NEWS from ![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
ivynajspyder
Dec. 29th, 2005 11:10 am![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
here_inmyheadJust thought I'd alert people as well. Whatever you do, do NOT go on Google Image Search, Wikipedia, Ebay, or anything similiar for a while... instead, click here and download the proper trial. Read on about the latest virus outbreak, info copied from the forums:
WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has embedded a virus in his signature today and was already permabanned for it.)
WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displayes or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possible other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.
This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. Here's a video of what this version is doing: http://www.websensesecuritylabs.com...s/wmf-movie.wmv (thanks Merijin).
WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION is a good one. Update the definitions right away after installing - they auto-update but you want to be sure you have the latest. (Your goal is to have an antivirus software with a realtime scanner that detects the exploit itself, and not just the payload that it drops. NOD32 does this, at least for this variant.)
Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it outright (the bloodhound heuristics may) but Symantec's own site says that it possibly may never work fully for this due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. I have personally tested NOD32 and found that it's AMON on-access scanner stopped the image as soon as it was saved to the cache, before it was able to execute anything. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.
2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!
3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.
4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.
5. USE COMMON SENSE - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.
6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.
7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the places this image has been popping up are: eBay XBOX auctions, porn sites, google image search, wikipedia, myspace, other forums, etc - places where people can post their own images. If you have a competent realtime scanner that can catch the image before it executes anything you are ahead of the game here.
WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has embedded a virus in his signature today and was already permabanned for it.)
WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displayes or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possible other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.
This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). It does not do anything by itself until it is activated. There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. Here's a video of what this version is doing: http://www.websensesecuritylabs.com...s/wmf-movie.wmv (thanks Merijin).
WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION is a good one. Update the definitions right away after installing - they auto-update but you want to be sure you have the latest. (Your goal is to have an antivirus software with a realtime scanner that detects the exploit itself, and not just the payload that it drops. NOD32 does this, at least for this variant.)
Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it outright (the bloodhound heuristics may) but Symantec's own site says that it possibly may never work fully for this due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. I have personally tested NOD32 and found that it's AMON on-access scanner stopped the image as soon as it was saved to the cache, before it was able to execute anything. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.
2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!
3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.
4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.
5. USE COMMON SENSE - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.
6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.
7. AVOID IMAGE SEARCHING and visiting webpages you don't trust. Some of the places this image has been popping up are: eBay XBOX auctions, porn sites, google image search, wikipedia, myspace, other forums, etc - places where people can post their own images. If you have a competent realtime scanner that can catch the image before it executes anything you are ahead of the game here.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-12-29 05:27 pm (UTC)*gives the program a try*
no subject
Date: 2005-12-29 05:28 pm (UTC)no subject
Date: 2005-12-29 05:34 pm (UTC)Thanks for the heads up, though :(
no subject
Date: 2005-12-29 06:30 pm (UTC)http://securityresponse.symantec.com/avcenter/security/Content/10120.html
You see? It's been discovered and fixed for quite a while, actually.
There was one more recently, but still back in November.
http://securityresponse.symantec.com/avcenter/security/Content/15352.html
If your Windows is set to automatically download high priority updates, which I'm sure it is since they're set that way to default right out of the box, then you are perfectly safe. Your computer downloaded the updates a month ago and you probably never even noticed.
It's why none of you have gotten it yet. =3
If, however, you don't think your machine has updated properly, just look for which version of Windows you have in the list at the bottom of that page and click the link it gives. That will download the update manually and fix the problem. <3<3
This is why I always go through and do research. Because I use Google Image and Wikipedia -all- the time and I've never had any problems. One any of our three computers. Using both Firefox -and- IE.
So... there you go~
Oh, and don't bother with that stupid 30day trial thing. If you want a good virus program, use AVGFree.
Why? Because it automatically updates itself and it's perfectly -free- for home use. They won't leave you unprotected and lost while you have to fork out money and money and money.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Right there~ <3
Don't bother with trials. They're more freaking hassle than they're worth! =O
You might wanna do your Friends list a favour and maybe repost this in a separate post, Puri? o.o So people will know not to go running out after that trial thingy. ;;; It's a way for the companies to get you to put their product on your machine so they can pester the hell out of you so you'll pay them money.
AVG doesn't do that. <3<3
no subject
Date: 2005-12-29 08:59 pm (UTC)no subject
Date: 2005-12-29 10:30 pm (UTC)no subject
Date: 2005-12-30 05:19 am (UTC)