Trojan delivers unwanted gift to Windows PCs -- CNet News.com, 2005-12-28 [Archive] - MousePad



Andrew
12-28-2005, 10:24 PM
Trojan delivers unwanted gift to Windows PCs (http://news.com.com/2100-7349-6011406.html?tag=tb) -- CNet News.com
The Trojan, dubbed Exploit-WMF (Windows Meta File), was rated a category 2 level risk, meaning it had the potential to continue to spread, said Dave Cole, director of security response at Symantec.
...
The WMF vulnerability affects computers running Windows XP with service pack 1 and service pack 2, as well as Windows Server 2003 with service pack 0 and service pack 1. It can be exploited when an Internet Explorer user, or Firefox user under certain circumstances, visits a Web site that has malicious code on it or when a user previews .wmf (http://en.wikipedia.org/wiki/Windows_Metafile) format files with Windows Explorer, Kaspersky said in a statement. (emphasis and link added)

Also: Kaspersky Lab statement (http://www.viruslist.com/en/alerts?alertid=176701669) and information; Microsoft Security Advisory (http://www.microsoft.com/technet/security/advisory/912840.mspx).

Tips to avoid this one:
Update your anti-virus definitions.
Do not download files with .wmf extensions. These are typically image files.
Set Internet Explorer security settings to "high". Also, make sure you have Automatic Updates enabled; that way, you'll get the patch from Microsoft as soon as it's made available. I wrote a tutorial (http://mousepad.mouseplanet.com/showpost.php?p=698947&postcount=2) on these topics earlier this year.
Ordinarily I would also suggest using Firefox (http://www.getfirefox.com/) (or Opera (http://www.opera.com/)) instead of Internet Explorer, but as it turns out this vulnerability is a problem in the Windows Graphics Rendering Engine, not just IE.

Andrew
12-28-2005, 10:37 PM
More info, including several informative links, from this WashingtonPost.com story (http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html):
The exploit code, first posted on security mailing list Bugtraq, states that the included Internet address can successfully exploit a fully patched Windows XP system with a freshly updated [Symantec] Norton Anti-Virus. Symantec said it has verified that the exploit works on fully-patched Windows XP systems, and that updates that would allow its anti-virus program to detect threats trying to exploit the new flaw would be released as soon as possible, though it noted that "some of the components of this attack, including the exploit itself, are NOT detected by Symantec products."

According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program onto fully patched Windows XP SP2 machines (other Windows versions may also be affected.) The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine. The story includes a temporary workaround to disable Windows' rendering of WMF files.

Be especially careful if you are using Google Desktop (http://desktop.google.com/about.html); F-Secure reports (http://www.f-secure.com/weblog/#00000753) that simply downloading--not even opening!--a malicious WMF file can cause infection, because Google Desktop opens and indexes new files in real time as they're downloaded.

Opus1guy
12-29-2005, 11:47 AM
...the exploit is now being used by thousands of Web sites to install a bogus anti-spyware application that is fairly tedious to remove from infected machines. Also, Websense says the program "prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the 'spyware cleaning' application vary between instances."

This sounds (and looks) identical to the "spyaxe.exe" that was getting through everyone's spyware and virus applications a few weeks ago (mostly from visiting certain porn sites). McAfee, AdAware and Spybot all updated to take care of that. Don't know about Symantec or Microsoft. But it sounds like the bad boys might have found a new delivery method? Or perhaps this is the same thing?

The pop-up announcing your machine has been infected and soliciting a removal program looks pretty much the same and is worded exactly the same. Spyaxe actually gave a little pop-up from your taskbar that looked just like a Windows pop-up warning. So lots of folks were clicking on it. Looks like this new thing does the same but the pop-ups have different appearances.

Andrew
12-29-2005, 11:53 AM
But it sounds like the bad boys might have found a new delivery method? Or perhaps this is the same thing?
"Different... but the same." -- Ox

Same type of infection, different vector. Worse, the malicious .wmf files can be renamed to .jpg or .tiff, and the Windows Graphics Rendering Engine will still open them. Until the rendering engine is fixed and AV definitions are updated, best to apply the temporary workaround found here (http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html).

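Since the renamed-.wmf point above means an extension filter (the "don't download .wmf files" tip earlier in the thread) is not enough on its own, here is an added example, not from any poster in this thread and not a Microsoft or vendor tool, of checking files by their header bytes instead of their name. The header constants are taken from the WMF file format (the placeable-metafile key 0x9AC6CDD7 and the standard METAHEADER fields); the file names and bytes in SAMPLES are constructed for the demonstration.

```python
import os
import struct

# From the WMF format: a "placeable" metafile begins with the 32-bit key
# 0x9AC6CDD7 stored little-endian. A standard metafile begins directly with
# a METAHEADER: Type (1 = memory, 2 = disk), HeaderSize in 16-bit words
# (always 9), and Version (0x0100 or 0x0300).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
STANDARD_HEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """Identify a Windows Metafile by its header bytes, ignoring the file name."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < STANDARD_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify(filename: str, data: bytes) -> str:
    """'wmf' for a .wmf that really is one, 'wmf-disguised' for WMF content
    under some other extension (.jpg, .tiff, ...), 'other' for anything else."""
    if not looks_like_wmf(data):
        return "other"
    ext = os.path.splitext(filename)[1].lower()
    return "wmf" if ext == ".wmf" else "wmf-disguised"


def _placeable_wmf() -> bytes:
    # Constructed sample: 22-byte placeable header followed by an 18-byte
    # standard header. Only the fields the detector reads are meaningful.
    placeable = PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    standard = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)
    return placeable + standard


# Constructed samples: a real JPEG header, a genuine .wmf, and two WMF
# payloads hiding behind image extensions.
SAMPLES = {
    "holiday.wmf": _placeable_wmf(),
    "holiday.jpg": _placeable_wmf(),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "chart.tiff": struct.pack("<HHHHHHIH", 1, 9, 0x0100, 0, 0, 0, 0, 0),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Classify each constructed sample by content, not by name."""
    return {name: classify(name, data) for name, data in samples.items()}


def scan_directory(root: str) -> list:
    """Walk a download folder and report every file whose bytes say 'WMF'.
    Only the first 64 bytes are read, which is all the header check needs."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            verdict = classify(name, head)
            if verdict != "other":
                hits.append((path, verdict))
    return hits


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} {verdict}")
```

Point the scan_directory function at a browser download folder or a mail attachment directory; a hit of "wmf-disguised" is exactly the renamed-file case described above and is worth quarantining regardless of what the antivirus signatures say that day.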
hbquikcomjamesl
12-29-2005, 04:50 PM
Seems like a good reason to switch to either Macintosh or Linux.

I just thought of one browser that's probably completely immune: Lynx. Because it doesn't do graphics.

Andrew
12-29-2005, 05:27 PM
I just thought of one browser that's probably completely immune: Lynx. Because it doesn't do graphics.
If you use Lynx to download a malicious .wmf file, the result will be the same as if you'd used IE or Firefox or Opera. The problem is not in the browser, except in that IE will usually open the file automatically whereas Firefox, Opera, and (I assume) Lynx will ask if the file should be opened. If you open the file, you are infected.

Unless you're using Google Desktop or another indexing service, which opens new files automatically.

This vulnerability affects all Windows users.

Opus1guy
12-29-2005, 07:29 PM
Until the rendering engine is fixed and AV definitions are updated, best to apply the temporary workaround found here (http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html).

Yep. I did that immediately when I first read about it. But not before taking a few seconds to set a manual Restore Point before I did, just in case I screwed anything up. ;)

hbquikcomjamesl
12-30-2005, 07:29 AM
So far as I know, there's no client-side version of Lynx; it runs in a terminal emulation session on your ISP's host, which is why it doesn't process graphics at all.

JeffG
12-30-2005, 08:57 AM
Lynx can be used client-side. I work for a web company and have a client installed on my work PC (runs under the Windows XP command line) for occasional checking pages to verify they can be read by search bots or screen readers.

-Jeff

Opus1guy
01-03-2006, 03:53 PM
Update:

http://www.microsoft.com/technet/security/advisory/912840.mspx

January 3, 2006

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is not widespread.

That last line seems to be confirmed by McAfee, who just updated their DAT files to detect for this today:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=137760

-- January 3, 2006 --

Exploit-WMF detection was enhanced in today's DAT release, version 4666, to proactively protect against exploits that may use slightly different WMF properties. As always, McAfee AVERT urges customers to update to the latest DAT files.

To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.

I'm told that's a very low number for such things. Apparently limited by the only handful of web sites that ever had this puppy in them.

Anyway, looks like we'll have the official patch by next week.

Mark Goldhaber
01-03-2006, 04:53 PM
Microsoft patch for WMF flaw to be released Jan. 10
But security experts recommend installation of an unofficial patch now (http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420,00.html)

Computerworld, January 3

QuikQuote:
Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC Web site.

"We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston wrote in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston wrote.

Opus1guy
01-06-2006, 10:44 AM
Looks like Microsoft felt the patch was ready to go ahead of the Jan 10 scheduled estimate, and they released yesterday Jan 5.

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

If your auto-updater hasn't downloaded and installed it yet, you can do a manual.

Andrew
01-06-2006, 11:00 AM
If your auto-updater hasn't downloaded and installed it yet, you can do a manual.
If you don't have Automatic Updates enabled, what are you waiting for?
Click Start - Control Panel - System. On the System Properties dialog, select the Automatic Updates tab. Select "Automatic" if it isn't already. Leave the default of 3:00 AM; if your computer isn't on at 3:00 AM, it'll just check for updates whenever you boot up next.
All of my machines were updated when I got to work this morning.

Opus1guy
01-06-2006, 11:23 AM
If you don't have Automatic Updates enabled, what are you waiting for?

All of our machines (and my laptop here on-the-road) were auto-updated last night as well.

But some folks don't like (or trust) auto-update and have selected to be "notified only" of any updates and they decide which ones they wish to download and install. Given some of the headaches generated by faulty Service Packs and other buggy updates from Microsoft in the past...I can't say I blame them too much for wanting to wait a bit to see how the reports come in from others on how the update actually performs and if there are any conflicts.

But we've only ever experienced two of those problems and one was very minor and the other was quickly (re)fixed by Microsoft, so we have auto-update turned on to download and install automatically now.

And on this particular patch...I certainly wouldn't wait around for feedback.

Mark Goldhaber
01-06-2006, 07:47 PM
Yep. Forgot to post last night. I uninstalled the Guilfanov patch (very easily, I might add), then ran the update.

(I automatically download updates, but then I install them myself. I like to have that control just in case it's something that requires a reboot and I may be in the middle of something when it installs and can't reboot immediately.)
