Windows zero day nightmare exploited

Discussion in 'General Software' started by acedriver, Dec 29, 2005.

  1. acedriver

    acedriver Just Started

    Since no news about it is posted here..

    F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

    Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.
    A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

    F-Secure says you can get blatted if you visit a site with an image file containing the exploit. IE users may automatically be infected. Firefox users can get infected if the image file is downloaded. There's more solid advice at F-Secure. We await a patch from Microsoft.

    Full article and source

    More info from F-Secure

    ------
    Microsoft has officially put out a statement, check it out at:

    http://www.microsoft.com/technet/security/...ory/912840.mspx

It looks like some folks are able to mitigate or momentarily fix the vulnerability by typing the following command:

    REGSVR32 /U SHIMGVW.DLL

    -------
    Complete step:

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type regsvr32 /u shimgvw.dll, and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with regsvr32 shimgvw.dll.
     
    1 person likes this.
  2. Chai

    Chai Administrator Staff Member

    Crap. I use Windows Picture and Fax Viewer...
     
  3. Jet

    Jet Just Started

    If not using Windows Picture and Fax Viewer, what should we use?
     
  4. acedriver

    acedriver Just Started

    Irfanview, XnView, Picasa, Acdsee

    -------
    more info:
    from neowin

[IMG]

    That's what you will see on your system tray too if you are infected.
     
  5. peaz

    peaz ARP Webmaster Staff Member

    faststone viewer is also a pretty good viewer...
     
  6. aKho

    aKho beat around the bush

Lucky I'm using ACDSee.. :mrgreen:
Windows Picture Viewer doesn't have enough functions..
     
  7. acedriver

    acedriver Just Started

I think it doesn't care what image viewer you use. As long as it is executed, the worm starts. If the file is saved locally DO NOT EVEN HOVER OVER IT!! Even if it's on your desktop without a preview it will allow the exploit to run.

    The only workaround right now is to unregister SHIMGVW.DLL.
     
  8. Chai

    Chai Administrator Staff Member

    So serious??? :shock:
     
  9. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Hmm... I use Firehand Ember. It takes over the previewing and viewing of pictures. So do I still need to unregister that DLL? :think:
     
  10. acedriver

    acedriver Just Started

Until Microsoft releases a patch, you should unregister the DLL..
     
  11. acedriver

    acedriver Just Started

    SANS Internet Storm Center article
    F-Secure Weblog
    Unofficial patch site
     
  12. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Unregistering it right away!! :thumb:
     
  13. acedriver

    acedriver Just Started

    WMF patch released early.

    Security Update for Windows XP (KB912919)

    Here's the other platforms also:
    Security Update for Windows Server 2003 (KB912919)

    Security Update for Windows 2000 (KB912919)

    Security Update for Windows XP x64 Edition (KB912919)

    Security Update for Windows Server 2003 64-bit Itanium Edition (KB912919)

    The Security bulletin ( MS06-001 ) is now available and confirms this covers the WMF vulnerability.

    Graphics Rendering Engine Vulnerability - CVE-2005-4560:
    Recommendation for updating:

    1. Reboot your system to clear any vulnerable files from memory
    2. Download and apply the new patch
    3. Reboot
    4. Uninstall the unofficial patch, by using Add/Remove Programs on single systems. If you used msi to install the patch on multiple machines you can uninstall it with this:
    msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
    5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
    regsvr32 %windir%\system32\shimgvw.dll
    6. Reboot one more time just for good measure

    http://isc.sans.org/
     
    Last edited: Jan 6, 2006
    1 person likes this.
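The two procedures in this thread (the interim workaround of unregistering shimgvw.dll from post 1, and the clean-up after the official fix from post 13) can be scripted so that an admin can audit a machine and apply the right step. The script below is an added example written for this page, not something posted in the thread and not from Microsoft or SANS. It assumes an elevated PowerShell session, that Get-HotFix reports KB912919 when the official update is installed, and that the unofficial patch, if installed per machine via msiexec, registered itself under the standard Uninstall registry key by the product code quoted in post 13.

```powershell
# Added example (not from the thread): audit-and-remediate helper for the
# WMF advisory workflow. Assumptions: elevated session; KB912919 is visible
# to Get-HotFix; the unofficial MSI patch shows up under the Uninstall key.

$kb          = 'KB912919'
$productCode = '{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}'   # unofficial patch MSI product code, as given in the thread
$dll         = Join-Path $env:windir 'system32\shimgvw.dll'

function Test-OfficialPatch {
    # Get-HotFix queries Win32_QuickFixEngineering; returns $true if KB912919 is listed
    return [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
}

function Test-UnofficialPatch {
    # Assumption: a per-machine MSI install registers under Uninstall\{ProductCode}
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"
    )
    return [bool]($paths | Where-Object { Test-Path $_ })
}

function Set-ShimgvwRegistration([bool]$Register) {
    # regsvr32 /s suppresses the confirmation dialog; exit code 0 means success.
    # Step 5 of post 13 uses the same command without the /u switch to re-register.
    if ($Register) { & regsvr32.exe /s $dll } else { & regsvr32.exe /u /s $dll }
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "regsvr32 failed with exit code $LASTEXITCODE for $dll"
    }
    return $LASTEXITCODE
}

if (-not (Test-OfficialPatch)) {
    Write-Host "$kb not installed: applying the interim workaround (unregister shimgvw.dll)."
    Set-ShimgvwRegistration -Register:$false | Out-Null
    Write-Host "Install $kb, reboot, then run this script again to restore the viewer."
    exit 1
}

Write-Host "$kb is present."
if (Test-UnofficialPatch) {
    Write-Host "Removing the unofficial patch ($productCode) with msiexec /X ... /qn."
    Start-Process -FilePath msiexec.exe -ArgumentList "/X$productCode /qn" -Wait
}

# Official fix in place: restore the Windows Picture and Fax Viewer association
Set-ShimgvwRegistration -Register:$true | Out-Null
Write-Host "shimgvw.dll re-registered; reboot once more as the thread recommends."
```

Run it once before the official update to apply the workaround, and again after installing KB912919 to remove the unofficial patch and re-register the DLL. Get-HotFix only reports updates that register as hotfixes, so on a machine where the update was slipstreamed or installed by other means the check may report it as missing; in that case confirm the update another way before re-registering the viewer.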
  14. Adrian Wong

    Adrian Wong Da Boss Staff Member

    Argghhh!!! I JUST installed the temporary patch!!! :doh: :doh:

    Thanks for the update! :thumb:
     
  15. Chai

    Chai Administrator Staff Member

    Cool thanks for the update!
     
  16. buildcustompc

    buildcustompc Newbie

I got this infection on my computer a couple of times and it wasn't pretty. It continually pops up that infested box in the bottom right and doesn't let you change your background. Ad-aware detects some of it and removes it but it reinstalls itself. I have to do a complete reformat/reinstall to get rid of it. Thanks for the info about what this was!

    Will :lol:
     
  17. 1031982

    1031982 Just Started

I use ACDSee, because it's not made by MS.
     
