Is This True

Discussion in 'Malware Help (A Specialist Will Reply)' started by seaside, Jan 3, 2006.

  1. seaside

    seaside Corporal

    Date: 14:04:31 on Tuesday, January 03, 2006
    Name: Helpful Horace
    Subject: New Microsoft Vulnerability - IMPORTANT

    Firstly - A disclaimer - I do not profess to understand any of the computer-speak in the following and I can't offer any more help than posting it here for you to make your own judgement on what you do and how you deal with it.

    It appears there is a vulnerability in windows which will allow malicious code to enter your PC through graphics files (pictures).

    I found this on another forum and trust the poster to have provided the correct information. All the links seem to suggest that there is a potential problem and Microsoft will not be providing a patch until mid January. There is an unofficial patch included within the following:

    Copied from another forum:

    Short story: If you use windows, run this unofficial patch file as soon as physically possible, particularly if you use your computer for anything critical (banking, stockmarket, etc). Please pass this information on to your friends.
    FILE : http://handlers.sans.org/tliston/wmffix_hexblog13.exe
    ---

    Long Story:

    Hello all,

    A new Windows exploit is spreading rather fast and by design is rather difficult to prevent. Since it spreads through graphics files (WMF data structures within files labelled .wmf, .jpg, .png, .gif, .bmp), you can be affected by email, web or MSN. Exploit code has been in the wild since Dec 27th 2005.

    In particular, it can affect even up-to-date Windows XP SP2 systems or Windows 2000 SP4 systems. When you view a particular type of picture, arbitrary code can be executed without your knowledge.

    Info here:
    http://isc.sans.org/diary.php?storyid=994
    http://www.microsoft.com/technet/security/advisory/912840.mspx
    http://www.theregister.co.uk/2005/12/29/wmf_trojan_alert/

    Microsoft have not yet issued an official patch.
    However, an unofficial patch is available here:
    http://handlers.sans.org/tliston/wmffix_hexblog13.exe

    I recommend downloading and running the "wmffix_hexblog13.exe" program as soon as possible, particularly if you use your computer for internet banking or similar. The content of the wmffix program has been verified by several large security firms as being safe.

    http://www.f-secure.com/weblog/archives/archive-122005.html
    http://isc.sans.org/diary.php?date=2005-12-31

    Please pass this email on to your friends ASAP. I appreciate that this is the opposite of the advice I normally give about passing on emails warning about viruses! However, I fear this will be 'the big one' of 2005/2006 given how many vectors for this exploit already exist within days.

    comp.

    p.s. As of this year, I'm recommending anyone who asks about computers to buy an Apple Mac.

    p.p.s. Why didn't you hear of this before? It's new year. The exploits only first showed up on the 27th/28th. Everyone is still on holiday. :(

    p.p.p.s If you are a computing professional and you have just verified that what I have written is true, please recommend this post.

    p.p.p.p.s. Seriously, please tell your friends. :(



    Q & A :

    Q. "Is it dangerous?"

    Well, a variant of the ones going around just now could delete all your files, reformat your hard disk, steal any passwords you type in, and log every key you press on your keyboard. In short YES IT'S DANGEROUS.

    Q. "Can I trust that patch?"

    Yes. It's written by one of the minor gods of computing. It's been verified by several big security agencies, including anti-virus firms, and you can find out plenty about it if you google it, so I'm not asking you to do this blind. As best I can tell, it's genuine.

    But turn off web browser images first before you make any attempt to verify it, PLEASE!

    Q. Will my virus checker pick it up?

    Almost certainly not. Maybe 10% chance.

    Some virus checkers are trying to pick things up, but the exploit is mutating so fast that it's hard to keep up. The original source apparently allows random-sized images, random filenames, all sorts of randomness that makes it very hard to pick up. With new worms/viruses based on this coming out on an hourly basis, it's a NOT GOOD situation.

    Some people have their virus checkers set to only check .exe and .dll files. They will never pick it up.

    Some people do not update their checker more frequently than every 7 days. They will not pick it up.

    Please, apply that patch.

    Q. Why is there no patch from microsoft?

    Beats me. They've had 4 days. Maybe it's because it's new year. I believe it's because they don't want to issue a patch that will break, e.g., Word, Publisher, etc. in any way. However, the exploited code is buried deep in some really old image-handling code. It's hard to see how they can fix it *without* potentially breaking older software that companies may be relying on. Also, the outbreak of different vectors (MSN virus, email worms) has only really taken off in the last day or two.

    Q. "I have Win98. Am I at risk?"

    No idea. I'd say 50/50 chance.

    Try typing this in the 'start/run' box.

    regsvr32 -u %windir%\system32\shimgvw.dll

    It will disable the affected library if it exists. It is reversible and you can reverse it when a real patch comes out.

    Q. Can I run that command on windows 2000/XP?

    Yes! It's worth running that Start/Run command even on Windows 2000/XP systems, since it will help protect them. Best to have belt and braces, so to speak.

    Q. Finally.

    Please tell everyone you know about the URLs with information on this (e.g. www.theregister.co.uk). If we can get word out fast, hopefully we can prevent an epidemic before a malicious form of this gets out that does REAL damage (nothing to stop them reformatting your hard disk as it stands!).


    from another site seas
     
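The post above makes two points a scanner has to deal with: the exploit rides in WMF data inside files named .jpg/.gif/.png as well as .wmf, and a checker keyed on file extension never sees it. As an added example (not part of the original post, and not the hexblog hotfix or any vendor's code), here is a Python scanner that recognises WMF by its header rather than its name and walks the record list looking for the META_ESCAPE record whose sub-function is SETABORTPROC (escape code 9); that Escape path is what the December 2005 exploit files used to get GDI to call back into attacker-supplied bytes, and what both the unofficial hotfix and Microsoft's later fix block. The sample files are constructed inline with filler bytes where a real sample carried a payload; the record and header constants come from the WMF format itself, and the file names in the usage block are made up to show that the extension is ignored.

```python
import struct

# WMF format constants (Windows Metafile); no exploit payload anywhere below.
META_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
META_SETABORTPROC = 0x0009        # Escape sub-function abused by the Dec 2005 exploits

PLACEABLE_LEN = 22
STD_HEADER_LEN = 18


def _wmf_header_offset(data):
    """Return the offset of the standard WMF header, or None if data is not WMF.

    The decision is made on structure, never on the file name, because the
    exploit files circulated under .jpg/.gif/.png names as well as .wmf.
    """
    off = 0
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data, 0)[0] == META_PLACEABLE_KEY:
        off = PLACEABLE_LEN
    if len(data) < off + STD_HEADER_LEN:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def scan_wmf(data):
    """Walk the record list of a WMF blob and report Escape/SETABORTPROC use."""
    result = {"is_wmf": False, "placeable": False, "records": 0,
              "escapes": [], "setabortproc": False, "malformed": False}
    off = _wmf_header_offset(data)
    if off is None:
        return result
    result["is_wmf"] = True
    result["placeable"] = off == PLACEABLE_LEN
    pos = off + STD_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # size is in 16-bit words
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            result["malformed"] = True   # bogus record length: stop rather than trust it
            break
        result["records"] += 1
        if func == META_ESCAPE and size >= 10:
            esc_func, _byte_count = struct.unpack_from("<HH", data, pos + 6)
            result["escapes"].append(esc_func)
            if esc_func == META_SETABORTPROC:
                result["setabortproc"] = True
        if func == META_EOF:
            break
        pos += size
    else:
        result["malformed"] = True       # ran off the end without a META_EOF record
    return result


def _record(func, payload=b""):
    """Encode one metafile record; payloads are padded to a whole number of words."""
    if len(payload) % 2:
        payload += b"\x00"
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def build_wmf(records, placeable=False):
    """Assemble a minimal disk-type WMF (constructed sample, not a captured file)."""
    body = b"".join(records) + _record(META_EOF)
    total_words = (STD_HEADER_LEN + len(body)) // 2
    max_words = max(len(r) // 2 for r in records + [_record(META_EOF)])
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    if not placeable:
        return header + body
    # Placeable header: key, handle, bounding box, DPI, reserved, then an XOR checksum.
    fields = struct.pack("<IHhhhhHI", META_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + header + body


# Constructed samples. The suspect ones carry the Escape/SETABORTPROC record
# with 0x41 filler where a real sample held attacker data.
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 1))])
SUSPECT_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_ESCAPE, struct.pack("<HH", META_SETABORTPROC, 8) + b"\x41" * 8),
])
SUSPECT_PLACEABLE = build_wmf(
    [_record(META_ESCAPE, struct.pack("<HH", META_SETABORTPROC, 8) + b"\x41" * 8)],
    placeable=True)
NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 60   # JPEG SOI/APP0 bytes, not metafile data


def scan_many(samples):
    """Scan a name->bytes mapping; the names are deliberately misleading."""
    return {name: scan_wmf(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    files = {"holiday.jpg": SUSPECT_WMF, "chart.wmf": BENIGN_WMF,
             "logo.gif": SUSPECT_PLACEABLE, "real.jpg": NOT_WMF}
    for name, r in scan_many(files).items():
        verdict = "SUSPECT" if r["setabortproc"] else ("wmf" if r["is_wmf"] else "skip")
        print(f"{name:12} {verdict:8} records={r['records']} escapes={r['escapes']}")
```

The scan stops at the first record whose declared length runs past the end of the buffer and reports it as malformed instead of skipping ahead; a renderer that keeps going at that point is exactly what the exploit relied on, so a truncated or oversized record is worth flagging on its own even when no SETABORTPROC escape precedes it.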
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. seaside

    seaside Corporal

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
