WMF Graphics are Very Dangerous

Windows Users- BEWARE!
All systems were at risk.
Many were infected.
It took 7 days for a fix from Microsoft.
Windows still has security issues!

1/5/2006 Update:
IT'S OVER!

3:30 PM - Microsoft has released their patch for the WMF Vulnerability for Windows 2000, XP, and 2003.
Go to the Start Menu>Windows Update (or Microsoft Update) to let Microsoft's standard update process install the patch, or search Microsoft's Download center for KB912919.
OR JUST SURF TO http://windowsupdate.microsoft.com
(Sorry, NT and Win9X/ME users- TIME TO UPGRADE. Note that Windows 2000 Professional is the preferred FIX for Win 9X and ME; get the UPGRADE version if you intend to go this route.)

The patch is COMPATIBLE with the Third-Party patch of Ilfak Guilfanov, but we suggest you uninstall Mr. Guilfanov's patch AFTER installing the Microsoft patch from Windows Update. (The removal process will require an ADDITIONAL Reboot.) To remove the Third-Party patch, go to:
Control Panel>Add Remove Software>"Windows WMF Metafile Vulnerability HotFix" and hit the REMOVE button.
You may also wish to re-register support for WMF files, by running the OPPOSITE of the Unregister function.
(NOTE: DON'T DO THIS UNTIL YOU HAVE INSTALLED THE MICROSOFT PATCH AND YOUR PC HAS BEEN REBOOTED!)
To do this, we refer you to the ORIGINAL instructions, below. See the second part about UNDOING this change.
The line to enter in Start Menu>Run (and hit return) is:
regsvr32 %windir%\system32\shimgvw.dll

NOTE: In no way does this mean that Windows is secure. However, this fix from Microsoft for the flaw in the WMF graphic format closes a gaping wound in Windows security. We continue to ask users to surf the web with Mozilla Firefox (keep it current and updated!) instead of Microsoft's Internet Explorer; to install and run automatically both anti-spyware AND anti-virus utilities; and to exercise extreme caution in all their dealings with information from (and about) the Internet.

The faster everyone installs this Microsoft patch the better off we will all be...

1/3/2006 Update:
Microsoft has a fix- but will not release it until January 10th, as part of the regularly scheduled Windows Update program. (Thank you, Microsoft...) We continue to hear about infected computers from vendors, clients, friends, and family. Entire networks are being shut down due to serious infestations.
   The Hexblog.net website is down, probably overwhelmed as it had been offering the preferred fix for the WMF Vulnerability.
   The website was at: http://www.hexblog.com/2005/12/wmf_vuln.html
   An alternative site for this patch is (immediate download) from:
http://handlers.sans.org/tliston/wmffix_hexblog11.exe
   Read the 12/31/05 Update below for cautions about this patch; you may want to uninstall it before Microsoft's January 10th Windows Update to avoid possible conflicts.
   There are only two possible defenses for this problem at this point in time- the regsvr32 fix for Windows XP / 2003 (see below for instructions) and the Third-Party patch by the computer scientist Ilfak Guilfanov (hexblog.com), whose site is currently down; the patch can be downloaded from the alternative site listed above.

1/1/2006 Update:
We are now maintaining a Discussion List of these posts at:
http://www.aota.net/forums/showthread.php?p=143053

CAUTION: MS Paint (Microsoft's simple little paint program) is DANGEROUS. According to F-Secure, MS Paint apparently bypasses the fix installed for Windows XP by the popular regsvr32 patch (which we suggest for all Windows XP users and is outlined below). You will still be vulnerable to the WMF Vulnerability if you open files in MS Paint- Avoid using this program until this problem has a fix from Microsoft itself.
The WMF Vulnerability problem continues to evolve and grow more complex. Additional WMF Vulnerabilities appear to have been discovered by the "Bad Guys". There is a "Happy New Year" email going around using one of the newer techniques, and a "*.jpg" file that is actually a renamed WMF file; it will infect your computer if read or seen in a "preview" window.
   Please note that Preview functions in Email are very dangerous and should be turned OFF, unless you have Windows XP and have disabled WMF support as described in the original warning message below. (Or have Windows 2000 Pro and have installed the Third Party Patch, also described in the 12/31/05 Update below.) And the Google Toolbar (among other third-party Search tools) will index this file if downloaded and will then execute the attached software and infect your computer WITHOUT needing Preview, if you have not taken any of the defensive measures discussed here.
An excellent site for keeping up to date with this problem is:
http://www.f-secure.com/weblog/
   F-Secure has been on the "bleeding edge" of this problem, and they have a chatty but educational running discussion of new issues, updates, fixes, and problems with the WMF Vulnerability.
New Repair Tools:
   For a discussion of repair after infection, see:
http://forums.spywareinfo.com/index.php?showtopic=61446
   The "cure" outlined there is time consuming and quite technical.
Some new tools include:
F-Secure has a free RootKit detector, BlackLight, for a limited time:
http://www.f-secure.com/blacklight/
Sysinternals has a free RootKit Detector at:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Ewido is specifically designed to detect and attack Trojans, such as Keyloggers. This is a very popular attack mode for the WMF Vulnerability. They offer a 14 day free trial:
http://www.ewido.net/en/

SpySweeper: PC Magazine top-rated this product. It costs $25 per year and has some installation issues, especially with the free 30 day trial. Still, it detects RootKits and many other sophisticated threats:
http://www.webroot.com/consumer/products/spysweeper/index.html
   Note: This problem is NOT OVER once you have applied one of the suggested fixes below. It continues to evolve. We are all under attack by serious programmers looking for big money rewards.

Please Be Careful.


12/31/05 Update:
   Reports are that Microsoft is frantically trying to develop a patch for this problem. However, some people could not wait, including the computer scientist Ilfak Guilfanov (hexblog.com) who would not allow this problem to exist on HIS machine any longer. So he fixed it. This patch installs a special DLL that removes the software hook that the WMF Vulnerability uses. It may cause problems with some software. As far as we are aware, it has only been tested on Windows XP, 2003, and Windows 2000 Pro. CAUTION: Microsoft's fix and this fix may not be compatible. Be prepared to REMOVE this patch before installing the Microsoft fix, when it becomes available. (This may be an issue for individuals whose machines update automatically, which is the recommended configuration for Windows Update.)
Note that unlike the solution below for Windows XP / 2003, this patch does NOT disable the ability to view or use WMF files.
To download the patch, go to:
http://www.hexblog.com/2005/12/wmf_vuln.html
There is also an MSI version of the patch, for system administrators.
Download from: http://users.utu.fi/vpjsuu/wmfhotfix/
   This patch is now being updated very frequently, and will continue to evolve as it is tested and rewritten to support more systems and configurations. Keep in touch with the page where you downloaded your copy of the patch from to be aware of any problems found.
   To remove the patch once it has been installed, go to:
Control Panel>Add Remove Software>"Windows WMF Metafile Vulnerability HotFix" (Eventually Microsoft will have an "Official" fix.)
There is a known incompatibility with "Yahoo antispyware" that detects this patch as spyware, but does not remove it automatically.
NOTE: SoftProse Technology Inc. is not installing this patch on client computers, preferring instead to wait for the Windows Update service to install a solution automatically on our few clients who still have machines running Windows 2000 Professional. For our Windows XP users, we suggest the original fix, being the removal of WMF support from Windows XP / 2003 as outlined below.
   However, if you surf the web with a Windows 2000 computer we STRONGLY recommend that you consider installing this patch immediately, with all the caveats mentioned above, and that you completely read the text on the website from which you download the patch- READ THE DIRECTIONS!

12/29/05
The *.WMF Vulnerability is very serious.
   This is an urgent advisory of a real-life threat to all Windows computers.
   The Windows Metafile Format (*.WMF) image format, developed by Microsoft, has been shown to have a critical flaw that allows ALL VARIANTS of Windows computers after and including Windows 98 to be taken over by criminals SIMPLY BY VIEWING images on a web page or images contained in Email- Including preview.
   The WMF vulnerability is not a virus in itself- it is, instead, known as an "Exploit", or a pathway that a Virus (or spyware, or any number of malware variants) can use to be inserted into a computer. Unfortunately, the bad guys found this security hole before the "white hats" got involved, so this problem is already showing up on users' computers.

   This is a SEVERE problem, that is already being exploited for commercial and criminal gain. The spyware program "Winhound" is the most common, and prominent, example using this security hole, but many other programs have been found that are taking advantage of it. Many of these programs use stealth techniques to hide on your PC, and record keystrokes, logins, credit card, and all sorts of other information of interest to criminal enterprises.
   Other commercial programs using this security hole include Winfixer and AVGold. There will probably be many more…

   Although Winhound is a very busy, obvious, and obnoxious infestation, it is not the worst- the worst infestation is the one you do not know about. There is no defense currently available for this problem, and fully-patched systems are being infected. No current antivirus software is defending against this threat. As there is a direct financial incentive, the number and variety of programs using this security flaw are expanding exponentially.

   This has the capacity of being the single greatest security threat ever discovered. The number of machines that are vulnerable include every single Windows computer in the world. There is currently no organized defense. The number and variety of attacks are quite large, and they are not being addressed at this time by security products.

   The infected pictures DO NOT NECESSARILY have a *.WMF extension! WMF files will execute just fine if they are called *.gif, *.jpg, *.bmp, and other names! ANY GRAPHIC FILE can conceal the infection.
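Because Windows recognizes a metafile by its contents rather than by its name, any defensive check has to look at the bytes, not the extension. The following Python script is an added example; it is not part of the original advisory and is not a SoftProse tool. It sniffs a file's leading bytes for the two WMF header layouts (the 22-byte Aldus "placeable" header, whose key is 0x9AC6CDD7, and the 18-byte standard METAHEADER), walks the record list, and reports when the file name disagrees with the content. This is the same "renamed *.jpg" case described in the 1/1/2006 Update above. The byte strings are constructed for the example and describe nothing but an empty metafile; the function names are mine.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # magic number that opens an Aldus placeable WMF
PLACEABLE_HEADER_LEN = 22       # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
METAHEADER_FMT = "<HHHIHIH"     # Type, HeaderSize, Version, Size(words), NumObjects, MaxRecord, NumMembers
METAHEADER_LEN = struct.calcsize(METAHEADER_FMT)   # 18 bytes
META_EOF = 0x0000

# Constructed samples (not real files): an empty standard WMF renamed to .jpg,
# the same metafile wrapped in a placeable header, and a genuine JPEG prefix.
EMPTY_METAFILE = bytes.fromhex(
    "0100 0900 0003 0c000000 0000 03000000 0000"   # METAHEADER: type 1 (memory), 9-word header, v3.0, 12 words total
    "03000000 0000"                                 # one record: 3 words long, function 0x0000 = META_EOF
)
WMF_RENAMED_AS_JPG = EMPTY_METAFILE
PLACEABLE_WMF = bytes.fromhex(
    "d7cdc69a 0000 0000000000000000 6000 00000000 0000"   # placeable header, 96 units/inch, checksum not validated here
) + EMPTY_METAFILE
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def sniff_wmf(data):
    """Return header details if data begins with a WMF header, else None.

    Only the bytes are consulted; the file name plays no part, which is
    exactly why a WMF renamed to .jpg/.gif/.bmp is still caught."""
    offset = 0
    kind = "standard"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        kind = "placeable"
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + METAHEADER_LEN:
        return None
    mtype, hsize, version, size_words, nobj, maxrec, nmembers = struct.unpack_from(
        METAHEADER_FMT, data, offset)
    # METAHEADER sanity: type 1 (memory) or 2 (disk), header is always 9 words,
    # and the version is 0x0100 or 0x0300.
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return None
    return {
        "kind": kind,
        "version": version,
        "declared_bytes": size_words * 2,
        "records": list_record_functions(data, offset + METAHEADER_LEN),
    }


def list_record_functions(data, pos):
    """Walk WMF records (Size in 16-bit words, then RecordFunction) until META_EOF.
    Stops early on a truncated record or a size field smaller than the record header."""
    funcs = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:          # a record can never be shorter than its own 3-word header
            break
        funcs.append(func)
        if func == META_EOF:
            break
        pos += size_words * 2
    return funcs


def classify(filename, data):
    """Defender's verdict: does the content agree with what the name claims?"""
    info = sniff_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if info is None:
        return "not a WMF"
    if ext == "wmf":
        return "WMF (%s header, %d record(s))" % (info["kind"], len(info["records"]))
    return "WMF disguised as .%s (%s header, %d record(s))" % (ext, info["kind"], len(info["records"]))


if __name__ == "__main__":
    for name, blob in (("photo.jpg", WMF_RENAMED_AS_JPG), ("chart.wmf", PLACEABLE_WMF), ("real.jpg", REAL_JPEG)):
        print(name, "->", classify(name, blob))
```

Run as-is it reports "photo.jpg" as a WMF disguised as .jpg, "chart.wmf" as a placeable WMF, and "real.jpg" as not a WMF. To use it on real files, read each file's first few hundred bytes and pass them to classify(); a mail gateway or download folder scanner built this way quarantines on content, so the renaming trick in the advisory buys the attacker nothing.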

IF YOU ARE INFECTED, the standard solutions may apply:
   SpyBot Search & Destroy, in the current version 1.4, has been somewhat effective against WinHound.
See: www.safer-networking.org/
We maintain a page on SpyBot SD, with a custom PDF guide and information on how it can be set with a command line to run automatically every day. See our Spyware & Adware page.
   AdAware and Microsoft AntiSpyware are both possible resources for an infection, although they have not been particularly strong against the versions of WinHound that we have encountered.
For AdAware, see: http://www.lavasoftusa.com/
For Microsoft AntiSpyware, see:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

   Ensuring that your AntiVirus is current and up to date is quite critical, along with running periodic scans. These scans are optional, but users may wish to run manual scans of their system after updating their antivirus. Note that currently NO anti-virus program is offering a full defense. The partial defenses that they can offer are being built on an hourly basis.

Please Note: The worst infestations are those you do not know about. It is entirely possible for your machine to become a "zombie" client of some Eastern European or Asian organized crime gang without you knowing anything about it. The days of clumsy amateur software are OVER in this business- This is professional, international, and closely focused on an increasingly valuable bottom line. There is big money in Cybercrime; please be careful.
   A "key logger" program on your computer can record all credit card numbers, all passwords, all login data. This is an increasingly common security threat for individuals or organizations of any size.

THE ONLY CURRENT "FIX" is to disable the primary vector for Windows Metafile Format (WMF) support.
The below "FIX" will only work on:
Windows XP Service Pack 1; Windows XP Service Pack 2;
Windows Server 2003; and Windows Server 2003 Service Pack 1

   It does not appear to be currently possible to disable all variants of WMF support. However, the primary software used by Windows XP and 2003 Server for working with WMF files is the core library of the "Windows Picture and Fax Viewer" (shimgvw.dll), which can be un-registered. This should have the effect of making it impossible for your computer to view WMF files. This change may cause UNEXPECTED problems with other software, but it is the only practical defense at this point in time and is STRONGLY recommended.
   The below fix involves serious changes. Be aware that this removes the primary means of support for WMF files, which may cause some graphics programs to either not run or demonstrate eccentric behavior. But we really suggest you do this, as described below.
   Note that Maintenance clients of SoftProse Technology, Inc. have had this code added to their login routine in two batch files, wmf_off.bat (and wmf_on.bat). There will be confirmation dialogs for these changes. DOWNLOAD a zip file with these batch files for your own system here.

Below was originally suggested by MICROSOFT,
who now seems to be formulating a different response.
(SEE: http://www.kb.cert.org/vuls/id/181038)

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type
"regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with
"regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

What if I have Windows 2000, or Windows 98 or ME?
What if you cannot disable WMF support?
What can you do to defend yourself? Four Suggestions:

1) Don't use Internet Explorer for surfing the Internet.
Internet Explorer has been broken for years; there is, and has been, no protection against your computer being taken over. Instead of IE, download and install the latest version of Firefox, currently at Version 1.5:
http://www.mozilla.com/firefox/
   Set Firefox to be your default browser. With Firefox you have to either answer a confirmation dialog or download the image to be infected. (Internet Explorer users have NO defense.)
   Note that Firefox will not fully protect you- BUT users will have to click a confirmation dialog or accept a download before they can become infected! DON'T ACCEPT ANY CONFIRMATION DIALOG OR DOWNLOAD ANYTHING unless you know EXACTLY what you are accepting into your computer!

2) Remove all "toolbars" from your computer- Google, Yahoo, etc. Also remove all third-party "Search" tools.
   This advice may be a little draconian, but we stand by it. (We never liked toolbars, anyway.) This is a real issue, as the Google toolbar in particular will INDEX ALL WMF files on your computer automatically- and this process will EXECUTE the code contained in these WMF files! So if you have Google Toolbar installed, and your Email downloads one of these pictures, it may execute EVEN IF YOU DON'T LOOK AT IT, thanks to the Google indexing process. We are not sure what all the other toolbars do that may be similar- but do you really need them? Don't take the chance.

3) Be CAREFUL with Email!
Email places us all at risk. The WMF Exploit is a major challenge for all Email users. The extent and nature of the infection process is still not fully understood, and any advice here will probably need the assistance of an update to the programs involved.

FOR ALL EMAIL USERS:
   Be especially aggressive in deleting Emails from strangers.
   DON'T OPEN ANYTHING if you don't know where it is from.
   JUST KILL IT. Suppress your natural curiosity.

For Outlook Users:
   View Menu>Preview Pane - Turn it OFF.
   Consider switching to the free version of Eudora, which has better controls over graphics. (See below.) http://www.eudora.com/

For Eudora Users:
   Go to Tools>Options>Display.
   Remove the checks for:
      Automatically download HTML graphics
      Display graphics in messages

4) Set your machine to receive Windows Updates automatically.
In a world where attacks can occur in hours, the Microsoft automatic update function "Windows Update" (Requires Internet Explorer) has become increasingly important to protecting your computer. Most computers managed by SoftProse Technology, Inc. are set to automatically download and install updates from Microsoft. If you have not configured your machine this way yet, please consider this as an important defense in an increasingly dangerous Internet-enabled world.
Note that the new Microsoft Update offers more features (Office software updates are included), but requires that Microsoft "certify" that your installation of Windows is "genuine" and not a bootleg copy. For most users, this should be a simple test to pass successfully. If for whatever reason your machine fails this test, please consider re-installing or upgrading to a legal copy of Windows. Be aware that Microsoft makes Microsoft Update an optional feature today, but soon may make it a requirement.
See: http://update.microsoft.com/microsoftupdate
(Requires Internet Explorer)

(NOTE: Like Linux, you can also create a limited login on your PC that will deny the ability to install software or to write files to system folders. (In Windows XP, this is actually called a "Limited Account".) Using the PC with a restriction such as this should stop most "malware" from installing itself and taking over your computer. A Windows computer can have more than one login. A separate Administrator login would have full rights but would only be used for PC maintenance. Most users would dislike this system intensely, but we are slowly getting used to this as a standard method for using, and defending, Windows computers. This is not a total defense- But may help in some scenarios, such as with this problem.)

For more info on the WMF vulnerability:

http://www.f-secure.com/weblog/

http://www.kb.cert.org/vuls/id/181038

http://www.microsoft.com/technet/security/advisory/912840.mspx

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1154914,00.html

http://blogs.zdnet.com/Spyware/index.php?p=734

Tired of Viruses? So are we. End the problem.
Please see our proposal:
Whole Office Anti-Virus Protection
And see our information on:
Virus Defense Suggestions


Need a Free Anti-Virus Solution?

Last Modified on: 12/29/2005
Contact us at:
info@softprose.com