images on forums can infect your computer with malware


Noodle!
January 3rd, 2006, 11:27 AM
Whistle from eatpoo gave me a heads up on this and I felt I should tell you guys here as well.

WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too. (In fact, user Blue Reptile has already been permabanned for putting the exploit in his signature.)

WHO IS VULNERABLE?
The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.

This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.

more info: http://www.metafilter.com/mefi/47964

This is a pretty serious danger, over at eatpoo I've suggested that we disable all image posting until microsoft releases a patch, but we've not decided anything yet.
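The post above notes that a forum is an infection vector and that a WMF can be renamed to any other image extension. The following is an added example (not from the original post or from any forum software) of an upload filter a forum operator could run server-side: it identifies WMF by its bytes rather than its extension, and also rejects files whose content does not match the claimed extension. The sample headers are constructed, minimal and inert.

```python
import os
import struct

# Placeable WMF files start with this 32-bit key (little-endian on disk).
WMF_PLACEABLE_KEY = 0x9AC6CDD7

def sniff_image(data: bytes) -> str:
    """Return the real image type from the bytes, ignoring the filename."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 18:
        # Standard META_HEADER: Type (1 = memory, 2 = disk), HeaderSize in
        # 16-bit words (always 9), Version (0x0100 or 0x0300).
        mtype, hdr_words, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

ALLOWED_BY_EXT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def is_upload_allowed(filename: str, data: bytes) -> bool:
    """Accept only PNG/JPEG/GIF whose bytes agree with the extension.
    A WMF is refused whatever its name, so renaming does not help."""
    actual = sniff_image(data)
    if actual == "wmf":
        return False
    expected = ALLOWED_BY_EXT.get(os.path.splitext(filename.lower())[1])
    return expected is not None and actual == expected

# Constructed samples: a disk WMF header, a placeable WMF header, a PNG header.
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    print(sniff_image(SAMPLE_WMF), is_upload_allowed("cute.jpg", SAMPLE_WMF))
    print(sniff_image(SAMPLE_PNG), is_upload_allowed("cute.png", SAMPLE_PNG))
```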

Noodle!
January 3rd, 2006, 11:32 AM
also the reason I'm not PM'ing this to a moderator or admin is because I don't know who they are on CA. sorry.

Advocate of Fate
January 3rd, 2006, 11:33 AM
http://img377.imageshack.us/img377/9509/haxor8gw5hn.jpg

glikster
January 3rd, 2006, 12:00 PM
Advocate, that was one of the funniest things I've seen in a while.

Number_6
January 3rd, 2006, 12:02 PM
Haha

Thanks for the heads up, but it's already been discussed here.

You suggested they disable all image posting at Eatpoo? Have they eaten you alive yet?

Noodle!
January 3rd, 2006, 12:15 PM
That's weird, I did a search for it and nothing showed up, but I see the topic now. It seems to not have gotten much attention.
I just want to stress again how malicious this is, it's nothing like CLICK HERE FOR LARGER PENIS, you don't even have to see the image. It can be hidden pretty much in anything as long as it gets loaded by ie or even just your file browser in windows.



and no they haven't eaten me alive, seeing as how I am an admin there ;)

Mr. Pale
January 3rd, 2006, 12:21 PM
Dear God no!!!

And what, pray tell, does this dread menace do after infecting our precious computers? It doesn't sign me up for a subscription to "The Watchtower" does it? Nooooo!

If you all need me I'll be hiding under my bed till "computering" is safe again.

asoir
January 3rd, 2006, 12:26 PM
Ah yeah, heard of this, apparently extremely old, it's been done years ago but no real problems.

Number_6
January 3rd, 2006, 12:35 PM
and no they haven't eaten me alive, seeing as how I am an admin there ;)

But... but you suggested they disable image posting. On Eatpoo!

Mr. Pale
January 3rd, 2006, 12:56 PM
Aaaarrrggg! Computer infected... Much pain.... Nooo!, it's forcing me to watch "Full House" reruns... Bob Sacket!...(Gasp! Insert sounds of slow painful death here)

bRyaN
January 3rd, 2006, 01:22 PM
Thanks Noodle!

Was that hard to do gentlemen? seriously...

Groover McNab
January 3rd, 2006, 01:32 PM
This is one of the more serious exploits that came out just last week.

Thanks for being conscientious enough to post this Noodle!

As for you other assholes, that's great that you slam someone looking out for you. :yayca:

For those that actually want more info on this you can visit f-secure's site http://www.f-secure.com/zero-day/, if you dig around a bit they provide a list of domains that you might want to block if you have the ability to do so.

Sammy
January 3rd, 2006, 01:39 PM
my laptop actually got busted by this malware a few nights ago ---- I've since been able to clear things up, but it affected my Norton anti-virus 'repair' functions and I haven't been able to properly re-install the program.
Now I have a constant WARNING popin from the windows-update that directly links to the malware ... so's i can't click that, and it gets in the way of my doodling...

.sucks balls.

Mr. Pale
January 3rd, 2006, 01:53 PM
Groover, I'm just joking, not trying to be an ass. Sorry.

Seriously though, what does this thing do? and how do you protect yourself?

N D Hill
January 3rd, 2006, 02:07 PM
how do you protect yourself?

By turning to the Dark Side.

http://pics.computerbase.de/artikel/469/25_m.jpg

Mr. Pale
January 3rd, 2006, 02:22 PM
No, anything but that. (Sob, whimper) I have to use those horrible things at my day job.

Groover McNab
January 3rd, 2006, 04:04 PM
From what I've read it requires very little interaction. Everyone needs to be careful with .wmf files. Most of the infected files have this extension. It seems all it takes is viewing a bad file with your browser or windows fax and picture viewer. Mozilla/Firefox should give you a prompt, I'm not sure about IE.

My antivirus program succeeded in blocking one attempt to open this when I visited a torrent site.

So far (like Sammy says) infected windows machines usually will have a fake antivirus prompt installed on the taskbar.

Jason Manley
January 3rd, 2006, 04:46 PM
By turning to the Dark Side.

http://pics.computerbase.de/artikel/469/25_m.jpg


no thanks...i like having software for my computer...and games.


:)

CRØW
January 3rd, 2006, 07:52 PM
I'm so glad I don't use a windows machine. Thank God for Steve Jobs and his wonderful little machine! :P

Slash
January 3rd, 2006, 07:59 PM
no thanks...i like having software for my computer...and games.


:)

LOL! My sentiment exactly. Same goes for this:

http://www.michael-prokop.at/images/tux.png

Mr. Pale
January 4th, 2006, 10:12 AM
Not to go completely off topic, but just had the power supply go out on one of our macs. Apple would not sell us a replacement, they forced us to have some tech come out and replace it. $300 and something bill and two days of downtime.

Burnt up my power supply at home, went to circuit city they had a wall full of replacements for less than $100. Replaced it myself took about an hour including the drive.

Apple should just make iPods, those things are nifty.

Kian
January 4th, 2006, 10:25 AM
F**kin ell, I can see another Pc's better Mac's debate coming on. Seen a few too many thousand of these :S

figure2
January 4th, 2006, 10:36 AM
Hey! I was just hit with the "Amish Computer Virus!" This was the message: You have just received the Amish virus. Since we have no electricity or computers, you are on the honor system. Please delete all of your files on your hard drive. Then forward this message to everyone in your address book. We thank thee. :P

Mr. Pale
January 4th, 2006, 10:56 AM
I got that same virus, but it also told to get rid of all my buttons, wear black, and it kept calling me "english" for some reason.

Snarfevs
January 5th, 2006, 04:54 AM
http://www.hexblog.com/index.html

For unofficial patch.

FAQ

# What operating systems are supported?

The fix is known to work on Windows 2000, XP (SP1 and SP2), XP64, Windows 2003. It does not work on Windows 98, ME, NT. The impact of the vulnerability for unsupported systems is small and they are not as vulnerable as 2000 and XP.

# How to install the hotfix on a single computer?

Just run wmffix_hexblog14.exe. If the fix happens to be incompatible with your system, it will inform you about it and quit. After a successful installation, REBOOT.

# How to install the hotfix on my network?

You can run the installer in the silent mode:

wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

There will be no dialog boxes on the screen and the installation will be completely automatic.

# How to uninstall the hotfix?

The hotfix will be listed in the Add/Remove programs window and you can uninstall it from there.

# How to check that the hotfix is working on my computer?

Use the checker to verify that the hotfix works. It should report that your system is invulnerable. If it reports that your system is still vulnerable, check the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry key. It should contain a reference to c:\windows\system32\wmfhotfix.dll. There are some programs known to clean up this registry key. The fix will not work in this case. You should find and disable the program which cleans the registry key or uninstall the hotfix.

# What does the hotfix exactly do?

The hotfix disables a vulnerable function in GDI32.DLL. It does not disable any other functionality: you will still be able to use the Fax & Picture viewer and other programs. It does not alter any file on your computer, the modifications are done in the memory and will disappear as soon as the hotfix is uninstalled and the computer is rebooted.

# How long should the hotfix stay on the computer?

The hotfix should be uninstalled from the computer after applying the official patch from Microsoft.

timpaatkins
January 5th, 2006, 05:07 AM
Thanks man! Will this work if my PC is already infected though?

Snarfevs
January 5th, 2006, 05:10 AM
Thanks man! Will this work if my PC is already infected though?

It will likely patch the vulnerability but do nothing else. So you'll have to remove the malware through other means, and as payloads vary, said malware may have done anything to your system including opening new holes.

gah my brother got infected on day 0 and i have to clean up after him. Spyaxe - nasty...

timpaatkins
January 5th, 2006, 05:54 AM
Damn it! I got PS guard....
Thanks for the help dude!
Edit: I got rid of the bastard! Thank f**k...

Tim

Sammy
January 6th, 2006, 10:50 AM
It will likely patch the vulnerability but do nothing else. So you'll have to remove the malware through other means, and as payloads vary, said malware may have done anything to your system including opening new holes.

gah my brother got infected on day 0 and i have to clean up after him. Spyaxe - nasty...

any tips on getting rid of that spyaxe? --- it still runs rampant on my laptop, i've been disabling "system restore" but it still comes back from the grave after a cleanup.....

since it has corrupted my norton install --- I can't restart my computer to repair/delete the bastard.

AngryScientist
January 6th, 2006, 10:57 AM
MS got round to posting a malware removal thingy. I dled it but haven't restarted yet to see if it works.

Number_6
January 6th, 2006, 11:08 AM
The official microsoft patch was released yesterday afternoon.

egerie
January 6th, 2006, 12:21 PM
Linkzorzs ?

Number_6
January 6th, 2006, 02:17 PM
Linkzorzs ?

www.windowsupdate.com

If auto update is enabled, you should have it by now.