The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – Preparing for Battle

  Lost of great info here

Preparing for Battle (NEW)

Published: 2006-01-04,
Last Updated: 2006-01-04 20:40:11 UTC by Kyle Haugsness (Version: 1)
Are you ready to battle a large virus/worm outbreak? Please don’t view
this is a prediction that there will be a large event, but let me just
say that conditions are right for a big storm (WMF issue and the return
of the Sober worm).Regarding the WMF issue, you have probably decided to either wait for
the official Microsoft patch, or you are rolling out Ilfak’s patch. But
there is still about 6-10 days of risk here for a major worldwide event.
So here are some recommendations for preparing for the battle. (This is
primarily written for system and network admins…)Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propogation vectors: e-mail, instant messaging, web
surfing, etc.
4) Several different versions of the exploit are in the wild and are
being actively used by criminal groups. All propogation methods are
being used. As of Wednesday, Jan 4 20:15:00 UTC, our current poll
indicates that 22% of respondents (340) have seen exploit attempts
through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are
publicly available. These tools may be used to evade anti-virus and
IDS/IPS signatures.
6) Anti-virus signatures and intrusion detection/prevention system
signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that
were infected outside of your network before allowing them to connect
to your internal network?As you provide this information, you should also provide an action plan
for mitigating damage in the worst case scenario. You should consider
the following action items in your plan. Also consider that your
organization may have no internal infections, but that the rest of the
Internet is having problems. Solicit input from your management on the
circumstances that would dictate each of the actions below.

1) Disconnect from the Internet.
2) Disconnect specific services from the Internet. Talk with your
network/firewall admins and have them be prepared to shut-off specific
services (SMTP or HTTP) at strategic locations.
3) If you have multiple locations, consider the action plan of
disconnecting internal WAN pipes to minimize damage to other parts of
your organization.
4) Disconnect internal and/or external e-mail servers to prevent further
5) If you plan to perform any of the above actions, then you should also
plan on how to bring these sites/services back online.
6) Determine an action plan for local workstation admins. How are they
going to receive virus updates and virus removal tools to clean

You should take this time to validate that you have good backups of your
e-mail servers. If things go really badly, you may be restoring from
backup. You should also make sure that everyone that could be involved
in the incident response has an updated contact list (cell phones,
pagers, home phones, etc) for all of the appropriate operational
personnel. Remember that some of these communication methods may fail
during a virus outbreak. Finally, you should identify secondary
Internet access (maybe dial-up) to download virus updates, IDS/IPS
updates, or get latest news about the event.

In a virus outbreak/worm event, communication between the operational
folks and management is critical. Make sure that there is a clear
understanding of when/how to shut-off services and when/how to turn them
back on. Communication to end-users is also critical and you may want
to start informing them now that the next 6-10 days could be very
difficult times.

You can find much more information about incident response plans at the
following sites:


January 4, 2006 Posted by | Security News, Virus Removal Tools | Leave a comment

SANS – Internet Storm Center – Musings and More WMF Information – Urgent Updated Info

Looks like renaming the dll temporarily is the only option now.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)
Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability. My fellow handler Lorna said recently, “IFrames are always suspect in my eyes.” In light of this information, I have to agree with her. Take a look at Websense Security Labs website for details of their investigation including a nice movie file showing the exploitation at work.As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader send us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoiking it (shimgvw.dll) directly.
  3. you have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into docuements may not immediately trigger the exploit, they may once saved into their own file.

The readers goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more then a quick temporary bandaid. What we need is a patch and we need it quick.

Scott Fendley
Handler on Duty

December 30, 2005 Posted by | Security News, Virus Removal Tools | Leave a comment

F-Secure : News from the Lab – WMF, day 2

F-Secure : News from the Lab – WMF, day 2

WMF, day 2 Posted by Mikko @ 08:30 GMT

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:

Microsoft’s bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It’s a good idea to use this while waiting for a patch. To quote Microsoft’s bulletin:

 Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

 1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll”
 (without the quotation marks), and then click OK.

 2. A dialog box appears to confirm that the un-registration process has succeeded.
 Click OK to close the dialog box.

 Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
 when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

 To undo this change, re-register Shimgvw.dll by following the above steps.
 Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

iframecash - don't visit the siteWe got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up to your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up to the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.


So far, we’ve only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I’m afraid we’ll see real viruses using this soon.

December 29, 2005 Posted by | Antivirus News, Security News, Virus Removal Tools | Leave a comment

Symantec Security Response – W32.Secefa Removal Tool

Symantec has released a cleaning tool for the relatively new W32.Secefa family of worms.  This new tool covers the following:

  • W32.Secefa.A
  • W32.Secefa.B
  • W32.Secefa.C
  • Trojan.Gamqowi
  • You can download this tool here: Symantec Security Response – W32.Secefa Removal Tool


    December 5, 2005 Posted by | Virus Removal Tools | Leave a comment

    Symantec Security Response – W32.Mytob@mm Removal Tool – Updated 11/30/05

    Symantec has updated their Mytob removal tool to include the following:

  • November 29, 2005: Published version 1.33.0, which supports removal of minor variants of W32.Mytob@mm.
  • November 22, 2005: Published version 1.32.0, which supports removal of W32.Mytob.MC@mm.
  • November 2, 2005: Published version 1.30.0, which supports removal of W32.Mytob.LO@mm.

    To date, this tool covers the following

    You can download this tool here: Symantec Security Response – W32.Mytob@mm Removal Tool


  • December 5, 2005 Posted by | Virus Removal Tools | Leave a comment