Lots of great info here
Last Updated: 2006-01-04 20:40:11 UTC by Kyle Haugsness (Version: 1)
Are you ready to battle a large virus/worm outbreak? Please don’t view
this as a prediction that there will be a large event, but let me just
say that conditions are right for a big storm (WMF issue and the return
of the Sober worm).

Regarding the WMF issue, you have probably decided to either wait for
the official Microsoft patch, or you are rolling out Ilfak’s patch. But
there is still about 6-10 days of risk here for a major worldwide event.
So here are some recommendations for preparing for the battle. (This is
primarily written for system and network admins…)

Prepare a short briefing for management on the situation:
1) There is a serious vulnerability in Microsoft operating systems.
2) An official patch will not be available from Microsoft until Jan. 10.
3) There are multiple propagation vectors: e-mail, instant messaging, web
4) Several different versions of the exploit are in the wild and are
being actively used by criminal groups. All propagation methods are
being used. As of Wednesday, Jan 4 20:15:00 UTC, our current poll
indicates that 22% of respondents (340) have seen exploit attempts
through one of the exploitation vectors.
5) Tools to generate random files to exploit the vulnerability are
publicly available. These tools may be used to evade anti-virus and
6) Anti-virus signatures and intrusion detection/prevention system
signatures may only be able to catch the first generation of exploits.
7) If an outbreak does occur, how are you going to sanitize laptops that
were infected outside of your network before allowing them to connect
to your internal network?

As you provide this information, you should also provide an action plan
for mitigating damage in the worst case scenario. You should consider
the following action items in your plan. Also consider that your
organization may have no internal infections, but that the rest of the
Internet is having problems. Solicit input from your management on the
circumstances that would dictate each of the actions below.
1) Disconnect from the Internet.
You should take this time to validate that you have good backups of your
In a virus outbreak/worm event, communication between the operational
You can find much more information about incident response plans at the
Looks like renaming the dll temporarily is the only option now.
Handler’s Diary December 30th 2005
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)
One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:
- Filename extension filtering will not work.
- Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
- You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
- While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.
Handler on Duty
WMF, day 2 (Posted by Mikko @ 08:30 GMT)
Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
Microsoft’s bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.
They also list the REGSVR32 workaround. It’s a good idea to use this while waiting for a patch. To quote Microsoft’s bulletin:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll”
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.
We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.
And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
So far, we’ve only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I’m afraid we’ll see real viruses using this soon.
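The reader summary in the December 30th diary (extension filtering will not work) and Mikko's list of other image extensions that can carry the exploit make the same point: a gateway or host check has to look at file content, not at the file name. The scanner below is an added example written for this page; it is not code from SANS, F-Secure or Microsoft. It walks a file's WMF record structure, regardless of extension, and flags any META_ESCAPE record whose escape code is SETABORTPROC (the escape the exploits depend on), falling back to a fixed 4-byte pattern when the header does not parse. The record type and escape constants are from the Windows Metafile format; the function names, the verdict strings and the sample files are this example's own. The samples are constructed inline and carry no payload, they only exercise the parser.

```python
import struct

# Constants from the Windows Metafile format (MS-WMF).
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # "Aldus" placeable header magic, little-endian
META_ESCAPE = 0x0626             # record type carrying a GDI escape
META_EOF = 0x0000
ESC_NEWFRAME = 0x0001            # a harmless escape, used in the clean sample
ESC_SETABORTPROC = 0x0009        # escape subfunction the 2005 exploits rely on

# Byte pattern a fixed-string AV/IDS signature would match: function 0x0626
# followed by escape 0x0009, both little-endian.
RAW_PATTERN = struct.pack("<HH", META_ESCAPE, ESC_SETABORTPROC)


def walk_wmf(data):
    """Parse WMF headers and records without looking at any file name.

    Returns a dict: is_wmf, placeable, records, escapes [(offset, code, nbytes)],
    setabortproc, truncated.
    """
    r = {"is_wmf": False, "placeable": False, "records": 0,
         "escapes": [], "setabortproc": False, "truncated": False}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        r["placeable"] = True
        off = 22                     # skip the 22-byte placeable header
    if len(data) < off + 18:
        return r
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Standard header: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0.
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return r
    r["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        # Read an escape record's code even if its declared size is bogus or the
        # file is cut short: the code sits directly after the 6-byte record header.
        if func == META_ESCAPE and off + 10 <= len(data):
            esc, nbytes = struct.unpack_from("<HH", data, off + 6)
            r["escapes"].append((off, esc, nbytes))
            if esc == ESC_SETABORTPROC:
                r["setabortproc"] = True
        rec_len = size_words * 2
        if size_words < 3 or off + rec_len > len(data):
            r["truncated"] = True    # malformed size: cannot resync reliably
            break
        r["records"] += 1
        if func == META_EOF:
            break
        off += rec_len
    return r


def classify(data):
    """'suspicious' if a SETABORTPROC escape is present (found structurally or as
    the raw byte pattern), 'clean' for a WMF without one, 'not-wmf' otherwise."""
    r = walk_wmf(data)
    if r["setabortproc"] or data.count(RAW_PATTERN):
        return "suspicious"
    return "clean" if r["is_wmf"] else "not-wmf"


# --- constructed sample files (no payload; they only exercise the parser) ---

def wmf_record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"            # records are sized in 16-bit words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def escape_record(code, payload=b""):
    return wmf_record(META_ESCAPE, struct.pack("<HH", code, len(payload)) + payload)


def placeable_header(inch=96):
    head = struct.pack("<IHhhhhHI", WMF_PLACEABLE_KEY, 0, 0, 0, 0, 0, inch, 0)
    checksum = 0
    for i in range(0, len(head), 2):     # checksum is the XOR of the first 10 words
        checksum ^= struct.unpack_from("<H", head, i)[0]
    return head + struct.pack("<H", checksum)


def build_wmf(records, placeable=False):
    body = b"".join(records)
    max_words = max(len(rec) for rec in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return (placeable_header() if placeable else b"") + header + body


CLEAN_WMF = build_wmf([escape_record(ESC_NEWFRAME), wmf_record(META_EOF)])
BAD_WMF = build_wmf([escape_record(ESC_SETABORTPROC, b"\x00" * 8), wmf_record(META_EOF)],
                    placeable=True)
BAD_WMF_CUT = BAD_WMF[:52]           # cut inside the escape record's payload
NOT_WMF = b"GIF89a" + BAD_WMF[22:]   # foreign magic in front, WMF records inside

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("bad", BAD_WMF),
                       ("bad-cut", BAD_WMF_CUT), ("gif-magic", NOT_WMF)):
        print(name, classify(blob), walk_wmf(blob))
```

Feed every file from a mail quarantine or proxy cache to `classify()` regardless of its extension; the `NOT_WMF` sample shows why, since nothing in a file name or in the first bytes has to say "WMF" for the escape record to be inside. The structural result is the stronger signal: a SETABORTPROC escape has no place in a metafile that is only going to be displayed, and the exploit needs that record to reach the vulnerable code, so padding or reordering the rest of the file does not hide it from a record walker the way it can from a fixed byte-string signature. The raw 4-byte fallback is that same fixed-string check and inherits its weakness, plus a chance of random hits in arbitrary binary data, so treat its hits as a reason to quarantine and look, not to delete.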
Symantec has released a cleaning tool for the relatively new W32.Secefa family of worms. This new tool covers the following:
You can download this tool here: Symantec Security Response – W32.Secefa Removal Tool
Symantec has updated their Mytob removal tool to include the following:
To date, this tool covers the following
You can download this tool here: Symantec Security Response – W32.Mytob@mm Removal Tool
- SANS Internet Storm Center – "Malicious" Websites
- SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares
- F-Secure : News from the Lab – Nyxem on a world map
- SANS – Internet Storm Center – Preparing for Feb 3rd (CME-24\Blackworm)
- Microsoft Security Advisory Notification – Update for Security Advisory (904420) – Win32/Mywife.E@mm
- F-Secure : News from the Lab – First reports of Nyxem damage
- Microsoft Security Advisory (904420): Win32/Mywife.E@mm (aka Blackworm)
- SANS – Internet Storm Center – BlackWorm Summary – Updated Info
- SANS – Internet Storm Center – More on Nyxem
- SANS – Internet Storm Center – What’s the threat? And who is noticing it? Nyxem_e versus CME 508
- SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info
- Symantec Security Response
- Secunia – Virus Information
- McAfee – Newly Discovered Threats
- SANS Internet Storm Center
- Trend Micro-Virus Information
- F-Secure: News from the Lab
- F-Secure: 50 latest virus descriptions
- Common Malware Enumeration (CME)
- worm blog
- Computer Associates Virus Information Center
- Kaspersky Analyst’s Diary
- Kaspersky’s Viruslist.com
- Panda Software Latest Threats
- Norman: Virus and Security
- Sophos Virus Info
- F-Prot Virus Information
- Sybari Threat Info Center
- Anti-Malware Engineering Team