Re: any script to find renamed wmf files?
- From: Shane <shane@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 03 Jan 2006 11:17:49 +1300
On Mon, 02 Jan 2006 12:04:00 -0800, MSG wrote:
>
> ~greg wrote:
>> found a description of Microsoft Windows Metafile format. here:
>>
>> http://www.whisqu.se/per/docs/wmf.htm
>>
>>
>> However I don't know exactly what shimgvw.dll (or gdi32.dll, or whatever
>> else is involved) is looking for that makes it decide
>> that a .jpg or .gif is really a .wmf, and then "run" it.
>>
>>
>> ------------------------------------------
>>
>>
>> "~greg" <g_m@xxxxxxxxxxxxxxxxxx> wrote in message
>> news:ZNSdnXTr08wzwCTeRVn-jw@xxxxxxxxxxxxxx
>> >
>> > A whole lot of people right now, running Windows, need a script to
>> > check all the image files already on their hard drives to see if any
>> > of them are actually renamed .wmf files.
>> >
>> > It should be trivial to write this,
>> > -if you know what to look for in the files.
>> >
>> > Unfortunately, I don't.
>> >
>> > ~
>> >
>> > (i ask this here, because perl is my preferred language, and because i
>> > think perl users in general may be more familiar with looking inside
>> > files to determine actual file type (?))
>> >
> I am afraid that you have completely missed the point of this whole wmf
> issue:
> Your existing wmf files are ok if your Windows has not already been
> infected. The bad ones come from outside. So the work-around never calls
> for renaming files. Instead you unregister the dll file. Perl won't help
> you for that matter.
I've read today that unregistering what was thought to be the guilty dll
won't save you, and another is under suspicion (gotta love closed source,
feeling round in the dark trying to figure out which file is making you
vulnerable)
http://www.viruslist.com/en/weblog?discuss=176892530&return=1
Going back to the wmf vulnerability itself, we see a number of sites mention that
shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll
has been unregistered and deleted. The vulnerability seems to be in
gdi32.dll.
So while unregistering shimgvw.dll may make you less vulnerable, several attack
scenarios come to mind where the system can still be compromised.
It has to be noted that in this case the attack vector of web browsers
seems significantly smaller than that of explorer+third party programs.
--
<Overfiend> penis jokes are okay in mixed company. VMS is NOT!!!
.
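The check ~greg's original post asked for, as an added example that is not code from any poster in this thread: a content sniffer that walks a directory and flags files named like raster images whose leading bytes are actually a Windows Metafile. It is written in Python rather than Perl, and relies only on the header layouts given in the format description linked above: the 22-byte placeable header (key bytes D7 CD C6 9A, then an XOR checksum over the preceding ten words) and the 18-byte standard header (type 1 or 2, header size 9, version 0x0100 or 0x0300). The JPEG, GIF, PNG and BMP signatures are the standard ones; the file names and sample blobs in `demo()` are constructed for the example.

```python
import os
import struct
import tempfile

# Key of the placeable (Aldus) WMF header, stored little-endian as bytes D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
# Extensions that claim to be a raster image; .wmf/.emf are left out because a
# metafile carrying its own extension is not a rename.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif", ".tiff"}

def standard_header_ok(hdr: bytes) -> bool:
    """Validate the 18-byte standard WMF header (METAHEADER)."""
    if len(hdr) < 18:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", hdr, 0)
    # mtType: 1 = memory metafile, 2 = disk metafile. mtHeaderSize is always 9
    # (16-bit words). mtVersion is 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x).
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def placeable_checksum_ok(data: bytes) -> bool:
    """The placeable header's 11th WORD is the XOR of the ten WORDs before it."""
    words = struct.unpack_from("<11H", data, 0)
    xor = 0
    for w in words[:10]:
        xor ^= w
    return xor == words[10]

def classify(data: bytes) -> str:
    """Identify an image blob from its leading bytes, ignoring the file name."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"BM"):
        return "bmp"
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        # Still report a placeable WMF whose checksum or inner header is off:
        # a damaged or hand-edited metafile is the more suspicious case.
        if placeable_checksum_ok(data) and standard_header_ok(data[22:40]):
            return "wmf-placeable"
        return "wmf-placeable-malformed"
    if len(data) >= 44 and data[40:44] == b" EMF":
        # Enhanced metafile: dSignature 0x464D4520 (" EMF") sits at offset 40.
        return "emf"
    if standard_header_ok(data):
        # A plain (non-placeable) WMF has no magic number, only this header.
        return "wmf"
    return "unknown"

def scan_tree(root: str):
    """Yield (path, claimed_ext, detected) for image-named files holding a metafile."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64)  # every check above fits in the first 44 bytes
            detected = classify(head)
            if detected.startswith(("wmf", "emf")):
                yield path, ext, detected

def build_sample_wmf() -> bytes:
    """Constructed sample: placeable header plus an empty standard header, no records."""
    # key (2 words), handle, left, top, right, bottom, inch, reserved (2 words)
    fields = [0xCDD7, 0x9AC6, 0, 0, 0, 100, 100, 96, 0, 0]
    checksum = 0
    for w in fields:
        checksum ^= w
    placeable = struct.pack("<11H", *fields, checksum)
    # mtType=2 (disk), mtHeaderSize=9, mtVersion=0x0300, mtSize=9 words,
    # mtNoObjects=0, mtMaxRecord=0, mtNoParameters=0
    standard = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
    return placeable + standard

def demo():
    """Write constructed samples into a temp dir, scan it, return sorted findings."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,   # genuine JPEG header
        "logo.gif": b"GIF89a" + b"\x00" * 60,                # genuine GIF header
        "photo.jpg": build_sample_wmf(),                     # placeable WMF renamed .jpg
        "chart.png": struct.pack("<HHHIHIH", 1, 9, 0x0100, 9, 0, 0, 0),  # plain WMF renamed .png
        "diagram.wmf": build_sample_wmf(),                   # honest .wmf, not a rename
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return sorted((os.path.basename(p), e, d) for p, e, d in scan_tree(tmp))
```

`demo()` returns `[("chart.png", ".png", "wmf"), ("photo.jpg", ".jpg", "wmf-placeable")]`; to run the same check over a real tree, iterate `scan_tree("C:/Users")` (or any root) and print what it yields. Note the design choice: the plain WMF header has no magic number, so the `standard_header_ok` test is a structural heuristic and can in principle match an unrelated file whose first six bytes happen to fit; treat its hits as candidates to inspect, not as proof. This is an inventory tool, which is consistent with MSG's point above that files already on an uninfected machine are not where the risk comes from; it says nothing about whether a metafile is malicious, only that its content does not match its name.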
- References:
- any script to find renamed wmf files?
- From: ~greg
- Re: any script to find renamed wmf files?
- From: ~greg
- Re: any script to find renamed wmf files?
- From: MSG