Microsoft has issued a Security Advisory (912840) concerning the recent WMF vulnerability exploit. Microsoft also confirmed the REGSVR32 workaround as a viable solution to protect your PC until they have had time to fully research the vulnerability and issue a patch. The following is a quote from the Microsoft Security Advisory.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%/system32/shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%/system32/shimgvw.dll” (without the quotation marks).
Antivirus and Security Experts at F-Secure advise that this method is more secure than simply filtering WMF content, as many types of image files (.GIF, .BMP, .JPG, .TIF, etc.) could be used in this exploit. F-Secure warns that to date they have only experienced spyware and fake antispyware / antivirus installations with this exploit, but that more serious infections may be coming soon.
View: F-Secure WMF Vulnerability Update
News source: Microsoft Security Advisory 912840
edit: eh... the slashes didn't come out in my post, how does that work?
EDIT2: Wooaa the HTML parser really doesn't like slashes in here!
Last edited by TomAL on 29 Dec 2005 - 16:08
Hopefully those slashes will show up...
Last edited by briley on 29 Dec 2005 - 16:06
thanks neowin
For those who, like me, were wondering:
WMF = Windows Meta File
and how are so many people getting the virus?
isn't it just certain websites that spread it?
and can Windows 2003 Server users get this virus?
Edit: Ack, posted as my Dad rather than myself (this is Shane, I'm at my parents house).
Read the security advisory...mmmkay?!?!
It's an image format, and I've always heard it was "Windows Media Format" or something like that - basically a Windows Media image file (as opposed to audio or video).
I did unregister the Microsoft DLL, but I still get WMF preview. Checking HKEY_CLASSES_ROOT\.wmf shows Nero Digital has also installed a handler. How do I get rid of that?
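As an added example (not part of the thread), a read-only PowerShell check of whether the workaround actually took effect: it prints the .wmf association chain the poster above was looking at in HKCR, and lists every CLSID whose InprocServer32 still points at shimgvw.dll. It assumes a modern PowerShell; the key and value names are the standard COM / file-association registry layout, not values taken from the advisory.

```powershell
# Added example, not from the thread: report who handles .wmf and whether
# shimgvw.dll is still registered under any CLSID. Read-only; run elevated.
$dll = 'shimgvw.dll'

# 1. File-association chain: .wmf -> ProgID -> open command, plus any
#    shell extensions (thumbnail/preview handlers) hung off either key.
$ext = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.wmf' -ErrorAction SilentlyContinue
$progId = if ($ext) { $ext.GetValue('') } else { $null }
Write-Host "HKCR\.wmf ProgID: $progId"
if ($progId) {
    $cmdKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
    if ($cmdKey) { Write-Host "  open command: $($cmdKey.GetValue(''))" }
    foreach ($k in @('Registry::HKEY_CLASSES_ROOT\.wmf\shellex',
                     "Registry::HKEY_CLASSES_ROOT\$progId\shellex")) {
        Get-ChildItem -LiteralPath $k -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Default value of a shellex subkey is the handler CLSID
            Write-Host "  shellex: $($_.Name) = $($_.GetValue(''))"
        }
    }
}

# 2. Every COM class whose InprocServer32 names shimgvw.dll. After
#    "regsvr32 -u" these should be gone; anything left means another
#    installer (or a re-registration) has put the viewer back.
$hits = Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-Item -LiteralPath (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($srv -and ($srv.GetValue('') -like "*$dll*")) {
            [pscustomobject]@{ CLSID = $_.PSChildName; Server = $srv.GetValue('') }
        }
    }
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "$dll is not registered under any CLSID" }
```

Third-party handlers such as the one the poster found show up in the shellex listing by their own CLSID, so the second section can be repeated with that vendor's DLL name to see what registers them.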
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%/system32/shimgvw.dll” (without the quotation marks).
Last edited by #13 dragonfixed on 30 Dec 2005 - 04:10
I can tell you now that you don't want to get this spyware/adware/malware crap that it puts on your system, I spent hours trying to remove it and ended up reinstalling Windows.
regsvr32 -u %windir%\system32\shimgvw.dll
regsvr32 %windir%\system32\shimgvw.dll
According to SANS Internet Storm Center, you need to actually delete/rename SHIMGVW.DLL to prevent it being re-registered by other programs. That's all very nice, but under Win XP we have the wondrous thing called Windows File Protection. In other words, as soon as I delete the DLL, it re-appears (similar to IEXPLORE.EXE if you've ever tried that one).
So, how do you get round that? I have spotted some pages referring to doing a regedit plus hex-editing another system DLL (SFC_OS.DLL) and have tried this approach, but it doesn't work for me. Can anyone explain a confirmed way to prevent the replacing of WFP-protected files?
However, a malicious CMD script could do anything the user could do. So really I don't see that as a risk since running a CMD file requires user interaction.
If you run as a non-admin user, you won't be able to unregister or re-register the DLL. So once again, running non-admin makes you far more secure.