why? :
There's a brand new exploit found in Windows/IE's image renderer. A malformed WMF image can run any code it likes on your computer if manipulated.
Symantec response
To put it simply, if you use Windows, you're at risk.
If you're using IE, even loading an infected image can infect you.
If you're using another browser, you're safe from immeadiate infection, but be warned that the image may still exist in your browsers cache.
Any manipulation of an infected image will result in infection. This includes viewing it, allowing Windows to thumbnail it, or even opening the folder it resides in! Exercise extreme caution.
HOW TO FIX IT
Update your virus protection. If you don't have one installed, NOD32 Trial Edition with the latest definitions will stop it before it can cause damage.
Stop using IE if at all possible.
Note that Google Desktop Search WILL TRIGGER the exploit if it tries to scan an infected image. Disable Google Desktop Search.
The following methods are untested and MAY cause damage to your system. No responsibility is taken for any damage caused.
Disable the built-in Windows component responsible for viewing WMF files. Go to Start - Run, and type
Code: Select all
regsvr32 /u shimgvw.dllYou can re-enable this by using
Code: Select all
regsvr32 shimgvw.dllR1CH of the Something Awful forums has come up with an UNOFFICIAL PATCH.
Here's a patched GDI32 (well, not quite a patch, just a workaround so it isn't possible to jump to arbitrary code). Since GDI32.DLL is constantly in use by Windows, you'll need to find your own tricks to install it. Try closing all apps, running task manager, killing explorer, run cmd prompt (from task manager), close task manager and then replace GDI32.DLL from the cmd prompt. Type 'explorer' to restart the desktop.
Possible alternative install method: rename gdi32.dll to gdi32.old, extract patched version, reboot.
Use ONLY on a fully patched XP SP2 install. If your gdi32.dll 'file version' (right click, properties) isn't '5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)' or SHA-1 hash fa02573ce6239d1c375db93058810fb968390485 then DON'T use this!
<a href="http://r-1.ch/gdi32.zip" target="_blank">http://r-1.ch/gdi32.zip</a>
Ok. Attempt 2. Again, this is ONLY for Windows XP SP2 fully patched systems, with gdi32.dll file version "5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)" and SHA-1 hash fa02573ce6239d1c375db93058810fb968390485.
1. Download http://r-1.ch/gdi32.zip
2. Extract to windows/system32/dllcache. Yes to overwrite.
3. Rename windows/system32/gdi32.dll to gdi32.old
4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/
5. Reboot.
Press "Cancel" to any Windows File Protection prompts.
)
)