My first check was to see if Avast web protection was working. Unfortunately, my avast installation gave no warning. Then I tried the e-mail check, where the online site sends you an e-mail with an infected file with a .jpg extension. Even this was not discovered by my avast installation (I updated my system before I made the tests). I downloaded the file and did an explicit scan on the file. No result.
What is wrong with my avast installation that it misses files with the WMF exploit?
Is there anybody else who can verify? If avast is not able to discover similar files, I’d like to know, because then I need to secure my system in another way.
So far I was really satisfied with avast, but knowing the limits of a program is necessary to protect my system.
Maybe these benign signatures are not recognized.
I checked both hyperlinks with the DrWeb hyperlink pre-scanner, and both came up clear. Notice that Avast already has 73 signatures for various varieties of the exploit. Elsewhere on this forum you can read how to block *.wmf in Avast and how to put sources of infection into a blocklist, see: http://forum.avast.com/index.php?topic=18295.0
Sorry Sgt.Schumann, I was only a little later. D.
If the demo exploits on the heise web site are not discovered, I think it is very likely that other, more threatening exploits in the wild are not discovered either.
I doubt that avast excludes “friendly” exploits which just demonstrate the possibilities. If a demonstration of an exploit is proven by web sites like the heise web site, it just shows that other exploits may not be discovered by avast or other scanners. At work the McAfee scanner, however, discovered the heise demonstration.
Maybe if you did download this exploit demo, you could try and upload it to Jotti.de or to VirusTotal, just to see which virus scanners detect it, as you say that some do. Would be interesting to know, ;D
Just go to the heise web site, there you can download it. In the meantime I did install the (unofficial) patch by Ilfak Guilfanov. This is tested by the Internet Storm Center (sans.org).
AntiVir 6.33.0.70 01.02.2006 no virus found
Avast 4.6.695.0 01.02.2006 no virus found
AVG 718 01.02.2006 no virus found
Avira 6.33.0.70 01.02.2006 no virus found
BitDefender 7.2 01.01.2006 Exploit.Win32.WMF-PFV
CAT-QuickHeal 8.00 01.02.2006 no virus found
ClamAV devel-20051123 01.02.2006 Exploit.WMF.Gen-3
DrWeb 4.33 01.02.2006 no virus found
eTrust-Iris 7.1.194.0 01.01.2006 no virus found
eTrust-Vet 12.4.1.0 01.01.2006 Win32/Worfo
Ewido 3.5 01.02.2006 no virus found
Fortinet 2.54.0.0 01.02.2006 W32/WMF!exploit
F-Prot 3.16c 01.02.2006 no virus found
Ikarus 0.2.59.0 01.02.2006 no virus found
Kaspersky 4.0.2.24 01.02.2006 Exploit.Win32.IMG-WMF
McAfee 4665 01.02.2006 Exploit-WMF
NOD32v2 1.1349 01.02.2006 probably a variant of Win32/Exploit.WMF
Norman 5.70.10 12.31.2006 no virus found
Panda 9.0.0.4 01.02.2006 Exploit/WMF
Sophos 4.01.0 01.02.2006 no virus found
Symantec 8.0 01.02.2006 no virus found
TheHacker 5.9.2.067 01.02.2006 Exploit/WMF
UNA 1.83 01.02.2006 no virus found
VBA32 3.10.5 01.01.2006 no virus found
Most of these detections are possible with generic signatures. Hopefully Alwil team will release something similar.
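To illustrate what such a generic signature looks like, here is an added Python example; it is not code from this thread or from any of the scanners listed above. It walks the WMF record list (with or without the optional placeable header) and flags Escape records whose sub-code is SETABORTPROC, the record type that the WMF vulnerability discussed in this thread abuses, instead of matching one specific demo file. The format constants come from the public Windows Metafile specification; the helper names and the two sample files are mine, constructed inline, and carry no payload.

```python
import struct

# WMF constants from the Windows Metafile format (not taken from the thread).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header
META_ESCAPE = 0x0626           # function word for an Escape record
META_SETBKCOLOR = 0x0201       # harmless record used in the benign sample
META_EOF = 0x0000
SETABORTPROC = 0x0009          # escape sub-code handled by the vulnerable path


def iter_wmf_records(data: bytes):
    """Yield (offset, function_low_byte, params) for each record in a WMF blob.

    The high byte of the function word is only a parameter-count hint, so a
    detector compares the low byte alone rather than the whole word.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:                         # size + function is the minimum
            break
        rec_len = size_words * 2
        params = data[off + 6:off + rec_len]       # truncated if the size lies
        yield off, function & 0xFF, params
        if function & 0xFF == META_EOF:
            break
        off += rec_len


def find_setabortproc(data: bytes) -> list:
    """Return offsets of Escape records whose sub-code is SETABORTPROC."""
    hits = []
    for off, code, params in iter_wmf_records(data):
        if code == (META_ESCAPE & 0xFF) and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample files (hypothetical, built here for the demo) ---------

def _record(function: int, params: bytes) -> bytes:
    """Build one WMF record: size in words, function word, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def _wmf(records: bytes, placeable: bool = False) -> bytes:
    """Wrap records in a standard header (and optionally a placeable header)."""
    body = records + _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    if placeable:
        header = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


_BKCOLOR = _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))
# An Escape record carrying the SETABORTPROC sub-code and a zero-length body:
# enough to trip a generic signature, but it contains no code of any kind.
_ESCAPE = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))

BENIGN_WMF = _wmf(_BKCOLOR)
SUSPECT_WMF = _wmf(_BKCOLOR + _ESCAPE)
SUSPECT_PLACEABLE = _wmf(_BKCOLOR + _ESCAPE, placeable=True)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("suspect+placeable", SUSPECT_PLACEABLE)]:
        print(name, find_setabortproc(blob))
```

The detector matches on the record type rather than on bytes of any particular sample, which is why it also fires on the placeable-header variant; matching only the low byte of the function word keeps it robust against files whose parameter-count byte is bogus.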
Welcome back tECHNODROME
You’ve not been around for a while…
As far as I can find in these forums, Alwil team does not intend (in a short period) to implement heuristic (generic) scanning.
The following was posted on the freedomlist.com antiSPYWARE forums yesterday:
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ here ).
There seems not to be a general consensus concerning what to do.
MS Security Advisory does not recommend this solution, but to use their dll unregister. The last version of the advisory (912840) says that an official patch is ready and that only testing remains. They hope it will be available in a week!
I have read a lot of the writings and decided not to run the unofficial patch.
No one knows what is the best thing to do, I think.
[b]hlecter wrote:[/b]
I can confirm that both the webshield and standard shield on my machine give me a warning on said page.
The malware is named WMF Exploit.
I have to turn off the webshield to test the standard shield! Grin
The newest pattern did it for me. I hope avast did not just add the heise.de demo exploit to their pattern but has a more general approach to detecting variants of this exploit. There seem to be virus generators out in the wild which allow almost anybody to inject harmful code into wmf files.
Nice job done by avast having solved this issue fast.
Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from “unknown” sources, but this patch was examined by sans.org and if you don’t trust them, you could look at the source code yourself. Removing was painless and as far as I can tell it left nothing behind.
Of course I Trust Sans.org.
But MANY people have had problems with the unofficial patch.
So I was in doubt. But I decided to wait for the official patch.
I think about e.g. localization problems in my Norwegian version of XP. MS are making patches for 20+ languages.
Here is a bit from the advisory:
"
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.
As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.
Microsoft cannot provide similar assurance for independent third party security updates.
"
You are the first one who reports problems with that patch. I run a German XP Pro version at home and in the office in a Novell environment (Yes! No AD!) and have so far not experienced any problems (2 days). My colleagues installed it as well → no problems.
Of course MS recommends official patches, but waiting until the official patch day next week to supply a patch for a really dangerous exploit is in my opinion more than irresponsible. The unofficial patch only shows how fast a feasible solution can be accomplished by just ONE programmer! MS for sure has more than one experienced programmer. This unofficial patch shines a bad light on MS, in my opinion.
Additionally, this patch shows how fast the free community can come up with solutions!
No, this detection is really a generic detection of the “exploit” itself - the previous detections (Win32:Exdown) were removed from the database.
I like that statement ;D
I mean, the author’s name is probably not very-well known to common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org’s in the world.