IT Excuse Generator

Add to Google

January 02, 2006

WMF exploits show the weaknesses OR why you shouldn't use a free anti-virus


All versions of Microsoft Windows including Windows 98, ME, NT, 2000, and XP are known to be vulnerable to a flaw in Windows' handling of WMF graphics files. There are already hundreds (and still growing) malicious variants that utilize this vulnerability circulating in the wild. These variants are being used to install all types of malware (spyware, Trojans, worms, rootkits, IRCBots, file servers, and spam relays.)

You can be infected simply by viewing any web page that contains a malformed WMF graphic or by opening an e-mail with one present in it! Someone can include one of these graphics in their signature on a message board or they can be placed on trusted sites by malicious users in other ways. Worms are also spreading these malformed images over Instant Messaging. In cases of e-mail, note that it doesn't have to be an attachment that has to be manually downloaded or clicked on, just opening the e-mail with one can infect you.

eWeek has published an interesting analysis of how Anti-Virus companies have responded to this problem:

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 eTrust-VET
* 62 QuickHeal
* 61 AntiVir
* 61 Dr Web
* 61 Kaspersky
* 60 AVG
* 19 Command
* 19 F-Prot
* 11 Ewido
* 7 eSafe
* 7 eTrust-INO
* 6 Ikarus
* 6 VBA32
* 0 Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

For years I've griped about all the free anti-virus solutions and how they over and over fail to protect their users from new viruses in the wild. These programs simply do not check for updates often enough or their authors don't provide updated definitions quickly enough. In the meantime their users are woefully unprotected.

You see, an anti-virus program is only as good as its definitions. The definitions tell the anti-virus what to look for in a file to determine if its malicious or not. There is no magic to them, they're simply searching for a string of words or characters that's present in the virus. Without new definitions the anti-virus is useless! (By the way, don't anyone bother mentioning Heuristics; they're not anywhere close to a fail-safe solution as they're just looking for minor variations of the original string or method of infection.)

If you're using one of the anti-virus programs in the first list you are somewhat protected. But if you are using one of the anti-virus programs on the second list you might as well move your computer to your front sidewalk because you'd have a better chance that someone walking by wouldn't install something nasty or outright steal the computer.

This entire situation also just goes to show the absolute ineptitude of Microsoft and their inability to quickly provide a working fix to keep their products safe. As of this writing, Microsoft's so called fix, still leaves you vulnerable. But, thank goodness for people like Ilfak Guilfanov and Steve Gibson. Steve has written in detail about the WMF exploit and also posted a link to a program by Ilfak Guilfanov that temporarily fixes it.

In conclusion, if you're not running one of the anti-virus programs in the first list I strongly urge you to purchase one. (But, I absolutely don't recommend McAfee or any product by Symantec.) If you haven't been infected by this its only because your anti-virus has been doing its job or you've been very lucky. Nod32 by Eset is what I use. (Eset is very quick to release new definitions and it checks for updates hourly. It also utilizes very few system resources and memory so it won't slow down even the oldest/slowest system.)

UPDATE: Microsoft has finally gotten off their duff and released an official fix or you can download it and other critical and important security patches from Microsoft Update.
IMPORTANT: Be sure to uninstall Ilfak Guilfanov's temporary hotfix using Add/Remove programs and reboot before applying Microsoft's patch. Before updating you should also reregister the service if you removed it previously.

Posted in Computing & Tech News , Microsoft & Windows by usrbingeek at 2006-01-02 20:49 ET (GMT-5) | 3 Comments | Permalink


I believe you mean "griped", not "gripped"... in my humble opinion.

ClamAV, the antivirus poster child of the open source community, is very dependable. Has been for around 5 years. You'll notice it's on the first list, and it's free. I think one compromise in the "dont use if it's free" rule is ok, considering the major compromise you've suggested in not using McAfee/Symantec... major antivirus programs that boast all the strengths of a healthy corporate backing.

Posted by: Justin Walters at January 3, 2006 11:43 AM


Oops. stupid typo. Thanks for bringing that to my attention.

I wasn't aware of ClamAV or that its free. I'll have to look into that one and how it has done in the past.

I meant to mention in the article why I don't recommend McAfee and Symantec but I must have forgot.

While McAfee is typically always on top of new virus in the wild, their solution utilizes more memory and resources than it should and can tax even some faster systems. A lot of virus also specifically target it upon infection and disable it quite easily.

In my opinion, all Symantec products are a steaming pile of crap. They're all bloated with useless features that we're added only to look good on a box and as to help justify a new version number. Users having the perception, newer is better, will believe they *must* upgrade. But in fact, these new versions don't offer any real world benefit. They only accomplish in using more memory and CPU cycles and opening memory leaks. Additionally, should you ever need to uninstall the P.O.S. you can never get rid of all of it automatically because Symantec can't seem to even program a simple uninstaller to work as it should. You're left with dozens of registry calls some of which create cryptic error messages that confuse novice users and it also fails to uninstall some automatically running services. These continue to load and use up memory, cause system slow downs and/or crashes. In every area Symantec operates there are much better solutions out there, typically at a lower price point too.

Its baffling that Corporate IT departments don't try to fight management and take steps to move their company away from them. If it wasn't for Symantec's positive perception and name recognition among management (who are novice computer users) you wouldn't see many companies sticking with their inferior products.


Posted by: usrbingeek at January 3, 2006 12:46 PM

I would also like to point out that Avast by Alwil Software (the first program on your list) is a free program for home users.

Posted by: George at January 15, 2006 03:07 AM

This web site is provided "as is" with no representations or warranties, and confer no rights. We are not liable for omissions or typographical errors contained in the content. Use at your sole risk.
The opinions expressed here do not necessarily represent any other entity or party we may have a connection or affiliation with.
usrbingeek, usr bin geek,, #!/usr/bin/geek are trademarks of usrbingeek LLC. All other trademarks and tradenames are property of their respective owners.