WMF Vulnerability Checker

It seems that many users installed the hotfix for the WMF vulnerability on their machines.


The fix was first mentioned by F-Secure in their useful blog
http://www.f-secure.com/weblog
and its technical details were explained in precise detail by Steve Gibson (Thanks, Steve!)
http://www.grc.com/groups/securitynow:423
However, there is no safe way to tell if your system is vulnerable. Here is a small utility to address this problem. You can download it from the following link:
http://www.hexblog.com/security/files/wmf_checker_hexblog.exe
When run, it displays this dialog box:

and then proceeds to testing.
If your system is vulnerable, you will see this dialog box:

and if your system is not vulnerable, another dialog box will be displayed:

Please note that when the second dialog box appears on the screen, it just means that this particular attack against your computer failed. There might be other attacks we are not aware of.
Do not use this check as a definite answer to the WMF vulnerability question. But if your system was vulnerable, it should be invulnerable after installing the hotfix and display the second dialog box. In other words, you can use this checker as a means to verify that the hotfix is doing its job. One more word of caution: do not forget to reboot your computer after the installation. If you do not reboot it, the checker will tell you that the system is invulnerable, while some system processes that were started before the installation will still be vulnerable.
I have tested the checker on XP SP2 and XP 64bit. If you try it on other machines, please let me know about the results.
Files: wmf_checker_hexblog.exe
wmf_checker_source.zip
UPDATE: New version which does not use a drop file. The checker is now small.


63 Responses to WMF Vulnerability Checker

  1. Thank you for the tool, Ilfak! Thought I’d report some results.

    I tested this on two systems.

    System #1:

    • Windows XP Pro SP2
    • All Microsoft Windows Updates applied
    • Ilfak’s hotfix applied
    • SHIMGVW.DLL unregistered
    • Symantec AntiVirus Client 9.0.0.338, scan engine 51.3.0.11
    • Symantec Virus Definitions 2006-01-01 rev. 7

    System #2:

    • Windows 2000 SP4
    • Missing a few more recent Windows Updates
    • Ilfak’s hotfix NOT applied
    • SHIMGVW.DLL unregistered
    • Symantec AntiVirus Client 8.1.0.825, scan engine 4.2.0.7
    • Symantec Virus Definitions 2005-12-30 rev. 4

    In both cases, Symantec Antivirus intercepted the attack attempt as “Bloodhound.Exploit.56” before the test successfully completed, and while Symantec Antivirus displayed the Auto-Protect Scan Notification window, wmf_checker_hexblog.exe displayed an error message indicating that it was unable to open the metafile in the Local Settings\Temp folder.

    On the surface this appears to be a good thing for me, in that my systems appear to be secure — however my concern is that I may get a false sense of security from the Symantec AntiVirus detection.

    What precisely does wmf_checker_hexblog.exe do? Do you believe it likely, based on the fact that Symantec AntiVirus blocked this test, that it will block other more malicious attempts?

    Thank you for your tireless efforts on this. I eagerly await an MSI-based hotfix installation method so that I can deploy your patch via Active Directory.

    Keep up the incredible work!

  2. rm20010 says:

    Hi,
    After your tool dropped the ig139E.tmp file in the Temp folder, NOD32 intercepted it and detected as ‘probably a Win32/Exploit.WMF trojan’.

  3. Another test:
    * Windows 2000 SP4. Up to date with MS official patches and fixes.
    * Ilfak’s hotfix applied
    * SHIMGVW.DLL unregistered
    * F-Prot with 01/01/06 virus definitions
    The program works fine under these conditions.
    Keep the good work, Ilfak ;)

  4. Hi and thanks for your tools. I appreciate your work very much. Here are my results:
    - Citrix MetaFrame1.8 on a Win2000 Advanced Server
    - SP4 with all hotfixes and sec rollups installed
    - Patch wmffix_hexblog13.exe installed, rebooted, OK
    - Tried running wmf_checker_hexblog.exe: First I see a dialog box: ERROR: can not open metafile bla…bla…\igX.tmp, (X seems to increase with every attempt to run the tool), then Norman Virus Control gives me an alarm and sends me an alert message:
    ALARM:
    Virus infected:
    Virus name: ‘W32/Exploit.Gen’
    Should I really turn off the on-access scanner so I get a result from your tool, or is it sufficient to know that NVC detects this type of attack?
    all the best,
    Dietmar

  5. AdamB says:

    You asked for results on other systems so I tried an obscure option.
    Running it under wine on Suse 9.3 it runs fine and reports Not Vulnerable.

  6. Asking for help says:

    First of all, if you have Norton, when the checker is executed, Norton (updated) doesn’t allow it to continue (it shows . Finally the checker says it can’t work because it hasn’t found the file needed. Maybe Norton protects now against this bug?
    On the other hand, I have problems because porn websites are opened if I connect to the Internet. In Firefox they ask for opening a wmf file. The problem is I cannot do anything to avoid the websites. I can only avoid opening the infected files (well, as I said, Norton does it).
    Has anybody complained about a similar version of the bug?
    Sorry for my English, I’m Portuguese

  7. Dan Wright says:

    Download of your test program is blocked by SonicWall Gateway Anti-Virus as “WMF.A”
    I can also confirm that SAV 10 with the 12/30 rev.9 definitions blocks the checker from accessing the temp file.
    Dan

  8. Christian Charles says:

    System: Windows 98 SE
    Virusscanner: Norton Anti Virus 2001, Virusdefinitions 2005-12-31
    Ilfak’s Hotfix: NOT applied, Win98SE not supported
    SHIMGVW.DLL: NOT unregistered, does not exist on Win98SE
    - With activated on-access virus scan: same result as the first poster Shaun Crossley mentioned; NAV reports the Bloodhound.Exploit.56 infection and prevents wmf_checker_hexblog.exe from opening the file; wmf_checker_hexblog.exe shows the appropriate error message.
    - Without activated on-access scan: After I press OK on the first dialog, wmf_checker_hexblog.exe crashes without showing either the “vulnerable” or the “invulnerable” dialog box.
    IMHO this on the one hand supports the announcement, win98 is vulnerable, on the other hand it indicates the exploit code contained within wmf_tester.wmf, showing the “vulnerable” message box, does not work on win98.

  9. Les says:

    Norton Internet Security blocks download of your test program. The Norton Alert Assistant identifies the .exe file as an “HTTP Windows WMF Code Exec” attack.
    Good news, as this is the first evidence I’ve had that Norton is starting to harden the target.
    Installation of your 1.3 patch on a Win 2000 Pro SP4 system (fully patched) system was uneventful, but the patch is listed as “1.2″ in Add/Remove Programs.
    Add/Remove Programs identifies your 1.3 patch incorrectly as version 1.2, by the way. Thanks for all your work providing these tools. I second the motion that you put a PayPal button on your site.

  10. WMF vulnerability checker

    The same person that has given the New Year’s gift of an unofficial patch for the WMF exploit circulating has also provided a WMF vulnerability checker, download and install, it will tell if you’re vulnerable. Post is available here. Acco…

  11. More malware based on the WMF vulnerability, and an unofficial patch

    Anyone would say that my previous blog entry, which used the Happy99 payload to wish everyone a happy new year and to remind people to be careful with virtual greeting cards, was premonitory. But the truth is that it deserves no credit at all; all the we…

  12. Doug Goss says:

    We are applying the patch to our corporate network as I type this.
    The wmf_checker_hexblog.exe file is showing the installs are successful so far. Is there any chance of a network scan to pick up machines that are vulnerable?
    Thanks for the effort and expertise.
    Doug Goss

  13. ilfak says:

    This comment is here to mark the new version of the checker. The new version does not use a drop file and is much smaller.

  14. Christian Charles says:

    System: Windows 98 SE
    Virusscanner: Norton Anti Virus.
    Ilfak’s Hotfix: NOT applied, Win98SE not supported
    SHIMGVW.DLL: NOT unregistered, does not exist on Win98SE
    The new version of the checker does not trigger a virus message anymore. It, however, shows the “Your system seems to be invulnerable” dialog. This is strange since Win98 is assumed to be vulnerable.

  15. Anonymous says:

    If the program says ‘invulnerable’ then the attack failed – the exploit code was not executed for some reason.
    Who knows, it might be that Win98SE is invulnerable. I do not have this system here, nor gdi32.dll from it, so I can not tell anything with reasonable certainty.

  16. Frank Bulk says:

    It’s interesting to note that Microsoft’s own antivirus, bundled in the beta version of OneCare, does not detect the checker as a virus. My virus definitions are dated from today, January 1st.
    Reading
    http://www.windowsonecare.com/secinfo/wmf1228.aspx
    would suggest to a casual reader that OneCare protects computers from the WMF exploit, but all it says is that it protects against known malware, of which the WMF exploit is not one of them. Just the results. =(
    Frank

  17. Anonymous says:

    I think this requires a clarification:
    The WMF checker is written in a way to avoid any detection from AVs. This is quite normal and does not mean that your AV software is flawed. The fact is that you can not make any conclusions about your AV software based on the results.
    Use the results to judge only about the vulnerabilty. Your AV software does not make your system invulnerable. It works differently: protects your system against known malware.

  18. Bob Trevithick says:

    On my XP Home SP2 machine, your program worked fine and reported that I was protected.
    However, my NOD32 AV objected to the .zip file, warning that it was “probably a variant of Win32/Exploit.WMF trojan.”
    One thought for you. From the page it appears that if one is not protected the message one receives is a window labeled “Error.” I feel this is confusing. There is probably no error.. your program is probably *correctly* reporting that the machine is vulnerable. A minor point, I know…
    Great work!! Thank you!!!
    Bob

  19. Joshy says:

    Thanks! for your work, is there any large network support for deployment?

  20. Wmf Vulnerability Checker

    Not only has Ilfak Guilfanov released a patch for this vulnerability, but he also created a program that will let you know if your computer is vulnerable. You can find information about this vulnerability checker here:
    http://www.f-secure.com/weblog/archives/archive-012006.html#00000760

    WMF FAQ

  21. Michael Chang says:

    Tested new version on a Windows 98 SE machine with most Windows Update patches up to Sept-2005. Your test program reports invulnerability, although we don’t know if there are alternative ways to exploit the problem on 9x.
    How does the new check work? Do you still have the old version which uses a drop file?
    The question is probably how the microsoft image rendering code differs in 9x, ME, and anything later than 2000 (e.g. XP, XP-64, 2003, Vista, etc.) – such as the dll used to handle it.
    Do you need a copy of the DLLs from a Windows 98 or 95 system in order to attempt writing patches for them, or just the knowledge of the underlying dll layout?

  22. Mike Bacon says:

    Installed the hotfix but I am not able use the print/fax viewer. I thought this was supposed to be installed after unregistering the MS DLL. Is the MS DLL supposed to be registered?
    Thanks! Mike

  23. Bob Trevithick says:

    Mike,
    I don’t believe you are supposed to have to unregister anything. The initial advice was to unregister one .dll, but I believe the correct approach now is to re-register that one .dll (I forget its name) and then simply run the hotfix.
    HTH,
    Bob

  24. Alan says:

    Thank you for the tool, Ilfak!
    Run on XP/Pro SP2 with McAfee 8.0i with On-Access Scan enabled; your 1.3 HotFix installed, DLL still registered, the *.TMP file you drop into the ‘temp’ folder shows as a zero bit file.
    The McAfee log shows:
    “Would be blocked by behaviour blocking rule (rule is currently in warn mode) ATHLON\Alan iexplore.exe C:\Documents and Settings\Alan\Local Settings\Temporary Internet Files\Content.IE5\OPIV4DAZ\wmf_checker_hexblog[1].exe Prevent Internet Explorer from launching anything from the Temp folder Action blocked :Execute”

  25. Alan says:

    Please ignore previous post. Checker shows system “INVULNERABLE”, 0-byte tmp file created, McAfee @ DAT version 4664 (current) shows nothing.
    Log entries above are from installing Hotfix 1.3 from the web rather than saving and then installing from disk.

  26. CastleCops says:

    Hot off the press: WMF Vulnerability Checker

    As you’ve read in the security alert concerning the WMF exploit there are very limited tools to patch…

  27. dom says:

    Thanks for your fix and tool, Ilfak!
    TrendMicro OfficeScan (Engine 8.000 / Pattern 3.139.00 / DCE 3.98 / DCT 692)
    didn’t detect any virus.
    Even if you manually scan ‘wmf_checker_hexblog.exe’.
    Best regards,
    dom

  28. Following up to my previous comment, the first in this thread:

    With wmf_checker_hexblog 1.1, the new results are as follows:

    • System #1: No vulnerability detected – system appears to be invulnerable to the WMF exploit.
    • System #2: Your system is vulnerable to WMF exploits!

    This is exactly as anticipated, because System #2 had not been hotfixed yet.

    After applying wmffix_hexblog13.exe to System #2 (but before rebooting) wmf_checker_hexblog 1.1 reports that the system is now invulnerable to the WMF exploit.

    So, to recap — Version 1.1 of wmf_checker_hexblog is no longer detected by Symantec Antivirus.

    Looks great! Now to deploy it automatically via Active Directory… :-)

  29. Kevin Frey says:

    Thank you very much for your continued contributions to the IT security community. What I don’t understand is why Microsoft cannot act with the same speed to resolve the issue…
    I have successfully deployed your MSI (v1.3) via Group Policy in my testbed.
    You are an asset to all of us and thanks again! I have referred to your fix in my blog to help spread the word.
    -KevFrey

  30. WMF Vulnerability Checker tool from IDA guru out

    A new Windows Metafile Vulnerability Checker tool has been released on Sunday. This little utility of four kilobytes simply reports if there is a vulnerable component in the system. If the result is positive, it recommends downloading an unofficial hotfix

  31. Juha-Matti Laurio says:

    The updated version works fine in one of my Windows 2000 SP4 fully patched test machines and reports system as vulnerable. There was no alert from AV when new version of the tool was in use.
    Thanks again for the tool!

  32. Pulling Microsoft’s chestnuts out of the fire

    … a renowned developer who has nothing to do with the Redmond folks and who has recently published a tool to detect vulnerable systems (almost all W…

  33. Ilfak,
    Thank your for your great work. Just wondered if it would be possible to update your checker to return errorlevels / allow automation as this will greatly help people reduce the impact. e.g. running your checker from a login script or startup script and then acting accordingly.
    e.g.
    0 = system ok
    above 1 = system vulnerable
    (allowing for expansion)
    Many thanks
    Richard

  34. Zoltan says:

    Thank you very much for the hotfix, you have done a great job!
    My OS:
    Windows XP Pro SP1 with all patches
    your patch applied
    shimwv.dll NOT unregistered
    Avast antivirus 4.6.744 home edition with 0552-4 definitions file (made 2005.12.30)
    Webroot 4.5.7 (free edition) with version 594 def. file.
    After launching your test program, neither Avast nor Webroot signaled. But I know for sure Avast recognised the first version of the exploit as Win32.Exdown, and Webroot blocked some pages which contained the exploit. I experienced it.
    The test result was my system “seems to be invulnerable”.
    Thank you again, and happy new year!

  35. matti saari says:

    Hi!
    I have an NT 4.0 SP6a system. I tested with Ilfak’s program whether my system is open to vulnerability exploits. The answer according to the program was yes. But my system could not run the hotfix. Is the only possibility to change to XP? Thank you Ilfak in every case for the good work.
    Matti Saari

  36. Ernie says:

    XP Prof (Fully MS patched)
    Avast AV (fully updated)and using *.wmf in Web Shield URL blocking
    Sygate Per Firewall
    Patch installed yesterday with no adverse effects.
    Your checker shows I am safe.
    Might be a stupid question but how often do you recommend running this checker?

  37. john smith says:

    AVG (with latest update) didn’t complain about your vulnerability checker.
    Thanks for all of your work on this issue.

    js

  38. ilfak says:

    Thank you everyone for using the fix! I’m glad that it works and protects us all!
    —————-
    Richard,
    The checker returns error codes exactly as you described: 0 is everything ok and 1 if the system is vulnerable (or any other error).

  39. Leo de Geus says:

    Hi,
    Tool tested on XP pro SP1 and AVG latest version. Everything ok.
    Thanks,
    Leo

  40. Peter Upfold says:

    Norton Internet Security 2005 with defs as of 30/12/2005 blocks the download saying ‘A recent attempt to attack your computer was blocked’. Further investigation shows ‘HTTP Windows WMF Code Exec’ was the intrusion detection signature used. It even blocks all traffic to and from your site for 30 minutes after it detects the initial attempt.
    Good work creating the temporary fix, btw. :)

  41. Jamie Cockrill says:

    Thank you for the HotFix.
    I was just wondering, much has been reported of indexing services (such as Google Desktop) triggering one of these WMF thingies. Does this HotFix protect against such programs accidentally opening one of these malicious files?
    Thanks

  42. Elmar van Ginneken says:

    Windows 95 US: vulnerability checker reports no vulnerability has been detected.
    Yes – this W95 is still in active use and online 24/7.
    It’s not running any resident virus scanner or firewall (but is behind a router). Maybe W95 is simply immune to attacks these days because it can’t handle today’s sophisticated viruses? ;)

  43. Knox says:

    Hi,
    I tried the program on my system and it crashed! That’s a good thing because I have Data Execution Protection turned on for all programs and that’s what it should do when something attempts to execute code in a data segment.

  44. Tao says:

    FYI, this tool DOES report that the system is (probably) safe, even when you have not yet rebooted after installing the unofficial hotfix.
    This is Not correct, because any processes that were already running before you ran the install (including explorer image preview, google indexing, any open internet explorer windows, etc) are STILL VULNERABLE!.
    For the hotfix to work correctly, the computer must be rebooted during/after installation.

  45. ilfak says:

    Tao,
    You are absolutely right!
    One has to reboot the computer after the installation and this is explained above. Maybe the program should check if the computer has been rebooted, but is there any way of doing it?
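    The following login-script example is added here for this thread; it is not code from the hexblog post or from the checker itself. It addresses two requests in the comments at once: Richard’s wish (comment 33, answered in comment 38) to drive the checker from a login script using its exit code, and the question above about detecting a missing reboot. Assumed, and to be replaced by real values: the checker is copied to a share at the placeholder path CHECKER, results are appended to a log at the placeholder RESULT_LOG, and the step that deploys the hotfix writes a local marker file (MARKER_NAME under %SystemRoot%) when the install finishes. The exit codes are those stated in the author’s reply: 0 = system OK, 1 = vulnerable or any other error.

```vbscript
' Added example for this thread, not code from the hexblog post or from the
' checker itself. Assumed (placeholders): the checker lives on a share at
' CHECKER, results are appended to RESULT_LOG, and the hotfix deployment
' step writes a local marker file (MARKER_NAME under %SystemRoot%) when the
' install finishes. Exit codes follow the author's reply in this thread:
' 0 = system OK, 1 = vulnerable or any other error.
Option Explicit

Const CHECKER      = "\\server\share\wmf_checker_hexblog.exe"   ' placeholder path
Const RESULT_LOG   = "\\server\share\wmf_results.log"           ' placeholder path
Const MARKER_NAME  = "\wmffix_installed.txt"                    ' placeholder name
Const ForAppending = 8

Dim shell, fso, net
Set shell = CreateObject("WScript.Shell")
Set fso   = CreateObject("Scripting.FileSystemObject")
Set net   = CreateObject("WScript.Network")

' Boot time from WMI. LastBootUpTime is a CIM datetime string; SWbemDateTime
' converts it to a VBScript Date in local time so it can be compared below.
Function LastBootTime()
    Dim wmi, item, dt
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set dt  = CreateObject("WbemScripting.SWbemDateTime")
    For Each item In wmi.ExecQuery("SELECT LastBootUpTime FROM Win32_OperatingSystem")
        dt.Value = item.LastBootUpTime
        LastBootTime = dt.GetVarDate(True)
    Next
End Function

' The checker is a fresh process, so it reports OK as soon as the hotfix is
' installed; processes started before the install stay unpatched until the
' machine restarts. Compare the boot time with the marker's write time.
Function RebootedSinceInstall()
    Dim marker
    marker = shell.ExpandEnvironmentStrings("%SystemRoot%") & MARKER_NAME
    If Not fso.FileExists(marker) Then
        RebootedSinceInstall = False   ' no install record: do not assume a reboot
    Else
        RebootedSinceInstall = (LastBootTime() > fso.GetFile(marker).DateLastModified)
    End If
End Function

' Run the checker and wait for its exit code (third argument = wait for exit).
Dim rc, status
rc = shell.Run("""" & CHECKER & """", 0, True)
If rc <> 0 Then
    status = "VULNERABLE_OR_ERROR"
ElseIf Not RebootedSinceInstall() Then
    status = "OK_BUT_REBOOT_PENDING"
Else
    status = "OK"
End If

' One line per host, so machines needing attention can be listed from the
' log later (for example with findstr VULNERABLE \\server\share\wmf_results.log).
Dim log
Set log = fso.OpenTextFile(RESULT_LOG, ForAppending, True)
log.WriteLine Now & vbTab & net.ComputerName & vbTab & "rc=" & rc & vbTab & status
log.Close

If status = "OK_BUT_REBOOT_PENDING" Then
    shell.Popup "The WMF hotfix is installed, but this computer has not been restarted since. Please reboot.", 30, "WMF hotfix", 48
End If
```

    Two caveats on the design: the checker still shows its own dialog boxes, so the script blocks until the user dismisses them, and a non-zero exit code covers both “vulnerable” and “could not run”, so the log should be read as “needs a look” rather than as a definite vulnerable list. The marker-file comparison is deliberately conservative: a missing marker is reported as reboot pending rather than as OK.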

  46. Always says:

    These files are also being spread as torrents!
    You can find them on the myBittorrent – Bittorrent Directory for example.

  47. Changes between the current version and version 1 are highlighted.

    Although it is unofficial, a patch for the WMF vulnerability from SUNS has been relea…

  48. LFR says:

    Tested the checker on a WindowsME machine with up to date Microsoft patches.
    It shows no vulnerability.
    Thanks for all your good work over the last few days.
    I installed your patch on my two WindowsXP Pro machines and they both also show as no longer vulnerable to this particular exploit.

  49. Chris Jones says:

    Tested on:
    Windows 2000 SP4
    DLL unregistered
    hotfix applied
    running AVG Free Edition and Zonealarm
    The utility reports no vulnerability, generates no other alerts.

  50. Kevin says:

    The message from Microsoft on this vulnerability lists Windows 98 as an affected OS. I have a few older relatives that are still running this OS. I need to get them the proper information on how to protect their machines. There’s nothing about how to work around the problem for this OS.
    Any suggestions?
    Thanks

  51. noddy says:

    Tested on 2 separate Win98SE, AVG Free 7, ZAPro boxes without any fixes etc.
    Utility reports ‘NOT vulnerable’ on either box.
    AVG Free 7.1.371 updated (Virus Base 267.14.10/218) moments before testing does not detect anything when downloading utility or when testing with it! HTH and thanks for all your hard work!!

  52. Jay Nickson says:

    I strung up a Win 98 SE y2k as is, the vulnerability checker indicated no vulnerabilities.

    Also SHIMGVW.DLL ~exist on the drive.

    I’ve still got images turned off in Opera and Thunderbird. Belt, suspenders and rope, if you please

  53. Anonymous says:

    Windows Server 2003 Version 3790 (Service Pack 1) UP Free x64
    Product: Server, suite: Enterprise
    kernel32.dll version: 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
    Access violation – code c0000005
    eax=00000000 ebx=00000000 ecx=000001c4 edx=00000034 esi=00214e9c edi=142101b2
    eip=00214e84 esp=0012fb08 ebp=0012fb84 iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
    00000000`00214e84 e800000000 call 00214e89
    ChildEBP RetAddr
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0012fb04 7d83376d 0x214e84
    0012fb84 7d829e66 GDI32!CommonEnumMetaFile+0x233
    0012fb9c 004010a9 GDI32!PlayMetaFile+0x14
    0012fff0 00000000 wmf_checker_hexblog+0x10a9

  54. Steve Dodd says:

    As other posters have reported, the checker returns “invulnerable” for Win98SE (I ran the new version.) F-Prot didn’t detect it using signatures timestamped 2006-01-01 16:17-16:20.
    Incidentally, shimgvw.dll is not present on my system – I wonder if it is perhaps part of an optional component on Win98? I couldn’t see any fax related entries in “Add/Remove Windows Components”, but I did note that “Quick View” is not installed.

  55. Mika says:

    Hello from Finland
    I am also using Windows NT4.0 SP6a. WMF Vulnerability Checker says that my system is vulnerable to the WMF problem and I need to run the hotfix. Is there anything that we NT4 users could do? I couldn’t find the DLL that needs to be disabled on my system at all. Thank you.

  56. Mika says:

    I couldn’t find NT4 in the Microsoft vulnerable OS list. The checker however says that NT4 has a problem and the hotfix needs to be run. Thanks.

  57. ilfak says:

    Unfortunately I do not have NT SP6 system here and it is really difficult to create a fix without it.

  58. stan sutherland says:

    Just tried WMF Checker from http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html 02/01/2006 and it says I seem invulnerable. I have Windows 98SE fully patched, with Adware, Spybot S&D, AVG SE, Spyware Blaster and ZoneAlarm Free. Many thanks for your good work.

  59. donkeykong says:

    Thanks for all your good work on this issue.
    Ancient, un-updated, unpatched, un-everything W98 (NOT SE). Says system invulnerable.

  60. PapagenoX says:

    Hmm, when I applied the WMFix version 1.3, and restarted the machine, Windows XP SP2 (fully updated) would not boot up (!) except in Safe Mode for some reason. I uninstalled the fix, still no normal bootup, so I uninstalled my graphics card drivers (nVidia ForceWare 81.98) and then reinstalled them, now I’m back to normal functioning, but leery about installing the wmfix again. Oh, another weird thing, the .exe file that I downloaded doesn’t show up anywhere now except in the Windows/Prefetch directory–I searched all the hard drives.
    Some hardware details:
    Asus A7N8X Deluxe motherboard, Leadtek GeForce 6600GT 128MB AGP graphics card, Audigy 1 soundcard, 1 GB PC 2700 system RAM.

  61. Rik Slagter says:

    I just installed the hotfix on my machine, running Windows XP SP2. Afterwards I tried the vulnerability checker and it reported that I was in fact still vulnerable to the WMF exploit. Any ideas on how this is possible?

  62. omgwtf! says:

    Windows WMF Vulnerability

    As you may or may not have heard by now, there is a lovely new 0-day Windows exploit that has cropped up in the past few days.
    To nobody’s surprise, Microsoft has yet to come up with an answer to plug up this vulnerability. It’s always a…

  63. Urgent Virus Fix: Do This NOW

    There is a huge vulnerability in ALL Windows operating systems. Used to be, to get a virus, you had to download and run a suspicious program or email attachment without being sure it was safe. This new exploit can infect…