wmf exploit



WMF Exploit - Warning






Windows ME, Windows 2000, Windows XP and Windows 2003 are currently vulnerable to a new WMF exploit with no current patch available as of the 29th December 2005.

Please read this article to discover more about the threat and how to protect yourself!





UPDATE! There is now a security patch available for this threat. More here:


So What Is This WMF Threat...

WMF stands for Windows Metafile Format. This is a graphics file format used to exchange graphics information between Microsoft Windows applications.

HOWEVER, in the last few days we have been seeing websites (and some email) using a vulnerability in this file format to infect users' computers!

As of writing this article there is NO SECURITY PATCH available from Microsoft...

Please note that this is NOT the same wmf exploit detailed at: http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx

How can I get Infected?

When you visit a Web site that contains a specially crafted Windows Metafile (.WMF) image you can become infected. It is important to note that an attacker would have to persuade you to visit their Web site, and this is typically done by getting you to click a link that takes you to the dangerous Web site!

SPAM email is a great example of this in action...


Some known websites with the ability to infect you are:


Any application that automatically displays a .WMF image will cause the user's machine to become infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

This is NASTY - Be Careful!

So What Can Happen To My Computer?

...as of writing this article the online community is seeing this wmf exploit being used to spread TROJANS that install Spyware or fake AntiSpyware / fake AntiVirus software on a Windows computer.

BUT you can bet in a day or two we will see viruses being spread this way!

Some of the software installed as part of the infection may produce a FAKE security warning in order to make YOU go to a website the attacker wants you to visit!

Here are a couple of examples of the fake security warnings:



So What Can You Do To Protect Yourself?

Here are my recommendations:

1) Make sure you have an up to date AntiVirus program on your computer! If you have none then try the FREE AVG software http://free.grisoft.com

2) Make sure you are using an up to date Anti Spyware solution on your computer! If you have none try the free 30 day trial of Spy Sweeper www.free-trial-of-spy-sweeper.com OR http://www.updatexp.net/spysweepertrial45.exe

3) Keep Windows up to date by keeping Windows Update turned on to automatically receive security updates from Microsoft! Please read my article: http://www.updatexp.com/windows-automatic-updates.html

4) Disable indexing of media files in Google Desktop OR remove Google Desktop from your Windows computer until there is a security patch available for this exploit from Microsoft.... (If an image file with the wmf exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process! Not something I want to see happen on your computer...)

5) Un-register the Windows Picture and Fax Viewer on your computer (Shimgvw.dll)

Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

Impact of this Workaround: The Windows Picture and Fax Viewer will no longer be started when you click on a link to an image type that is associated with the Windows Picture and Fax Viewer. This can prevent a wmf exploit attack on your computer! ALSO thumbnails will no longer work until you re-register the file....

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks). Do this AFTER installing any forthcoming Microsoft security patch...

If that fails, try clicking Start, then Run, then entering the following command:

regsvr32 /u shimgvw.dll

To re-enable the same DLL, click Start, then Run, then enter the following command:

regsvr32 shimgvw.dll

6) (Advanced Users Only) The same effect may be obtained with a registry change. In the Regedit program go to the key:


Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}".

7) Turn on Data Execution Prevention (DEP) for ALL Windows programs and services UNTIL a security patch for this wmf exploit is issued by Microsoft.... Read my article here for more information on how to do this: http://www.updatexp.com/data-execution-prevention.html

If DEP is greyed out on your computer this means DEP has been disabled in the boot.ini file, see the end of this article for more info: http://www.updatexp.com/0xC0000005.html

8) TAKE THIS WARNING SERIOUSLY and simply do not click on an email or website link from an untrusted source!
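
Added example (not part of the original article): recommendation 4 is about metafiles that are already sitting on your hard drive, so this Python sketch finds them by their header bytes rather than by file name. It assumes the standard WMF layout (an optional 22-byte placeable header with magic 0x9AC6CDD7, then an 18-byte METAHEADER); the function names are hypothetical, build_sample() produces constructed test data, and a hit only means "this file is a WMF", not that it is malicious.

```python
import struct
from functools import reduce
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN, METAHEADER_LEN = 22, 18

def xor_words(buf):
    """XOR of the little-endian 16-bit words in buf (placeable checksum)."""
    return reduce(lambda a, b: a ^ b, struct.unpack(f"<{len(buf) // 2}H", buf), 0)

def classify_wmf(data):
    """Return header details if data starts like a WMF, else None."""
    offset, placeable, checksum_ok = 0, False, None
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        stored = struct.unpack_from("<H", data, 20)[0]
        placeable, checksum_ok, offset = True, xor_words(data[:20]) == stored, PLACEABLE_LEN
    if len(data) < offset + METAHEADER_LEN:
        return None
    ftype, hdr_words, version, size_words = struct.unpack_from("<HHHI", data, offset)
    # METAHEADER: type 1 (memory) or 2 (disk), header size 9 words, version 1.0 or 3.0
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "checksum_ok": checksum_ok,
            "version": version, "size_bytes": size_words * 2}

def find_wmf_by_content(root):
    """List (path, details) for every file under root whose header is WMF."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        try:
            if not path.is_file():
                continue
            with path.open("rb") as fh:
                info = classify_wmf(fh.read(PLACEABLE_LEN + METAHEADER_LEN))
        except OSError:
            continue   # unreadable file: skip rather than abort the scan
        if info:
            info["extension_mismatch"] = path.suffix.lower() != ".wmf"
            hits.append((path, info))
    return hits

def build_sample(placeable=True):
    """Constructed sample: an empty metafile (header plus end-of-file record)."""
    body = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    return head + struct.pack("<H", xor_words(head)) + body
```

Call find_wmf_by_content() on a folder such as your browser cache or downloads folder; entries with extension_mismatch set are metafiles saved under some other extension.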




Kind Regards

Marc Liron

Marc Liron - Microsoft MVP (2004 - 2010)