*Important* KAV and .wmf exploit workaround

I just e-mailed kaspersky support that disabling the XP Picture and Fax Viewer using the command "regsvr32 /u shimgvw.dll" as suggested at many web sites as a workaround for the 0-day .wmf exploit https://www.wilderssecurity.com/showthread.php?t=113044 also disables Kaspersky on-demand (right-click scanning of files) virus notification popup window (tested on KAV 4.5). The alarm sound is also either partly or fully suppressed.

 

Maybe our Don, the unofficial Wilders Kaspersky expert, give here his point of view

 

Well its possible that KAV relies on this library to render graphic elements of KAV and KL guys somehow missed that. But thats just my speculation. KL guys can say it for sure...

 

Have dropped the question at the Kaspersky Forum, see on my screen that Don is already typing the answer...

 

Got from Don an answer at Kaspersky Forum (look here), but it is not a solution for the thread starter "noway".

Let's wait 'till there is a reaction from an official Kaspersky Lab employee, like Paul already suggested

 

Why al this panic. Kaspersky antivirus will block this exploit (Exploit.Win32.IMG-WMF is the name of the signature) and also the trojans that are downloaded are detected by kaspersky.

 

Has nothing to do with "panic", "noway" has a legitimate question and he is hoping on a solution to solve the problem.

Quite understandable or?

 

The solution (tested and approved as being working fine):

In the Regedit program go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\SystemFileAssociations\image
\ShellEx\ContextMenuHandlers
\ShellImagePreview

Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}".

To difficult?

Download the .REG files to enable/re-enable the feature here:
http://lists.grok.org.uk/pipermail/full-di...ber/040699.html

Source: Eweek/Athias

BTW: With the registry operation is the disfunction problem with KAV solved, AND you are protected

 

Thank you very much. I'll give it a go. Looks like a better way for v4.5.

 

You're welcome!

Please let us know what the results are!

 

dont worry kaspersky can hadle it without the info provided above. Kaspersky was one of the few antiviruses that detected all known wmf variants

 

Not correct.

In the first test done by Andreas Marx (av-test.org), 29 or 30 dec. 2005, Kaspersky reached an 80% detection score by 73 existing WMF examples.

First in the second test with the same 73 examples, done one day later, KAV reached the 100% score too.

Take care

Smokey

 

theres A unofficial patch out for the wmf exploit [I][COLOR="Blue"]Removed[/COLOR][/I]