*Important* KAV and .wmf exploit workaround

Discussion in 'other anti-virus software' started by noway, Dec 29, 2005.

Thread Status:
Not open for further replies.
  1. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I just e-mailed Kaspersky support that disabling the XP Picture and Fax Viewer using the command "regsvr32 /u shimgvw.dll" as suggested at many web sites as a workaround for the 0-day .wmf exploit https://www.wilderssecurity.com/showthread.php?t=113044 also disables Kaspersky on-demand (right-click scanning of files) virus notification popup window (tested on KAV 4.5). The alarm sound is also either partly or fully suppressed.
     
    Last edited: Dec 29, 2005
  2. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Maybe our Don, the unofficial Wilders Kaspersky expert, can give his point of view here ;)
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...or perhaps Roel /schouw is willing to comment as a Kaspersky employee ;)

    regards,

    paul
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, it's possible that KAV relies on this library to render graphic elements of KAV and KL guys somehow missed that. But that's just my speculation. KL guys can say it for sure...
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Have dropped the question at the Kaspersky Forum, see on my screen that Don is already typing the answer...;)
     
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Got from Don an answer at Kaspersky Forum (look here), but it is not a solution for the thread starter "noway".

    Let's wait 'til there is a reaction from an official Kaspersky Lab employee, like Paul already suggested :)
     
  7. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Why all this panic? Kaspersky antivirus will block this exploit (Exploit.Win32.IMG-WMF is the name of the signature) and also the trojans that are downloaded are detected by Kaspersky.
     
  8. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Has nothing to do with "panic", "noway" has a legitimate question and he is hoping for a solution to solve the problem.

    Quite understandable or?:rolleyes:
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    The solution (tested and approved as being working fine):

    In the Regedit program go to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview

    Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}".

    Too difficult?

    Download the .REG files to enable/re-enable the feature here:
    http://lists.grok.org.uk/pipermail/full-di...ber/040699.html

    Source: Eweek/Athias

    BTW: With the registry operation, the dysfunction problem with KAV is solved, AND you are protected :)
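
The registry change described in the post above, as an added PowerShell example that is not part of the original thread: it reports, removes, or restores the default value of the ShellImagePreview key. The function name and its `-Action` parameter are hypothetical; the key path and CLSID are the ones quoted in the post. `Disable` and `Restore` need an elevated session.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical;
# the key path and CLSID are the ones quoted in the post above.
function Set-ShellImagePreviewHandler {
    param(
        [ValidateSet('Status', 'Disable', 'Restore')]
        [string]$Action = 'Status'
    )

    $subKey = 'SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview'
    $clsid  = '{e84fda7c-1d6a-45f6-b725-cb260c236066}'

    # Status only needs read access; Disable/Restore open the key for writing.
    $writable = $Action -ne 'Status'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $writable)
    if ($null -eq $key) {
        throw "Key not found: HKLM\$subKey"
    }

    try {
        switch ($Action) {
            # The empty value name addresses the key's default value.
            'Disable' { $key.DeleteValue('', $false) }
            'Restore' { $key.SetValue('', $clsid, [Microsoft.Win32.RegistryValueKind]::String) }
        }

        # Re-read the value so the report reflects what is actually stored now.
        $current = $key.GetValue('', $null)
        if ($null -eq $current) {
            $state = 'disabled (default value absent)'
        } elseif ($current -eq $clsid) {
            $state = 'enabled (CLSID from the post)'
        } else {
            $state = 'unexpected value, review manually'
        }

        [pscustomobject]@{
            Key          = "HKLM\$subKey"
            DefaultValue = $current
            HandlerState = $state
        }
    }
    finally {
        $key.Close()
    }
}

# Read-only check of the current state.
Set-ShellImagePreviewHandler -Action Status
```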
     
  10. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Thank you very much. I'll give it a go. Looks like a better way for v4.5.
     
  11. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    You're welcome!:)

    Please let us know what the results are!:)
     
  12. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
    Don't worry, Kaspersky can handle it without the info provided above. Kaspersky was one of the few antiviruses that detected all known WMF variants.
     
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Not correct.

    In the first test done by Andreas Marx (av-test.org), 29 or 30 Dec. 2005, Kaspersky reached an 80% detection score on 73 existing WMF examples.

    Only in the second test with the same 73 examples, done one day later, did KAV reach the 100% score too.

    Take care:cool:

    Smokey
     
  14. metallicakid15

    metallicakid15 Registered Member

    Joined:
    Dec 6, 2005
    Posts:
    454
    Last edited by a moderator: Jan 5, 2006