For what it's worth, I just tested the 3.16d and 3.16e versions of
fpcmd.exe and they behaved identically on the single sample I had.

They return errorlevel = 8 (suspicious file found) and here is the text
when run manually (as opposed to within Declude):

c:\virus-quarantine\wmf\bg.wmf  Contains the exploit named CVE-2005-4560

Then I copied the bg.wmf to bg.tiff and compared them.  For those who
haven't been absorbed by the news of the WMF exploit, Windows uses the
magic bytes in the header of the graphics files to determine their true
file type so that it does not need to rely on a correct extension on the
filename.  The bad guys can then use this to fool users, antivirus
software, and various filters that trust the name, e.g. by sending an
email or linking to a virus.gif instead of virus.wmf ...

Version 3.16d:

c:\temp\virus\wmf\bg.tiff  is a security risk or a "backdoor" program

With errorlevel = 8

Version 3.16e:

c:\temp\virus\WMF\bg.tiff  Contains the exploit named CVE-2005-4560

Also with errorlevel = 8

I tried a few other extensions with the same results.  In this very
limited testing, the new version is more accurate, but the result is the
same.

Andrew 8)
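
A small checker for the extension-versus-magic-bytes point above, as an added
example (it is not code from this thread, from Declude or from F-Prot).  It
reads only the leading bytes of a file and flags the case where the name says
.tiff or .gif but the header says WMF, which is exactly the bg.wmf -> bg.tiff
test described.  The header constants are the standard ones for each format
(placeable WMF key 0x9AC6CDD7 little-endian, bare METAHEADER with mtType 1
or 2 and mtHeaderSize 9; TIFF, JPEG, GIF, PNG signatures); the sample files
are constructed headers padded with zeros, not real exploit files.

```python
"""Magic-byte sniffer that flags files whose extension disagrees with their
real format (e.g. a WMF renamed to .tiff or .gif).  Added example; not part
of the mailing-list thread, of Declude or of F-Prot."""
from __future__ import annotations

import os
from typing import Dict, List, Optional, Tuple

# Leading byte sequences ("magic") for a few image formats.  WMF has two
# on-disk forms: the Aldus placeable header (key 0x9AC6CDD7, little-endian)
# and the bare METAHEADER (mtType 1 or 2, mtHeaderSize 9 words).
MAGIC: Dict[str, List[bytes]] = {
    "wmf": [b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"],
    "tiff": [b"II*\x00", b"MM\x00*"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}

# Extensions that name the same format as a MAGIC key.
ALIASES = {"jpeg": "jpg", "tif": "tiff"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format named by the file's leading bytes, or None."""
    for fmt, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def claimed_type(filename: str) -> Optional[str]:
    """Format the file extension claims, normalised through ALIASES."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    ext = ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None


def check_file(filename: str, data: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify a (name, content) pair.

    Returns (verdict, claimed, actual) where verdict is one of:
      "ok"        extension and magic agree (or extension is not an image type)
      "mismatch"  magic says one known format, extension says another
      "unknown"   magic not recognised; the extension proves nothing
    """
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    if actual is None:
        return ("unknown", claimed, None)
    if claimed is not None and claimed != actual:
        return ("mismatch", claimed, actual)
    return ("ok", claimed, actual)


def scan(files: Dict[str, bytes]) -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """Run check_file over an in-memory {name: content} map."""
    return {name: check_file(name, data) for name, data in files.items()}


# Constructed samples: a placeable-WMF header padded out, then the same
# bytes under other names, mirroring the bg.wmf -> bg.tiff test in the
# thread.  Only the header bytes are realistic; the rest is zero padding.
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18
SAMPLES: Dict[str, bytes] = {
    "bg.wmf": PLACEABLE_WMF,
    "bg.tiff": PLACEABLE_WMF,
    "virus.gif": PLACEABLE_WMF,
    "real.tif": b"II*\x00" + b"\x08\x00\x00\x00",
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "blob.bin": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, (verdict, claimed, actual) in scan(SAMPLES).items():
        print(f"{name:12s} {verdict:9s} ext={claimed} magic={actual}")
```

A filter built this way decides on content rather than on the name, which is
the same reason the scanner output above did not change when the file was
renamed; the "unknown" verdict is deliberately separate from "ok" so that an
unrecognised header is not silently treated as clean.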
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Thursday, January 05, 2006 11:48 AM
> To: [email protected]
> Subject: [Declude.Virus] F-Prot 3.16e
> 
> I found this blurb on their site saying what is new for version 3.16e
> 
> http://www.f-prot.com/news/gen_news/060104_release_win316e_exchange123.html
> 
> FRISK Software has released versions 3.16e of F-Prot 
> Antivirus for Windows and version 1.2.3 of F-Prot Antivirus 
> for Exchange.
> 
> These newest versions of F-Prot Antivirus for Windows and 
> F-Prot Antivirus for Exchange include a number of important 
> bugfixes as well as providing enhanced scanning of Windows 
> Metafile images (WMF) for embedded malware. WMF files 
> disguised, among other things, as JPG images have 
> increasingly been taking advantage of a recently discovered 
> yet serious vulnerability in Windows in order to run 
> malicious code on susceptible machines. 
> 
> Successful exploitation of this vulnerability can allow an 
> attacker to gain complete control over an affected computer 
> who can then use it to send out spam e-mail or spread viruses 
> and other malware further. A number of different exploits 
> have appeared over recent days and these newest versions of 
> F-Prot Antivirus for Windows and F-Prot Antivirus for 
> Exchange detect and delete all known exploits as well as 
> detecting previously unknown malware attempting to take 
> advantage of this WMF vulnerability.
> 
> I have not found any other release notes except for one that 
> comes up talking about 3.16c 
> 
> http://www.f-prot.com/version_release_dates.html 
> 
> 3.16d and e do not have release notes on the web page.
> 
> Are there any other release notes?
> 
> Thanx
> 
> Goran Jovanovic
> Omega Network Solutions
> ---
> [This E-mail was scanned for viruses by Declude EVA www.declude.com]
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
> 