Commentary

Serious Microsoft Vulnerability

Often I receive e-mails forwarded from some panicked relative warning about a new computer virus that is being distributed via an e-mail message. Just by opening this e-mail, the warnings read, you can infect your computer with a virus.

In the past, all of these types of warnings have been hoaxes, and I've assured my less computer-literate family and friends that a virus cannot be downloaded simply by opening an e-mail. In fact, they would need to open an attachment that came with the e-mail, or download a rogue program from the Internet. It is impossible, I confidently declared, for a virus to spread without users downloading a program and running it.

Well, pride goeth before a fall. At the end of 2005, the Internet received coal in its collective stocking when it was reported that there was a previously undiscovered and extremely dangerous vulnerability in the "SHIMGVW.DLL" file used to render Windows MetaFiles.

According to SpywareInfo.com: "Web sites which engage in drive-by installations are going nuts. In less than 48 hours after this flaw became public knowledge, thousands of Web sites are believed to have started using the exploit to install spyware. At least one adware program, which pops up advertisements on certain partner Web sites, is exploiting the WMF flaw to install additional software.

"This is a very dangerous problem. The Windows graphics rendering engine runs as a system process, which means that software installed through this flaw will have system-level permissions. Any piece of software, running on a vulnerable system, can execute a malicious package merely by attempting to open a specially crafted image. This includes your e-mail program, your Web browser and image viewing software. The most likely means of exploiting this flaw will be to insert malicious images onto Web pages and within spam e-mail."

What this means is that just by opening an image in an e-mail, or by going to the wrong site, you can inadvertently trigger a software download that takes over your whole computer. There is currently no patch from Microsoft to fix this vulnerability.

One company is using this vulnerability to, among other things:
1. Take over your browser, forcing you to use the company's search engine;
2. Redirect traffic to different Web sites when you click on a link in a Web article;
3. Replace your desktop background image with a warning that says you have been infected with spyware; and
4. Pop up a barrage of messages trying to sell you anti-spyware software to get rid of the spyware this company itself has put on your system!

It is unclear how this will affect people's e-mail habits until the problem is fixed, but it is recommended that people turn off the preview pane in their e-mail programs until a patch is distributed.

If you are infected, the following site provides information on how to clean up the mess: http://www.webuser.co.uk. Click on forums and follow the instructions in the HijackThis topic. With a little luck, you'll be back to normal before too long.
