[Dshield] WMF redirect. gdi32.dll is the problem

Matt.Carpenter@alticor.com Matt.Carpenter at alticor.com
Tue Jan 3 19:16:04 GMT 2006

forwarded from BugTraq:

Apologies if you've already read this, but this is interesting news:

Apparently shimgvw.dll isn't the problem; according to the Kaspersky
Lab blog, gdi32.dll is.

>From http://www.viruslist.com/en/weblog?discuss=176892530&return=1
(which talks about an IM worm that uses this):

"Going back to the wmf vulnerability itself, we see number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The vulnerability
seems to be in gdi32.dll."

More information about the list mailing list