December 29, 2005
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer. You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file.

So how on earth did it have a chance to execute? The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
---

There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch. The exploit is currently being used to distribute the following threats:

Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev

Some of these install hoax anti-malware programs the likes of Avgold.

Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file. In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level. F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates. We expect Microsoft to issue a patch on this as soon as they can.
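The F-Secure advice quoted above is to filter WMF files at the HTTP proxy and SMTP level, and their Google Desktop incident shows why the filter has to sit in front of the machine: once the file is on disk it is indexed, and therefore rendered by SHIMGVW.DLL, immediately. The sketch below is an added example, not F-Secure's or the forum's own code, of a content-based gateway check. It recognises a WMF by its header bytes (the Aldus placeable key 0x9AC6CDD7, or a standard META_HEADER with type 1 or 2, header size 9 words and version 0x0100/0x0300) rather than trusting the file extension or the Content-Type the server sends. The function names and the sample inputs are constructed for this example; the sample bytes are bare headers, not exploit files.

```python
import struct

# Aldus placeable metafile key; stored little-endian on disk as D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7
# Standard META_HEADER fields: Type, HeaderSize (in words), Version, FileSize
# (in words), NumberOfObjects, MaxRecord, NumberOfMembers -> 18 bytes.
META_HEADER_FMT = "<HHHIHIH"


def is_wmf(data: bytes) -> bool:
    """Return True if data starts with a WMF header, ignoring name and MIME type."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True
    if len(data) < struct.calcsize(META_HEADER_FMT):
        return False
    file_type, header_size, version = struct.unpack("<HHH", data[:6])
    # Type 1 = in-memory metafile, 2 = disk metafile; header is always 9 words.
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def should_block(filename: str, content_type: str, data: bytes) -> bool:
    """Gateway policy (hypothetical): block anything that looks like WMF by name,
    declared type, or actual content. Extension and MIME checks alone are not
    enough, so the byte-level check is always applied as well."""
    if filename.lower().endswith(".wmf"):
        return True
    if content_type.lower() in ("image/x-wmf", "image/wmf", "application/x-msmetafile"):
        return True
    return is_wmf(data)


# Constructed sample inputs: minimal headers only, nothing renderable or malicious.
SAMPLE_STANDARD_WMF = struct.pack(META_HEADER_FMT, 2, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo() -> dict:
    """Run the policy over the constructed samples and return the verdicts."""
    return {
        # A WMF served under an innocent name and MIME type is still caught.
        "renamed_wmf": should_block("holiday.jpg", "image/jpeg", SAMPLE_STANDARD_WMF),
        "placeable_wmf": should_block("pic.bin", "application/octet-stream", SAMPLE_PLACEABLE_WMF),
        "by_extension": should_block("pic.wmf", "application/octet-stream", b""),
        "real_png": should_block("photo.png", "image/png", SAMPLE_PNG),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {'BLOCK' if blocked else 'allow'}")
```

The same `is_wmf` check can be applied to decoded MIME attachments on the SMTP side. It only inspects the header, so it says "this is a WMF", not "this WMF is malicious"; during this zero-day window that is the intended policy, since the quoted advice is to hold all WMF files until a patch is out.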
December 29, 2005 My daughter's laptop has this atm. The exploit is currently being used to distribute the following threats: Trojan-Downloader.Win32.Agent.abs Trojan-Dropper.Win32.Small.zp Trojan.Win32.Small.ga Trojan.Win32.Small.ev.
December 29, 2005 Author More info that may help you mac. http://isc.sans.org/diary.php?rss&storyid=975 Here is a good page for looking into this stuff. http://www.dnsstuff.com I blocked those pages in my router but you may also want to block the IPs for those addresses.

195.161.113.90 = Crackz [dot] ws
69.50.160.101 = shows it hosts 4 sites, one of which is unionseek [dot] com
72.34.44.37 = shows 125 pages hosted, one of which is TFCCO [dot] COM
81.9.5.9 = has 10 pages hosted, one of which is Iframeurl [dot] biz
195.225.176.38 = has 3 pages hosted, one of which is beehappyy [dot] biz
December 29, 2005 Thanks Statecop for the heads up. This looks like a nasty one. Yeah.. Thanks StateCop.. I'll keep my eyes peeled for those viruses too.
December 29, 2005 Author Keep in mind there could be many more sites out there that actually have this on them. These are just the ones that are known.
December 29, 2005 That site has updated with MS info about a workaround to help prevent getting infected (unregistering the Windows Picture and Fax Viewer) as well as some more URLs to not visit.. and a link to the MS Security Advisory..
December 29, 2005 Author
do you know, can you get this over firefox?
Yes if it displays the wmf automatically. I have to get ready for work or I would dig that up for you. Read around and it tells somewhere.
December 29, 2005
Yes if it displays the wmf automatically. I have to get ready for work or I would dig that up for you. Read around and it tells somewhere.
ok, thanks
December 29, 2005 Author ok I called in sick today...feel like crap...if you need me to find that let me know.