WMF Spyware/Worm on the loose

(Updated 2005-12-28 16:09 GMT)

A browser orientated spyware/worm appears to be on the loose. It exploits a vulnerability in the WMF rendering of Windows based operating system to infect them.

The worm utilizes a malicious WMF located at “uni on seek. com/ d/t 1/ wmf_exp. htm” (note the extra spaces are here to avoid accidental infection).

The vulnerability being exploited appears to be related to MS05-53, but somehow fully patched system still get infected by this worm.

Most infections occur on Windows XP machines, but I am not sure that there is a reason why other OS won’t get infected.

According to VirusTotal, only one Antivirus/Spyware detection system was able to determine that its a Trojan.Downloader a few hours ago (around 9:00 GMT), while now most Antivirus/Spyware classify it as:

Antivirus Version Update Result
AntiVir 12.28.2005 TR/Dldr.WMF.Small
Avast 4.6.695.0 12.28.2005 Win32:Exdown
AVG 718 12.27.2005 no virus found
Avira 12.28.2005 TR/Dldr.WMF.Small
BitDefender 7.2 12.28.2005 Exploit.Win32.WMF-PFV
CAT-QuickHeal 8.00 12.28.2005 no virus found
ClamAV devel-20051108 12.26.2005 no virus found
DrWeb 4.33 12.28.2005 Exploit.MS05-053
eTrust-Iris 12.27.2005 no virus found
eTrust-Vet 12.28.2005 no virus found
Ewido 3.5 12.28.2005 Not-A-Virus.Exploit.Win32.Agent.r
Fortinet 12.28.2005 W32/WMF-exploit
F-Prot 3.16c 12.28.2005 no virus found
Ikarus 12.28.2005 no virus found
Kaspersky 12.28.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4661 12.28.2005 Exploit-WMF
NOD32v2 1.1342 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.28.2005 no virus found
Panda 8.02.00 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.28.2005 Troj/DownLdr-LW
Symantec 8.0 12.28.2005 Download.Trojan
TheHacker 12.28.2005 Exploit/WMF
UNA 1.83 12.28.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found

As can be seen Antivirus companies have now started detecting it, which should bring the infection rate down or at least stop from getting any worse.

I will try and update you on additional details as they appear.

Metasploit Exploit:
H D Moore has created an exploit from the WMF worm that utilizes the same techinque as the worm does to open a shell on a remote Windows XP system, the exploit is available from: http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

  • http://www.BeyondSecurity.com noam

    You can protect yourself from this by unregistering the WMF rendering mechanism:
    1. Click on the Start button on the taskbar.
    2. Click on Run…
    3. Type “regsvr32 /u shimgvw.dll” to disable.
    4. Click ok when the change dialog appears.

  • Cat

    how do i get rid of this?
    also, I disabled windows picture viewer by typing in the suggested line, regsvr32 /u shimgvw.dll but now how do I open jpg, etc.?

  • mel

    To undo this change, re-register Shimgvw.dll by following the below steps.
    1. Click Start, click Run, type“regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

    This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

    Bottom line is that if an image file with the exploit ends up to your hard drive. There are several ways such a file could end up to the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

    And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.


    So far, we’ve only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I’m afraid we’ll see real viruses using this soon.

    thanks keep posting hope this helps a lot of u

  • Benjamin W.

    I got infected by this just tonight. ewido anti-spyware dug it out when I did a full scan, and I’ve deleted it. Is there a chance that I may have devulged private info to someone?

  • Pingback: MicrosoftWindowsShimgvwdllWMFExploit | win32 rootkit