WMF Spyware/Worm on the loose
(Updated 2005-12-28 16:09 GMT)
A browser-oriented spyware/worm appears to be on the loose. It exploits a vulnerability in the WMF rendering code of Windows-based operating systems to infect them.
The worm utilizes a malicious WMF located at “uni on seek. com/ d/t 1/ wmf_exp. htm” (note the extra spaces are here to avoid accidental infection).
The vulnerability being exploited appears to be related to MS05-053, but somehow fully patched systems still get infected by this worm.
Most infections occur on Windows XP machines, but I am not sure there is any reason why other operating systems won't get infected.
According to VirusTotal, only one antivirus/spyware detection engine was able to determine that it is a Trojan.Downloader a few hours ago (around 9:00 GMT), while now most antivirus/spyware engines classify it as follows:
Antivirus       Version          Update       Result
AntiVir         184.108.40.206   12.28.2005   TR/Dldr.WMF.Small
Avast           4.6.695.0        12.28.2005   Win32:Exdown
AVG             718              12.27.2005   no virus found
Avira           220.127.116.11   12.28.2005   TR/Dldr.WMF.Small
BitDefender     7.2              12.28.2005   Exploit.Win32.WMF-PFV
CAT-QuickHeal   8.00             12.28.2005   no virus found
ClamAV          devel-20051108   12.26.2005   no virus found
DrWeb           4.33             12.28.2005   Exploit.MS05-053
eTrust-Iris     18.104.22.168    12.27.2005   no virus found
eTrust-Vet      22.214.171.124   12.28.2005   no virus found
Ewido           3.5              12.28.2005   Not-A-Virus.Exploit.Win32.Agent.r
Fortinet        126.96.36.199    12.28.2005   W32/WMF-exploit
F-Prot          3.16c            12.28.2005   no virus found
Ikarus          0.2.59.0         12.28.2005   no virus found
Kaspersky       188.8.131.52     12.28.2005   Trojan-Downloader.Win32.Agent.acd
McAfee          4661             12.28.2005   Exploit-WMF
NOD32v2         1.1342           12.28.2005   Win32/TrojanDownloader.Wmfex
Norman          5.70.10          12.28.2005   no virus found
Panda           8.02.00          12.28.2005   Exploit/Metafile
Sophos          4.01.0           12.28.2005   Troj/DownLdr-LW
Symantec        8.0              12.28.2005   Download.Trojan
TheHacker       5.9.1.063        12.28.2005   Exploit/WMF
UNA             1.83             12.28.2005   no virus found
VBA32           3.10.5           12.28.2005   no virus found
As can be seen, antivirus companies have now started detecting it, which should bring the infection rate down, or at least stop it from getting any worse.
I will try and update you on additional details as they appear.
H D Moore has created an exploit from the WMF worm that utilizes the same technique as the worm does to open a shell on a remote Windows XP system. The exploit is available from: http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile