05 01 the WMF crisis is growing
WMF (Windows Metafile) is a graphics file format that Windows renders through the MS Picture and Fax Viewer component, and a new exploit has been written for it (and is being upgraded meanwhile). It is actively being used, for the moment to install spyware and unwanted antispyware (Winhound).
It is for the moment being distributed
1. by MSN Messenger
MSN Messenger is being hit by a worm based on the Kelvir IM worm combined with the WMF vulnerability: it spams the victim's contacts with an IM containing a link,
and the link goes to something like "http://[snip]/xmas-2006 FUNNY.jpg".
It has infected about a thousand Dutch users so far. If the user clicks on the link it downloads all kinds of malware to the computer.
2. by email
The HappyNY.A attack uses an e-mail with the subject "happy new year" and the attached file HappyNewYear.jpg. That file is actually a hostile WMF file, and it installs the Bifrose backdoor Trojan on the victim's system when the file is opened.
When HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com (BLOCK THIS)
New and other spam WMF mails with links to infected sites are being found every day.
3. by websites
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
note: this is why blocking .biz domains is prudent policy, and why registering and using one is stupid
(and the same goes for .info, another spam- and crime-ridden domain)
4. By banners popping up all over the place
also used by a banner network from
It adds several Browser Helper Objects (BHOs) and puts itself in the system tray. In the background it makes internet connections to "exfol.com", "clickspring.net" and "spywarelabs.com". It also shows popups while you browse the internet.
And if you are infected you get spyware infections like this
and your machine will begin sending thousands of spam messages itself.
5. By Google Desktop
It seems that Google Desktop also indexes the metadata of all images, and to extract this info it calls into the vulnerable Windows component SHIMGVW.DLL. That is enough to trigger the exploit and infect the machine. It all happens in real time, because Google Desktop contains a file system filter and indexes new files as they arrive. So no click on the file is needed: anything that gets the file onto the disk, a saved attachment or a browser cache included, will do.
And the number of uses will only go up until we have a patch.
At the moment the number of different WMF exploits we've seen has gotten well past a hundred, and more are coming every hour.
But that's not the worst. The most recent exploits show that the bad guys have been very, very busy finding and implementing new ways to get their exploits past the various AV products.
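Since the hostile files above travel as .jpg and the newest variants are built to slip past AV, here is an added example (my own code, not from the original post or from any of the vendors quoted in it) of a small content-based scanner in Python. It looks for the construct the exploits rely on, a META_ESCAPE record carrying the SETABORTPROC escape (the vulnerability that Microsoft patched as MS06-001), which lets the file register a callback that GDI runs while playing the metafile. It keys off the bytes, never the extension, it does not trust the header version field, and it reports malformed records instead of giving up on them, because damaged headers and record sizes are one of the ways these files get past signature scanners. The sample files are constructed inline with filler bytes, not shellcode; the constants and record layouts are those of the WMF format, the function and sample names are mine.

```python
"""Content-based check for the WMF META_ESCAPE/SETABORTPROC construct (MS06-001).

Added illustration, not code from the original post. Keys off file content, never the
extension, because the hostile files in the post were handed out as .jpg.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # DWORD at offset 0 of an Aldus placeable header (bytes D7 CD C6 9A)
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
ESC_NEWFRAME = 0x0001           # a harmless printer escape, used below as a control
ESC_SETABORTPROC = 0x0009       # the escape the exploits abuse


def split_placeable(data):
    """Return (standard WMF body, offset of that body in the file)."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:], 22
    return data, 0


def looks_like_wmf(body):
    """Minimal header check: type 1 (memory) or 2 (disk) and a 9-word header.
    The version field is deliberately not trusted: damaged headers were part of
    the AV evasion and GDI is lenient about them."""
    if len(body) < 18:
        return False
    mtype, hsize = struct.unpack_from("<HH", body, 0)
    return mtype in (1, 2) and hsize == 9


def iter_records(body, base):
    """Yield (absolute offset, function, params, malformed) for each metafile record.
    Record layout: DWORD size in 16-bit words, WORD function, then the parameters."""
    off = 18
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size < 6 or off + size > len(body):
            # size smaller than the fixed part, or running past EOF: GDI may still
            # play what it can, so report the record rather than silently stop
            yield base + off, func, body[off + 6:], True
            return
        yield base + off, func, body[off + 6:off + size], False
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return a list of findings (dicts) for SETABORTPROC escapes and malformed records."""
    body, base = split_placeable(data)
    findings = []
    if not looks_like_wmf(body):
        return findings
    for off, func, params, malformed in iter_records(body, base):
        if malformed:
            findings.append({"offset": off, "kind": "malformed-record", "function": func})
        if func == META_ESCAPE and len(params) >= 4:
            escape, byte_count = struct.unpack_from("<HH", params, 0)
            if escape == ESC_SETABORTPROC:
                findings.append({"offset": off, "kind": "setabortproc", "bytes": byte_count})
    return findings


# ---- constructed test data (hypothetical files, not real samples) ----

def record(func, params=b""):
    """Build one record; params must have even length so the size is whole words."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=True):
    """Assemble a type-1 WMF from records, optionally with a placeable header."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    if not placeable:
        return header + body
    fields = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", fields):
        checksum ^= w  # placeable checksum is the XOR of the first ten WORDs
    return fields + struct.pack("<H", checksum) + header + body


CLEAN_SAMPLE = build_wmf([
    record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    record(META_ESCAPE, struct.pack("<HH", ESC_NEWFRAME, 0)),
    record(META_EOF),
])

# Same skeleton plus a SETABORTPROC escape whose payload is filler, not shellcode.
HOSTILE_SAMPLE = build_wmf([
    record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    record(META_ESCAPE, struct.pack("<HH", ESC_NEWFRAME, 0)),
    record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 8) + b"A" * 8),
    record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("sample-clean.jpg", CLEAN_SAMPLE), ("sample-hostile.jpg", HOSTILE_SAMPLE)):
        print(name, scan_wmf(blob))
```

Run it against a mail attachment or browser cache directory by feeding each file's bytes to scan_wmf(); the name is never consulted. A hit on "setabortproc" is a file that should never have been delivered, and "malformed-record" on something that claims to be an image is worth a look on its own, since a legitimate metafile has no reason to carry record sizes that run past the end of the file.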