The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

F-Secure : News from the Lab – Be careful with WMF files

F-Secure : News from the Lab – December of 2005.

Be careful with WMF files Posted by Mikko @ 15:30 GMT

Over the last 24 hours, we’ve seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

  Crackz [dot] ws
  unionseek [dot] com
  www.tfcco [dot] com
  Iframeurl [dot] biz
  beehappyy [dot] biz

And funnily enough, according to WHOIS, domain is owned by a previous president of Soviet Union:

  Registrant Name: Mikhail Sergeevich Gorbachev
  Registrant Address1: Krasnaya ploshad, 1
  Registrant City: Moscow
  Registrant Postal Code: 176098
  Registrant Country: Russian Federation
  Registrant Country Code: RU

“Krasnaya ploshad” is the Red Square in Moscow…

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?
Google desktop
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.


December 28, 2005 - Posted by | Antivirus News, Security News, Virus Outbreaks

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: