The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

F-Secure : News from the Lab – New trojan being distributed via WMF spam

New trojan being distributed via WMF spam Posted by Mikko @ 12:44 GMT

There’s a new trojan spam run underway, once again exploiting the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from a Yale University professor about student vandalism that supposedly happened over the new year:

We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here in the hope that someone may recognise the culprits' work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediately downloads a botnet client via TFTP and runs it. In case the WMF exploit doesn’t work, the front page of the site also contains an exploit against older versions of Firefox, using the “InstallVersion.compareTo()” flaw. The downloaded client connects to a botnet hosted on several IRC servers.
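As an added example (not code from F-Secure or from the post), a small scanner of the kind a mail or web gateway could run while the patch is still missing: it walks the records of a WMF file and flags the Escape record carrying the SETABORTPROC function, which is the record the January 2006 WMF hole is triggered through. That detail of the vulnerability is well known but not spelled out in the post. The sample files are constructed here; the "payload" in the exploit-shaped sample is 16 bytes of 'A', not shellcode.

```python
import struct

# Windows Metafile constants (MS-WMF record and escape functions).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the file
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201       # harmless record used to build the clean sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # the Escape subfunction the WMF exploit relies on


def iter_wmf_records(data):
    """Yield (offset, function, params) for every record; raise ValueError on a malformed file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated header")
    _file_type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        raise ValueError("unexpected header at offset %d" % off)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("no META_EOF record")


def scan_wmf(data):
    """Return a list of findings; empty means a clean parse with no SETABORTPROC Escape."""
    findings = []
    try:
        for off, func, params in iter_wmf_records(data):
            if func != META_ESCAPE:
                continue
            if len(params) < 4:
                findings.append(("malformed-escape", off))
                continue
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                findings.append(("setabortproc", off))
    except ValueError as err:
        # A scanner that trusts declared record sizes can be steered past the
        # Escape record, so a file that does not parse is treated as suspicious too.
        findings.append(("malformed", str(err)))
    return findings


# --- constructed sample files (not captures of the spammed WMF) ---
def wmf_record(func, params=b""):
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    records = list(records) + [wmf_record(META_EOF)]
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    # Type, HeaderSize (words), Version, FileSize (words), NumObjects, MaxRecord, NumMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


CLEAN_WMF = build_wmf([wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])

# Escape record: EscapeFunction=SETABORTPROC, ByteCount, then a placeholder where
# the real exploit carries its code (16 bytes of 'A' here, not shellcode).
PAYLOAD = b"A" * 16
EXPLOIT_WMF = build_wmf([
    wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(PAYLOAD)) + PAYLOAD),
])

# The same file behind a placeable header, the way many WMFs are stored on disk.
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_WMF), ("exploit", EXPLOIT_WMF),
                       ("exploit+placeable", PLACEABLE_HEADER + EXPLOIT_WMF),
                       ("truncated", EXPLOIT_WMF[:30])]:
        print(name, scan_wmf(blob))
```

Flagging SETABORTPROC outright is safe at a gateway: legitimate image files have no business registering an abort procedure. The exploit in the wild comes from a kit that can vary record layout, so the scanner also refuses to pass anything that does not parse cleanly rather than assuming a broken file is harmless.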

F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.

Administrators: you might want to block these at your gateways:
HTTP access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
TFTP (i.e. UDP, port 69) access to 86.135.149.130
IRC access to 140.198.35.85:8080
IRC access to 24.116.12.59:8080
IRC access to 140.198.165.185:8080
IRC access to 129.93.51.80:8080
IRC access to 70.136.88.76:8080
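To act on the blocklist above together with the three-stage chain the post describes (exploit page, TFTP download, IRC check-in), here is an added example, not from F-Secure or the post, that matches connection-log lines against the published indicators and ranks each internal host by how far along the chain it got. The log format and the internal 10.x and 192.0.2.x addresses are constructed for the example; port 69 is the standard TFTP port, which the post does not state explicitly.

```python
import re
from collections import defaultdict

# Indicators exactly as published in the post; the host is kept defanged.
EXPLOIT_HOST = "playtimepiano[dot]home[dot]comcast[dot]net"
TFTP_SERVER = "86.135.149.130"
TFTP_PORT = 69   # standard TFTP port (assumption; the post only says "tftp (ie. UDP)")
IRC_SERVERS = {"140.198.35.85", "24.116.12.59", "140.198.165.185",
               "129.93.51.80", "70.136.88.76"}
IRC_PORT = 8080

# The three stages of the chain described in the post, in order.
STAGES = ("exploit-page", "tftp-download", "irc-c2")


def refang(host):
    return host.replace("[dot]", ".")


def parse_line(line):
    """Parse a 'timestamp key=value ...' line (constructed format, not a real product's)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if "proto" not in fields or "src" not in fields or "dport" not in fields:
        return None
    fields["dport"] = int(fields["dport"])
    return fields


def classify(ev):
    """Return the chain stage an event belongs to, or None if it matches no indicator."""
    host = ev.get("host", "").lower().rstrip(".")
    if ev["proto"] == "tcp" and ev["dport"] == 80 and host == refang(EXPLOIT_HOST):
        return "exploit-page"
    if ev["proto"] == "udp" and ev["dport"] == TFTP_PORT and ev.get("dst") == TFTP_SERVER:
        return "tftp-download"
    if ev["proto"] == "tcp" and ev["dport"] == IRC_PORT and ev.get("dst") in IRC_SERVERS:
        return "irc-c2"
    return None


def triage(lines):
    """Map each internal source address to (stages reached in chain order, verdict)."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            seen[ev["src"]].add(stage)
    result = {}
    for src, stages in seen.items():
        reached = [s for s in STAGES if s in stages]
        if "irc-c2" in stages:
            verdict = "bot checked in: isolate"
        elif "tftp-download" in stages:
            verdict = "payload fetched: assume compromised"
        else:
            verdict = "exploit page visited: verify patch and AV"
        result[src] = (reached, verdict)
    return result


# Constructed sample log: one host ran the whole chain, one only opened the page,
# one has unrelated traffic.
SAMPLE_LOG = """\
2006-01-04 09:58:02 proto=tcp src=10.1.4.22 dport=80 host=playtimepiano.home.comcast.net
2006-01-04 09:58:03 proto=udp src=10.1.4.22 dst=86.135.149.130 dport=69
2006-01-04 09:58:09 proto=tcp src=10.1.4.22 dst=140.198.35.85 dport=8080
2006-01-04 10:02:41 proto=tcp src=10.1.4.37 dport=80 host=playtimepiano.home.comcast.net
2006-01-04 10:03:10 proto=tcp src=10.1.4.37 dst=192.0.2.10 dport=443 host=mail.example.com
2006-01-04 10:05:00 proto=tcp src=10.1.4.50 dst=192.0.2.10 dport=80 host=www.example.com
""".splitlines()

if __name__ == "__main__":
    for src, (reached, verdict) in sorted(triage(SAMPLE_LOG).items()):
        print(src, reached, verdict)
```

A host that only reached the exploit page may have been saved by the patch, the AV signature or a non-vulnerable browser, so it gets a check rather than a reimage; a host that pulled the client over TFTP did run the exploit. Keying the IRC stage on port 8080 mirrors the post's list, but for the gateway block itself drop the port and block the addresses outright, since the herders can move the servers to another port faster than you can update a rule.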

PS. There seems to be no Professor Robert Gordens at Yale.


January 4, 2006 - Posted by | Antivirus News, Security News
