The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

F-Secure : News from the Lab – New trojan being distributed via WMF spam

New trojan being distributed via WMF spam Posted by Mikko @ 12:44 GMT

There’s a new trojan spam run underway, once again exploiting the WMF vulnerability.

The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.

In this particular case the spammed message was a fake warning from a Yale University professor about student vandalism that supposedly happened over the New Year:

We are very sad to say that over the New Year the Campus was subjected to several acts of mindless vandalism. As well as bricks being thrown through windows, several members of staff have reported their cars as being the subject of practical jokes. Some of these cars were filled with water whilst others had graffiti daubed across them. We have uploaded the pictures of the graffiti here in the hope that someone may recognise the culprits’ work. If anyone can shed any light on this unfortunate incident could they please contact the main office as soon as they have time.

When curious readers follow the link to a web server under, they are hit with a WMF file that immediately downloads a botnet client via tftp and runs it. In case the WMF exploit does not work, the front page of the site also contains an exploit against older versions of Firefox, using the “InstallVersion.compareTo()” flaw. The downloaded client connects to a botnet hosted via several IRC servers.

F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.

Administrators: you might want to block these at your gateways:
http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site)
tftp (i.e. UDP) access to
IRC access to
IRC access to
IRC access to
IRC access to
IRC access to
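As an added illustration (not code from the F-Secure post or from this blog), the following script applies the gateway-blocking advice above as a detection pass over constructed connection-log lines. It flags the three behaviours the post describes: HTTP to the named host (kept defanged exactly as the post writes it and refanged only for matching), outbound tftp over UDP/69, and outbound IRC. The IRC and tftp server addresses were elided on the page, so the example matches on protocol and port instead of on those addresses; the log line format and the set of IRC ports are assumptions of this example.

```python
"""Added example: scan constructed gateway log lines for the traffic the post
recommends blocking (HTTP to the spam host, outbound tftp, outbound IRC)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator from the post, kept defanged as written there.
DEFANGED_HOST = "playtimepiano[dot]home[dot]comcast[dot]net"
TFTP_PORT = 69                          # tftp runs over UDP/69
IRC_PORTS = {6667, 6668, 6669, 7000}    # common IRC ports (assumption, not from the post)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[dot]', '[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


# Constructed log format (assumption): "<ts> <src_ip> <tcp|udp> <dst_host_or_ip>:<dst_port> [extra]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<proto>tcp|udp) "
    r"(?P<dst>[^:\s]+):(?P<port>\d+)(?: (?P<extra>.*))?$"
)


@dataclass
class Alert:
    ts: str
    src: str
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert when the line matches one of the campaign's behaviours, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, dst, port = m["proto"], m["dst"].lower(), int(m["port"])
    if proto == "tcp" and dst == refang(DEFANGED_HOST):
        return Alert(m["ts"], m["src"], f"http to known WMF-spam host {dst}")
    if proto == "udp" and port == TFTP_PORT:
        return Alert(m["ts"], m["src"], "outbound tftp (the WMF payload fetched the bot via tftp)")
    if proto == "tcp" and port in IRC_PORTS:
        return Alert(m["ts"], m["src"], f"outbound IRC on port {port} (botnet C2 in this campaign)")
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over every line and keep only the hits."""
    return [a for a in (classify(line) for line in lines) if a is not None]


# Constructed sample log lines (not real traffic); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    "2006-01-04T12:40:01Z 10.0.0.15 tcp playtimepiano.home.comcast.net:80 GET /",
    "2006-01-04T12:40:03Z 10.0.0.15 udp 192.0.2.10:69 RRQ bot.exe",
    "2006-01-04T12:40:09Z 10.0.0.15 tcp 192.0.2.20:6667 NICK",
    "2006-01-04T12:41:00Z 10.0.0.22 tcp www.example.com:443 GET /",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src}: {alert.reason}")
```

On the sample above the first three lines, all from the same workstation, produce alerts in the order the infection chain runs (HTTP to the site, tftp fetch, IRC join), and the ordinary HTTPS request is ignored; the same host appearing in all three is the signal worth escalating.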

PS. There seems to be no Professor Robert Gordens at Yale.


January 4, 2006 - Posted by | Antivirus News, Security News
