New IM worm using WMF vulnerability



There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time.) There are reports of an instant messenger worm using the vulnerability to spread. Currently incidents.org is reporting that the worm is spreading through the MSN messenger IM network and contains a malformed WMF file called “xmas-2006 FUNNY.jpg” The original source of the warning is Kaspersky Labs viruslist.com


It seems to be hitting hard in the Netherlands right now. It may just be a matter of time before it’s spreading more widely.

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

Ultimately beware of unknown images… watch out for those greeting card links that may come unexpectedly.

Related Posts

Blog Traffic Exchange Related Posts
  • Viruses and worms can come in from many directions For a long time, email was the primary vector for viruses, before that floppy discs carried bugs from pc to pc. Then came network worms exploiting windows security vulnerabilities which led to the rise of firewalls and the increase in viruses piggy-backing into the system through browser bugs. But, any......
  • Nyxem.E virus delete files payload F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is......
  • WMF exploit situation summary... Since there's been quite a bit of flux the last couple of days I thought I'd try to "reset" the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit. 1st there is a vulnerability in the way Windows renders WMF......
Blog Traffic Exchange Related Websites
  • What to Do in Household Emergencies pt 2 of 2 As we mentioned before, there are a number of household emergencies that are unfortunately common occurrences. Knowing what can be done to address them will be able to save money, manpower and even lives, believe it or not. In the last part of this series we touched on electricity, electric......
  • Catching More Fish with Worms Fishing with worms can be really lucrative, and can drive excellent results but only if you follow some basic techniques and utilize some of the best fishing tips. Worms can be either live worms or synthetic worms, but you should shy away from the plastic worms that bass fishermen seem......
  • Fix Registry Errors Safely (like an Expert) With Registry Repair Software Have you ever had a virus or spyware attack? Or have you ever downloaded an innocent looking piece of software, only to end up with a vicious Trojan or dreaded worm on your computer and loads of spyware? If you do anything online you will very likely know exactly what......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site