New IM worm using WMF vulnerability



There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time.) There are reports of an instant messenger worm using the vulnerability to spread. Currently incidents.org is reporting that the worm is spreading through the MSN messenger IM network and contains a malformed WMF file called “xmas-2006 FUNNY.jpg” The original source of the warning is Kaspersky Labs viruslist.com


It seems to be hitting hard in the Netherlands right now. It may just be a matter of time before it’s spreading more widely.

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

Ultimately beware of unknown images… watch out for those greeting card links that may come unexpectedly.

Related Posts

Blog Traffic Exchange Related Posts
  • Big trouble - you don't have any viruses.... You know, I've seen soooo many antivirus vendors that are somewhat ethically challanged claim that cookie files are a big threat, or in worse cases files that the "free" antivirus test downloaded are dangerous "you should be glad we got here in time - where's our $30 to fix things..."......
  • Viruses and worms can come in from many directions For a long time, email was the primary vector for viruses, before that floppy discs carried bugs from pc to pc. Then came network worms exploiting windows security vulnerabilities which led to the rise of firewalls and the increase in viruses piggy-backing into the system through browser bugs. But, any......
  • Nyxem.E virus delete files payload F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is......
Blog Traffic Exchange Related Websites
  • Fix Registry Errors Safely (like an Expert) With Registry Repair Software Have you ever had a virus or spyware attack? Or have you ever downloaded an innocent looking piece of software, only to end up with a vicious Trojan or dreaded worm on your computer and loads of spyware? If you do anything online you will very likely know exactly what......
  • What to Do in Household Emergencies pt 2 of 2 As we mentioned before, there are a number of household emergencies that are unfortunately common occurrences. Knowing what can be done to address them will be able to save money, manpower and even lives, believe it or not. In the last part of this series we touched on electricity, electric......
  • Virus Writers Are Cowardly, Unimaginative Hacks Okay, listen up you pimply little cellar dwarfs. You think you're so smart living rent-free in your Mommy's basement writing your little computer viruses and worms? Well, creating a trojan is as close as you'll ever come to actually using something called a Trojan. And you're not so smart. You're......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site