New IM worm using WMF vulnerability



There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time). There are reports of an instant messenger worm using the vulnerability to spread. Currently incidents.org is reporting that the worm is spreading through the MSN Messenger IM network and contains a malformed WMF file called “xmas-2006 FUNNY.jpg”. The original source of the warning is Kaspersky Labs' viruslist.com.


It seems to be hitting hard in the Netherlands right now. It may just be a matter of time before it’s spreading more widely.

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing, this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know, Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

Ultimately beware of unknown images… watch out for those greeting card links that may come unexpectedly.
