New IM worm using WMF vulnerability



There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time.) There are reports of an instant messenger worm using the vulnerability to spread. Currently incidents.org is reporting that the worm is spreading through the MSN messenger IM network and contains a malformed WMF file called “xmas-2006 FUNNY.jpg” The original source of the warning is Kaspersky Labs viruslist.com


It seems to be hitting hard in the Netherlands right now. It may just be a matter of time before it’s spreading more widely.

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

Ultimately beware of unknown images… watch out for those greeting card links that may come unexpectedly.

Related Posts

Blog Traffic Exchange Related Posts
  • WMF 0-day update Last night while I was in the midst of infecting a virtual machine, Microsoft issued a release that there's a "possible vulnerability"... fortunately, their technical document is a bit more straightforward... technet advisory here. Spyware Confidential also has a good roundup on the coverage so far. There's a bit more......
  • Fake MS Messenger 8 beta and other IM warnings... F-Secure is warning about ads for a "leaked version" of Windows Messenger 8 beta. There is no public beta of this and it is a virus.... If you download and run BETA8WEBINSTALL.EXE from that site, you won't get a new chat client. Instead, your existing MSN Messenger will start to......
  • Nyxem.E virus delete files payload F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is......
Blog Traffic Exchange Related Websites
  • What to Do in Household Emergencies pt 2 of 2 As we mentioned before, there are a number of household emergencies that are unfortunately common occurrences. Knowing what can be done to address them will be able to save money, manpower and even lives, believe it or not. In the last part of this series we touched on electricity, electric......
  • Virus Writers Are Cowardly, Unimaginative Hacks Okay, listen up you pimply little cellar dwarfs. You think you're so smart living rent-free in your Mommy's basement writing your little computer viruses and worms? Well, creating a trojan is as close as you'll ever come to actually using something called a Trojan. And you're not so smart. You're......
  • Fix Registry Errors Safely (like an Expert) With Registry Repair Software Have you ever had a virus or spyware attack? Or have you ever downloaded an innocent looking piece of software, only to end up with a vicious Trojan or dreaded worm on your computer and loads of spyware? If you do anything online you will very likely know exactly what......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site