This is going to be a rough start to the new year for IT staff and computer users….
There’s coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG mess to clean up. It looks like there’s a someone spamming emails to tons of addresses with a specially crafted image (uses the WMF exploit.) It’s also a slightly different variant of the exploit.
According to f-secure….
HappyNewYear.jpgSome clown is spamming out “Happy New Year” emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn’t seem to be related to the two earlier Metasploit WMF exploits we’ve seen.
The emails have a Subject: “Happy New Year”, body: “picture of 2006″ and contain an exploit WMF as an attachment, named “HappyNewYear.jpg” (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It’s going to get worse.
That unofficial patch is looking like the best preventative measure until there’s an official MS patch out. The unofficial patch is available at this link and it’s been reviewed by (at least) incidents.org and sunbelt. The patch is provided AS IS, no warranties and requires a reboot….
Related PostsRelated Posts
- More on the Windows WMF zero-day exploit There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get attention to this problem. It looks like the original site serving the exploit is down,......
- Update on Internet Explorer Zero Day exploit Yesterday I mentioned a SANS report on a possible zero day exploit against Internet Explorer. Today they have more details in the handlers diary. Among other things SANS has issued a patch for it. Essentially the zero day (or previously unknown) vulnerability deals with a .Net framework file, msdds.dll .......
- WMF exploit virus detection revisited Yesterday, when I was testing the WMF exploit against a Windows 98 virtual machine, I sent samples through virus total and the only antivirus product to detect each of them was "TheHacker" from hacksoft. This evening I was revisiting the exploit (with the new rule for metasploit) and saved 20......
- Breaking the 2 Year Blogging Curse, pt 3. This is the final post in discussing the 2 Year Blogging Curse and ways in which to counter the urge to up and quit. We talked about blogging schedules and grabbing specialty plugins, now weâll focus on four new ideas. Establish a Feature. A feature is not a meme. A......
- WebFusion Webhosting Evaluation Webfusion Webhosting Evaluation Internet host Evaluation - WebFusion WebFusion has 4 diverse hosting plans constructed to accommodate your requirements and aggressive pricing. WebFusion provides webmasters and site owners' fantastic flexibility and just the scale they need to have for his or her internet site. WebFuision is component of your Pipex......
- The Truth About Dividends When most of us hear the word dividends, we think about the easy life, of lying around on the beach while earning an insane amount of money. The cold hard truth is a lot less pretty. Dividends can pay, but unless you've got a lot of money invested, your returns......
- WMF exploit and Windows 98
- WMF exploit unofficial patch
- Windows 98 WMF patch
- Suspicious Emails inderectly leading to virus infection
- WMF vulnerability checker