This is going to be a rough start to the new year for IT staff and computer users….
There’s coverage at Incidents.org, the Sunbelt blog and F-Secure of the latest twist in what will likely be a BIG mess to clean up. It looks like someone is spamming emails to tons of addresses with a specially crafted image that uses the WMF exploit, and it’s a slightly different variant of the exploit from the ones seen so far.
According to F-Secure:
Some clown is spamming out “Happy New Year” emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn’t seem to be related to the two earlier Metasploit WMF exploits we’ve seen.
The emails have a Subject: “Happy New Year”, body: “picture of 2006” and contain an exploit WMF as an attachment, named “HappyNewYear.jpg” (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It’s going to get worse.
That unofficial patch is looking like the best preventative measure until there’s an official MS patch out. The unofficial patch is available at this link and it’s been reviewed by (at least) Incidents.org and Sunbelt. The patch is provided AS IS, with no warranties, and requires a reboot.
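The F-Secure description above makes the practical point for anyone running a mail gateway: the attachment is a WMF file carrying a .jpg name, and it fires when the file is merely previewed or indexed, so blocking on extension alone is useless. What follows is an added example, not code from the original post or from F-Secure: a Python checker that identifies WMF content by its headers regardless of filename and flags META_ESCAPE records carrying the SetAbortProc escape, which is the record this class of WMF exploit abuses (that detail comes from the editor’s knowledge of the vulnerability, not from this page). The sample files are constructed inline for illustration and contain no real payload.

```python
import struct

# WMF constants (from the Windows Metafile format specification)
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # escape sub-function abused by the WMF exploit


def is_jpeg(data: bytes) -> bool:
    """JPEG files start with the SOI marker followed by another marker byte."""
    return data[:3] == b"\xff\xd8\xff"


def wmf_body_offset(data: bytes):
    """Return the offset of the first record if `data` is a WMF, else None.

    Accepts both plain metafiles and placeable (Aldus-header) metafiles.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        off = 22                                  # skip 22-byte placeable header
    if len(data) < off + 18:                      # METAHEADER is 18 bytes
        return None
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + 18


def wmf_records(data: bytes, start: int):
    """Yield (function, params) per record; stop at META_EOF or on a malformed size."""
    off = start
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):    # bogus or truncated record
            break
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def classify(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means clean."""
    findings = []
    body = wmf_body_offset(data)
    if body is None:
        if filename.lower().endswith(".jpg") and not is_jpeg(data):
            findings.append("extension .jpg but content is not JPEG")
        return findings
    if not filename.lower().endswith(".wmf"):
        findings.append("WMF content disguised as %s" % filename)
    for func, params in wmf_records(data, body):
        if func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append("META_ESCAPE record with SetAbortProc escape")
    return findings


# --- constructed sample files (structure only, not real malware) -----------

def record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: DWORD size in words, WORD function, then params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable: bool = False) -> bytes:
    """Assemble a METAHEADER (optionally preceded by a placeable header) plus records."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    prefix = b""
    if placeable:
        prefix = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


BENIGN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)), record(META_EOF)])
# SetAbortProc escape with 8 bytes of zero padding where an exploit would put code
DISGUISED_WMF = build_wmf(
    [record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8), record(META_EOF)],
    placeable=True,
)

if __name__ == "__main__":
    for name, blob in [("photo.jpg", BENIGN_JPEG), ("diagram.wmf", BENIGN_WMF),
                       ("HappyNewYear.jpg", DISGUISED_WMF)]:
        print(name, classify(name, blob) or "clean")
```

Run against a quarantine directory or hook it into the gateway’s attachment scanner; any non-empty result is worth holding the message. The extension mismatch alone is a strong signal for this campaign, and the SetAbortProc check catches the same trigger arriving under a .wmf name or a filename the spammer changes tomorrow.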