Maker tech hub — AI · 3D print · Pi · ESP32 · plus the classic tech archive.

Free ESP32 kit · Books · Network Ninja · Archive

Classic tech archive. From the original averyjparker.com tech blog — historical context; pair with modern guides where noted. Full archive · Maker projects · Network Ninja

Classic tip · Classic

More testing on the second WMF exploit

After my Windows 98 tests which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this secon…

Written by

Avery J. Parker

IT veteran, maker educator, and author of Network Ninja, 3D Printing Mastery, and AI Workflow Mastery. Business IT: Diversified Tech Solutions.

After my Windows 98 tests which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this second exploit variation. I had setup and updated metasploit so I could test my Windows 98 SE install against the latest version of the exploit and with each connection to the locally hosted page I got a new random file. After I collected five of these I ran them through virustotal.com to see how well detection has come in just 24 hours.


Unfortunately I don't think things have improved much in the way of detection since this time yesterday. There was only one antivirus program to raise a red flag at each file. "TheHacker 5.9.2.066 01.01.2006 Exploit/WMF" For two of the files this was the only scanning engine to detect it as malware. The other three were a bit more widely detected (McAfee and Bitdefender, then Symantec did fairly well.)

Unfortunately due to the psuedo-random nature of this second exploit, antivirus software will likely be hard pressed to come up with good ways to detect it, but TheHacker, from http://www.hacksoft.com.pe/ (based in Peru), has done a good job at this point of dealing with the task.

As I was finishing up the article, I thought I'd throw one more at it virustotal and for the last one, only Symantec and TheHacker detected.... again good job Hacksoft.