Slashdot Mirror

← Back to Stories (view on slashdot.org)

New IM Worm Exploiting WMF Vulnerability

Posted by CmdrTaco on from the happy-new-years-windows-users dept.

An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."

7 of 360 comments (clear)

  1. temporary fixes by Phil246 · · Score: 5, Informative

    There is information available on temporary fixes from the following sites
    http://isc.sans.org/diary.php?rss&storyid=996
    http://www.f-secure.com/weblog/#00000760
    http://www.grc.com/sn/notes-020.htm

    be aware the runnable patch is completely unofficial, the only action microsoft suggest is unregistering a vulnerable dll which only mitigates the most common method of exploitation while not fixing the underlying problem.
    NFI how long it will take microsoft to have an official patch out, but from the sans site, it doesnt look promising that it will appear soon.

  2. Re:MSN? by sucker_muts · · Score: 5, Informative

    You MUST mean MSN Messenger.

    Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
    It's more common in europe anyway to use MSN instead of other popular IM networks used thoughout the USA and other countries. IM was never popular with non-geek computer users here and when broadband internet (with a fixed price/month) arrived most teenagers (the primary group of users in europe) all started using MSN Messenger.

    --
    Dependency hell? => /bin/there/done/that
  3. Re:How do I avoid it? Fixes? by Anonymous Coward · · Score: 5, Informative

    See discussion list at
    http://www.aota.net/forums/showthread.php?p=143053
    also check out FSecure's blog:
    http://www.f-secure.com/weblog/

  4. Most importantly: THERE IS A FIX by FhnuZoag · · Score: 5, Informative

    It's unofficial, but it works.

    http://www.hexblog.com/2005/12/wmf_vuln.html

  5. Re:How do I avoid it? Fixes? by R3NZ · · Score: 5, Informative

    There seems to be a first fix.

    There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html

    The problem - and the fix - has been discussed also at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm

  6. Re:It's worse than that by borderpatrol · · Score: 5, Informative

    I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

    I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

    We had a few customer that bought brand new computers and laptop and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

    I do believe there is a bit a social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time to plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines with exploit with a backgood into a major ad server network? Imagine the damage then.

    I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

    --
    Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.
  7. Re:so... by borderpatrol · · Score: 5, Informative
    ...Because it's a simple image. Who would think that an image can deliver such a nasty payload? It doesn't need any user interaction. This blows right through fully patched copies of windows, and IE opens and executes it automatically (video here - http://www.websensesecuritylabs.com/images/alerts/ wmf-movie.wmv)

    Does your website have an image on it? It can be exploited that way. Does your email render html, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier as networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.

    Imaginine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details ?q=&url=www.myspace.com/), as they allow full html formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.

    --
    Yeah I've been starving them, teasing them, singing off key. Me may mah mo, me mo ma me.