WMF exploit now spreading via IM

December 31st, 2005

An [tag]IM worm[/tag] is now using the [tag]WMF[/tag] exploit. According to Kaspersky Labs it's not spreading fast as of yet, but that could all change.

We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
This may well turn out to become a local epidemic (in NL), however so far it has not become big. (Not even 1000 bots at this moment.)

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as [tag]Exploit.Win32.IMG-WMF[/tag] by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an [tag]IM-Worm.Win32.Kelvir[/tag] variant. As you will know, Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
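The first stage of the chain above is a file named ".jpg" that is really an HTML page pointing at a WMF metafile. As an added example (not code from the original post or from Kaspersky's report), this Python check sniffs the leading bytes instead of trusting the extension, which catches both the fake image and a WMF file arriving under an image name. The sample bytes are constructed; the magic values are the standard JPEG/GIF/PNG headers and the placeable and memory/disk WMF headers.

```python
"""Flag files whose claimed extension disagrees with their real content."""

# Magic-byte signatures for the formats involved in this infection chain.
# WMF: placeable (Aldus) header, or standard header with type 1/2 and size 9 words.
_SIGNATURES = {
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "wmf":  [b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"],
}
_EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "wmf": "wmf"}
_IMAGE_TYPES = ("jpeg", "gif", "png")


def sniff_type(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    head = data[:16]
    for name, magics in _SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return name
    # HTML has no fixed magic; look for a tag near the start, ignoring whitespace.
    stripped = data[:512].lstrip().lower()
    if stripped.startswith((b"<html", b"<!doctype", b"<script", b"<iframe", b"<body", b"<head")):
        return "html"
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = _EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        # Anything delivered as an image that is not one (HTML, WMF, unknown) is suspicious.
        "suspicious": claimed in _IMAGE_TYPES and actual != claimed,
    }


# Constructed samples mirroring the pattern in the report; not the real files.
SAMPLES = [
    ("xmas-2006 FUNNY.jpg", b'<html><body><iframe src="funny.wmf"></iframe></body></html>'),
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),   # genuine JPEG header
    ("card.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 32),      # placeable WMF under an image name
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(classify(name, blob))
```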

You might also want to avoid sending and receiving New Year e-cards too ...

I'm afraid we have to end this year with the warning to watch out for any unknown image file. With the flurry of e-cards and Happy New Year messages this could get really messy, so be careful.

F-Secure has also picked up on this.

More information on Security Fix

This entry was posted on Saturday, December 31st, 2005 at 20:05 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

One Response to “WMF exploit now spreading via IM”

  1. bukan blog, dan bukan blogger: [email protected] » a new threat in 2006 - WMF vulnerability Says:

    [...] References: http://blogs.washingtonpost.com/securityfix/2005/12/new_exploit_for.html http://www.pcdoctor-guide.com/wordpress/?p=2062 http://www.microsoft.com/technet/security/bulletin/MS05-053.mspx http://www.microsoft.com/technet/security/advisory/912840.mspx http://en.wikipedia.org/wiki/2005_WMF_vulnerability [...]