1/2/2006. The tool WMFMaker generates malicious WMFs that try to exploit the unresolved vulnerability in Windows systems.
Malicious users can use this tool to exploit the vulnerability and distribute any type of malicious code: Trojans, worms or any other type of malware.
Panda Software’s security solutions proactively detect all the malicious files generated by WMFMaker, such as Exploit/WMF.
PandaLabs has detected a tool called WMFMaker being distributed across the Internet. This tool allows malicious WMFs to be generated from any other code, which allows malware to be dropped on users’ systems by exploiting the critical vulnerability in the Windows Meta File process that has not yet been resolved. This vulnerability affects Windows 98, Windows 98SE, Windows ME, Windows 2000 SP4, Windows XP SP1, Windows XP SP2, Windows XP x64 Edition, Windows 2003 and Windows 2003 SP1 versions Itanium and x64.
This WMF generation kit is designed to be used from the command line, by including the full path of the tool and of the executable file that will be run if the vulnerability is exploited. By doing this, a file with a .wmf extension is generated under a name that varies between “evil.wmf” and the name of the executable file included inside it.
“The detection of this kit could explain the rapid appearance of very different malware variants that exploit this vulnerability over the last few days,” explains Luis Corrons, director of PandaLabs. “Although vulnerabilities detected in Windows systems are usually quickly exploited, the flexibility of this one and the huge number of potentially affected systems make it much more attractive, and this is why this surprising tool has been created.”
It is worth remembering that, due to this vulnerability, the simple act of visiting a website that contains a malicious WMF could infect a computer, opening the door to Trojans, worms and all types of threats. This vulnerability lies in the way Windows handles WMF (Windows Meta File), so all programs that can process this type of file are affected. These include Internet Explorer, Outlook and Windows Picture and Fax Viewer.
In order to protect computers from this threat, as well as ensuring that an anti-malware solution capable of blocking code that can exploit this vulnerability is installed, it is advisable to un-register the DLL associated with this attack, as described at http://www.microsoft.com/technet/security/advisory/912840.mspx. Similarly, although it is not usually advisable to install patches that are not released by the manufacturer of the product, users might want to install the patch released by Ilfak Guilfanov, a prestigious expert in Windows systems, until the Microsoft patch is available. This patch has been tested and recommended by SANS Internet Storm Center, and is available at: http://handlers.sans.org/tliston/wmffix_hexblog13.exe and http://www.hexblog.com/security/files/wmffix_hexblog13.exe .
Panda Software’s security solutions proactively detect all the malicious files generated by WMFMaker, such as Exploit/WMF. To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.pandasoftware.com/home/default.asp . Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters .
Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software’s website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.
For further information about this vulnerability and other computer threats, visit Panda Software’s Encyclopedia.
About PandaLabs
Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent™ Technologies, which act as a global early-warning system made up of strategically distributed sensors to neutralize new threats and send them to PandaLabs for in-depth analysis. According to Av.Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at www.pandasoftware.com/pandalabs.asp ).
Oxygen3 24h-365d, by Panda Software
© Panda Software 2003