MoMusings

Saturday 31st December, 2005


WMF, IM Out To Get You!

Filed under: All, Malware, Exploits

Further disclosures on the WMF vulnerability, and on the increasing use of the exploit by malware. This just in from Kaspersky:

We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to “http://[snip]/xmas-2006 FUNNY.jpg”.
This may well turn out to become a local epidemic (in NL), however so far it has not become big (not even 1000 bots at this moment).

The .jpg is actually an HTML page with a (link to a) malicious WMF file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This WMF will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br, which in turn will download an SdBot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.

So, another of the predictions in my original posting on the WMF problem was spot on. Be very suspicious of instant messages that contain links, even, and let me make this very clear, even if they come from someone you know: many IM worms send such links to everyone on the infected system's buddy list, so the sender being a friend proves nothing about the link.

More Mitigation Solutions:
As suggested by some of the ‘wags’ out there, you can use Linux, FreeBSD or any other *NIX based system as a solution, as they are not vulnerable to this exploit or to the malware using it: the flaw lies in the Windows GDI code that plays back WMF files, which those systems do not have. The same goes for Mac OS X (which is based on BSD). But you already knew that, didn’t you? ;-)

Another option, for the brave, the paranoid, or those that like to visit the greyer areas of the ‘net, is described on the F-Secure lab weblog:

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

The fix is available here: http://www.hexblog.com/2005/12/wmf_vuln.html

It appears that the vulnerability may not be limited to, or ‘rooted’ in, shimgvw.dll as Microsoft’s workaround (unregistering that DLL) suggests: according to some sources you can still get infected even if shimgvw.dll is unregistered, and even if the file is deleted.

If you look at the data from F-Secure on the fix offered by Ilfak, you will see that it patches gdi32.dll, not shimgvw.dll. That fits the reports above: unregistering shimgvw.dll only removes one application (the Picture and Fax Viewer) that hands WMF files to GDI, while any other program that plays a WMF through gdi32.dll still reaches the vulnerable code. The plot thickens!
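Two of the points above are easy to turn into a check you can run on a suspicious download: Kaspersky's observation that the “.jpg” link actually delivers an HTML page, and F-Secure's note that the SETABORTPROC escape (escape code 9 in the Windows GDI headers) inside a WMF record is the root of the problem. The script below is an added example written for this post, not code from the original page, Kaspersky, F-Secure or Ilfak's patch. It classifies a file by its leading bytes rather than its extension, walks the WMF record stream, and reports every META_ESCAPE record (function 0x0626) whose escape sub-function is SETABORTPROC. All sample files are constructed inline for the example; the hostname in the HTML sample is a placeholder and the escape payload is filler, not shellcode.

```python
"""Added example (not from the original post): content sniffing for a file
served as ".jpg", plus a WMF record walker that flags SETABORTPROC escapes."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # "placeable" WMF files start with this DWORD
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape() sub-function that installs a callback


def sniff_type(data: bytes) -> str:
    """Classify by content, not by the extension in the link."""
    if data[:3] == b'\xff\xd8\xff':
        return 'jpeg'
    if data[:4] == struct.pack('<I', PLACEABLE_KEY):
        return 'wmf'
    if len(data) >= 6:
        ftype, hdr_words, _ = struct.unpack_from('<HHH', data, 0)
        if ftype in (1, 2) and hdr_words == 9:      # standard META_HEADER
            return 'wmf'
    head = data.lstrip()[:16].lower()
    if head.startswith((b'<html', b'<!doctype', b'<script', b'<iframe')):
        return 'html'
    return 'unknown'


def parse_wmf_records(data: bytes) -> list:
    """Return (offset, function, params) per record; stop at EOF or damage."""
    off = 22 if data[:4] == struct.pack('<I', PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    hdr_words = struct.unpack_from('<H', data, off + 2)[0]
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        size = size_words * 2                       # RecordSize is in WORDs
        if size < 6 or off + size > len(data):
            # Size field lies: keep whatever bytes remain so the record is
            # still inspected, then stop walking.
            records.append((off, func, data[off + 6:]))
            break
        records.append((off, func, data[off + 6:off + size]))
        if func == META_EOF:
            break
        off += size
    return records


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, _byte_count = struct.unpack_from('<HH', params, 0)
            if esc == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    params += b'\x00' * (len(params) % 2)          # records are WORD aligned
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Build a minimal WMF (used only to construct the samples below)."""
    all_recs = records + [(META_EOF, b'')]
    body = b''.join(_record(f, p) for f, p in all_recs)
    max_rec = max(len(_record(f, p)) for f, p in all_recs) // 2
    header = struct.pack('<HHHIHIH', 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    if not placeable:
        return header + body
    fields = struct.pack('<IHhhhhHI', PLACEABLE_KEY, 0, 0, 0, 1000, 1000, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack('<H', fields):   # XOR of the first 10 WORDs
        checksum ^= w
    return fields + struct.pack('<H', checksum) + header + body


# Constructed samples (hostname hypothetical, payload is filler not shellcode)
HTML_DISGUISED_AS_JPG = b'<html><body><iframe src="http://evil.example/x.wmf"></iframe></body></html>'
REAL_JPEG_HEAD = b'\xff\xd8\xff\xe0\x00\x10JFIF\x00'
BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack('<H', 8))])
MALICIOUS_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack('<H', 8)),
    (META_ESCAPE, struct.pack('<HH', SETABORTPROC, 8) + b'\x90' * 8),
], placeable=True)
# Escape record whose size field (0x4000 WORDs) runs past the end of the file
LYING_SIZE_WMF = (build_wmf([])[:18] + struct.pack('<IH', 0x4000, META_ESCAPE)
                  + struct.pack('<HH', SETABORTPROC, 4) + b'\x90' * 4)

if __name__ == '__main__':
    for name, blob in [('xmas-2006 FUNNY.jpg', HTML_DISGUISED_AS_JPG), ('real.jpg', REAL_JPEG_HEAD),
                       ('benign.wmf', BENIGN_WMF), ('bad.wmf', MALICIOUS_WMF), ('lying.wmf', LYING_SIZE_WMF)]:
        kind = sniff_type(blob)
        hits = find_setabortproc(blob) if kind == 'wmf' else []
        print(f'{name}: {kind}, SETABORTPROC at {hits or "none"}')
```

The record walker deliberately does not trust RecordSize: a record whose size field runs past the end of the file is still inspected before the walk stops, so a forged size cannot hide the escape from the scan. Note this only finds the escape that F-Secure names; a clean result says nothing about other malformed content in the file.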

And on that note, as this is probably my last post of 2005, I would like to wish you all a very happy new year!


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
