Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible. For example, McAfee users should install DAT 4661 or higher immediately.

2. Stay away from all questionable websites. Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).

3. Filter and block WMF files in email or content filtering systems in the corporate environment.

4. Don't rely just on the WMF extension. Windows metadata processing can process a disguised and renamed extension. For example, the extension for a corrupted WMF file might be renamed to GIF, and when Windows opens it, it may recognize that it was a WMF file originally and an infection could result.

5. As an extra safety precaution, you can turn off the vulnerable DLL. The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off. Another option might be to turn off the shimgvw.dll service completely. Turning services completely off will result in a minor loss of functionality: thumbnail previews in Explorer and the Windows Fax & Picture viewer can be affected. Still, it's easy to restore this service later after better protective solutions emerge, as noted in the Full Disclosure link.
The number of trojans using the zero-day WMF exploit is increasing rapidly.
A new exploit has been released for the Windows WMF vulnerability. The exploit is embedded in image files with a .jpg extension, which are designed to make detection with IDS more difficult. At the time of release this exploit was not detectable by anti-virus software, although signatures are now being released. There are further reports that this exploit has been used to construct malicious emails that have been spammed out. F-Secure have given the following details for this email:

Subject: Happy New Year
Body: "picture of 2006"
Attachment: HappyNewYear.jpg (MD5: DBB27F839C8491E57EBCC9445BABB755)

When the HappyNewYear.jpg is accessed (i.e. the file is opened, a folder containing the file is viewed, or the file is indexed by, for example, Google Desktop), it executes and downloads a Bifrose variant from www[dot]ritztours.com.
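Recommendations 3 and 4 above (filter WMF at the mail gateway, and don't trust the extension) come down to sniffing the file content rather than the name. The following is an added example, not code from the original post or from any of the vendors mentioned: it recognises a WMF file by its header (the Aldus placeable key 0x9AC6CDD7 and/or the standard META_HEADER with Type 1 or 2, HeaderSize 9 and Version 0x0100/0x0300) and flags attachments whose .jpg or .gif name disagrees with their content. The sample files, including the renamed ones, are constructed minimal headers, not real malware.

```python
"""Extension-independent WMF content check for a mail/content filter (added example)."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable metafile key, stored little-endian
PLACEABLE_HEADER_LEN = 22    # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
META_HEADER_LEN = 18         # standard META_HEADER record


def is_wmf(data: bytes) -> bool:
    """True if the bytes begin with a placeable or standard WMF header."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_HEADER_LEN          # skip the placeable wrapper
    if len(data) < offset + META_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, offset)
    # Type: 1 = memory metafile, 2 = disk metafile; HeaderSize is 9 words
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def scan(samples: dict) -> dict:
    """Map filename -> verdict. WMF content is blocked whatever the extension says."""
    verdicts = {}
    for name, data in samples.items():
        if not is_wmf(data):
            verdicts[name] = "allow"
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        verdicts[name] = "block-wmf" if ext == "wmf" else "block-wmf-disguised"
    return verdicts


def _wmf_header(placeable: bool) -> bytes:
    """Constructed minimal WMF header bytes (not a usable metafile)."""
    std = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)   # disk metafile, 9-word header
    if placeable:
        std = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + std
    return std


# Constructed sample attachments: genuine JPEG/GIF magic vs. WMF data under a renamed extension.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "banner.gif": b"GIF89a" + b"\x00" * 20,
    "holiday.jpg": _wmf_header(False) + b"\x00" * 8,   # WMF renamed to .jpg
    "chart.gif": _wmf_header(True),                     # placeable WMF renamed to .gif
    "drawing.wmf": _wmf_header(False),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} {verdict}")
```

This only inspects the leading header, so it catches a WMF file that has merely been renamed; a file with a genuine image header is passed through and still needs the anti-virus signatures mentioned above.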