Panda Software Discovers Tool for Camouflaging Threats in WMFs

Jan. 6, 2006
PandaLabs has detected a tool called WMFMaker being distributed across the Internet. (Ed. Note: Microsoft issued fix #KB912919 for Windows XP on Jan. 6, 2006.)

This tool allows malicious WMF files to be generated from any other code, which allows malware to be dropped on users' systems. The resulting file exploits the critical vulnerability in Windows Metafile (WMF) handling that has not yet been resolved. This vulnerability affects all Windows systems.

This WMF generation kit is designed to be used from the command line, by supplying the full path of the tool and of the executable file that will be run if the vulnerability is exploited. By doing this, a file with a .wmf extension is generated under a name that varies between "evil.wmf" and the name of the executable file embedded inside it.

"The detection of this kit could explain the rapid appearance of very different malware variants that exploit this vulnerability over the last few days," explains Luis Corrons, director of PandaLabs. "Although vulnerabilities detected in Windows systems are usually quickly exploited, the flexibility of this one and the huge number of potentially affected systems make it much more attractive, and this is why this surprising tool has been created."

It is worth remembering that, due to this vulnerability, simply visiting a website that contains a malicious WMF could infect computers, opening the door to Trojans, worms and all types of threats. The vulnerability lies in the way Windows handles WMF (Windows Metafile) files, so every program that can process this type of file is affected, including Internet Explorer, Outlook and Windows Picture and Fax Viewer.
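Because the flaw sits in the metafile format handler rather than in any one application, a useful defensive step is to triage WMF files (browser caches, mail attachments, web uploads) before any Windows viewer touches them. The following Python script is an added example written for this page; it is not Panda's tool or Microsoft's code. It walks the WMF record list and reports META_ESCAPE records carrying the SETABORTPROC sub-function, which is the record type the WMF exploits of this period relied on, and rejects files whose record sizes run past the end of the data. The two sample files at the bottom are constructed inline for demonstration and carry no payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" wrapper before the standard header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # escape sub-function abused by the 2005/2006 WMF exploits


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF file.

    Raises ValueError on a malformed header or a record that overruns the data,
    which is itself a signal worth flagging during triage.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:   # 1 = memory metafile, 2 = disk metafile
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_abortproc_escapes(data: bytes):
    """Return the offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes = b"") -> bytes:
    """Build one WMF record: 4-byte size in words, 2-byte function, parameters."""
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_sample(records) -> bytes:
    """Assemble a minimal disk metafile (18-byte header + records); constructed test data."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


# Constructed samples: a benign file with one drawing record, and one carrying the escape.
BENIGN_WMF = build_sample([_record(0x0103, struct.pack("<H", 8)),   # META_SETMAPMODE
                           _record(META_EOF)])
SUSPECT_WMF = build_sample([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                            _record(META_EOF)])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, "SETABORTPROC escape at offsets:", find_abortproc_escapes(sample))
```

A SETABORTPROC escape has no legitimate use in an image delivered over the web or by mail (it only makes sense when a metafile is being played to a printer), so any hit from this scanner is a reason to quarantine the file for analysis rather than open it in a viewer.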

To protect computers from this threat, as well as ensuring that an anti-malware solution capable of blocking code that exploits this vulnerability is installed, it is advisable to un-register the DLL associated with this attack, as described at www.microsoft.com/technet/security/advisory/912840.mspx. Similarly, although installing patches not released by the product's manufacturer is not usually recommended, users might want to install the patch released by Ilfak Guilfanov, a renowned Windows systems expert, until the Microsoft patch is available. This patch has been tested and recommended by the SANS Internet Storm Center, and is available at http://handlers.sans.org/tliston/wmffix_hexblog13.exe and www.hexblog.com/security/files/wmffix_hexblog13.exe.
