Tool for camouflaging threats in WMFs discovered, informs Panda Software

PandaLabs has detected a tool called WMFMaker being distributed across the Internet. This tool allows malicious WMFs to be generated from any other code, which in turn allows malware to be dropped on users' systems by exploiting the critical, still unpatched vulnerability in the way Windows processes Windows Meta Files. This vulnerability affects all Windows systems.

This WMF generation kit is designed to be used from the command line, by supplying the full path of the tool and of the executable file that will be run if the vulnerability is exploited. The result is a file with a .wmf extension, named either "evil.wmf" or after the executable file embedded inside it.

“The detection of this kit could explain the rapid appearance of very different malware variants that exploit this vulnerability over the last few days,” explains Luis Corrons, director of PandaLabs. “Although vulnerabilities detected in Windows systems are usually quickly exploited, the flexibility of this one and the huge number of potentially affected systems make it much more attractive, and this is why this surprising tool has been created.”

It is worth remembering that, because of this vulnerability, the simple act of visiting a website that contains a malicious WMF could infect a computer, opening the door to Trojans, worms and all types of threats. The vulnerability lies in the way Windows handles WMF (Windows Meta File), so all programs that can process this type of file are affected. These include Internet Explorer, Outlook and Windows Picture and Fax Viewer.

In order to protect computers from this threat, as well as ensuring that an anti-malware solution capable of blocking code that exploits this vulnerability is installed, it is advisable to un-register the DLL associated with this attack, as described at http://www.microsoft.com/technet/security/advisory/912840.mspx. Similarly, although it is not usually advisable to install patches that are not released by the manufacturer of the product, users might want to install the patch released by Ilfak Guilfanov, a prestigious expert in Windows systems, until the Microsoft patch is available. This patch has been tested and recommended by the SANS Internet Storm Center, and is available at http://handlers.sans.org/tliston/wmffix_hexblog13.exe and http://www.hexblog.com/security/files/wmffix_hexblog13.exe.
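As an added illustration of the kind of check a blocking solution performs (this is not Panda's detection logic nor any code from the page), the scanner below walks the records of a WMF and flags the SETABORTPROC escape record on which this vulnerability hinges, plus records whose size field is too small to be valid. The record layout follows the published WMF format; the low-byte match reflects contemporaneous analyses reporting that the vulnerable GDI code dispatched on the low byte of the function code; the sample files are constructed and carry no real payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header
META_ESCAPE, META_EOF, SETABORTPROC = 0x0626, 0x0000, 0x0009

def wmf_records(data):
    """Yield (offset, function, params, malformed) for each WMF record."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # too small to hold Size + Function: malformed, stop here
            yield off, func, b"", True
            return
        yield off, func, data[off + 6:off + size_words * 2], False
        if func == META_EOF:
            return
        off += size_words * 2

def scan_wmf(data):
    """Return findings as (kind, offset, detail) tuples; empty means nothing flagged."""
    findings = []
    for off, func, params, malformed in wmf_records(data):
        if malformed:
            findings.append(("malformed-record-size", off, func))
        # the vulnerable GDI code dispatched on the low byte of the function code (assumption
        # from public analyses of the flaw), so match on that byte rather than the full word
        elif (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params)
            if esc == SETABORTPROC:
                findings.append(("setabortproc-escape", off, count))
    return findings

def build_wmf(records):
    """Assemble a minimal standard WMF header plus the given (func, params) records."""
    body, max_words = b"", 0
    for func, params in records:
        params += b"\0" * (len(params) % 2)  # records are word-aligned
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    return struct.pack("<HHHIHIH", 2, 9, 0x300, 9 + len(body) // 2, 0, max_words, 0) + body

# Constructed samples (not real malware): an empty metafile, and one carrying a
# SETABORTPROC escape whose "payload" is eight filler bytes.
BENIGN = build_wmf([(META_EOF, b"")])
SUSPECT = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8),
                     (META_EOF, b"")])
```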

Panda Software’s security solutions proactively detect all the malicious files generated by WMFMaker, such as Exploit/WMF. To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.pandasoftware.com/home/default.asp. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software’s website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

For further information about this vulnerability and other computer threats, visit Panda Software’s Encyclopedia.

About PandaLabs

Since 1990, its mission has been to analyze new threats as rapidly as possible to keep our clients safe. Several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), work 24/7 to provide global coverage. To achieve this, they also have the support of TruPrevent™ Technologies, which act as a global early-warning system made up of strategically distributed sensors that neutralize new threats and send them to PandaLabs for in-depth analysis. According to AV-Test.org, PandaLabs is currently the fastest laboratory in the industry in providing complete updates to users (more info at www.pandasoftware.com/pandalabs.asp).
