Weekly Report on Viruses and Intruders – WMFMaker, Gaobot.LTL and Mytob.MF

WMFMaker is a program for creating WMF (Windows MetaFile) images that exploit a critical vulnerability in Graphics Rendering Engine. This vulnerability lies in how Windows 2003/XP/2000/Me/98 handles WMF (Windows Meta File), and therefore, all applications that handles this type of file are affected, such as Internet Explorer and Microsoft Outlook. WMFMaker can be used to create images that run any type of malicious code – Trojans, worms or any other type of malware- in the computer affected by this security flaw.

WMFMaker is designed to be used from the command line, by including the full path of the tool and of the executable file that will be included in the WMF and run if the vulnerability is exploited. By doing this, a file with a .wmf extension is generated under a name that varies between “evil.wmf” and the name of the executable file included inside it.

Malicious WMF images created by WMFMaker can be distributed through different means, such as housing it in a web page and persuading users to visit it. If the victim uses Internet Explorer, when accessing the malicious web page arbitrary code can be run automatically. However, if a different browser is used, the user will be warned that the file will be downloaded.

Until Microsoft releases the patch to fix this vulnerability, as well as ensuring that anti-malware solutions capable of blocking code that exploits this flaw are installed, users are advised to adopt a series of other security measures including the following:

· Read email messages in Plain Text.

· Don’t click on links received via email or instant messaging from unknown senders.

· If you have Windows XP installed, enable DEP (Data Execution Prevention).

The second threat in this week’s report is Gaobot.LTL, a worm that spreads through the following means: email; Internet, by exploiting the LSASS, RPC DCOM, WebDAV and UPnP vulnerabilities; computer networks; using peer-to-peer (P2P) file sharing programs; AOL Instant Messenger (AIM) and IRC.

Gaobot.LTL connects to several IRC servers to receive remote control commands (such as stealing passwords from the computer, launching Denial of Service attacks, scanning IP addresses, etc.). It also prevents users from accessing the websites of IT security companies and as a result, antivirus programs might not be able to update, leaving the computer vulnerable to other malware.

This week’s report closes with Mytob.MF, a mass-mailing worm that reaches computers in a message with variable characteristics containing an attached file called Abuse_Seport.zip. This worm uses social engineering techniques to spread to as many computers as possible. To be more specific, the message carrying this worm passes itself off as a message from a complaints department and accuses recipients of carrying out illegal activity from their computers.

When the Abuse_Seport.zip file it is decompressed and run, it is installed on the computer and carries out various actions, such as looking for email addresses in certain files on the computer to which it sends a copy of itself. It also ends the processes belonging to different security programs running in memory and prevents the user from accessing web pages belonging to antivirus companies, among others.