The zero-day vulnerability related to Windows' WMF files, first
reported on December 27, is still unpatched by Microsoft. At that
time Trojan downloaders were seen actively exploiting the
vulnerability against fully patched Windows XP SP2 machines.
Windows metafiles are image files used by popular applications
such as Microsoft Word. So far WMF exploits have typically been
used to install spyware and adware, although the threat of virus and
worm exploits remains.
Users can be infected simply by visiting a web site with an
image file containing the WMF exploit. Internet Explorer users are
at the greatest risk of automatic infection, while Firefox and Opera
browser users are prompted with a question whether they'd like to
open the WMF image or not. They get infected too if they answer
'Yes'.
Microsoft and CERT.ORG issued bulletins on the Windows Metafile
vulnerability and also announced a workaround while Microsoft is
creating a patch. Microsoft confirms that the vulnerability
applies to all the main versions of Windows: Windows ME, Windows
2000, Windows XP and Windows 2003. This means there are hundreds of
millions of vulnerable computers at the moment.
As a precaution, F-Secure recommends that administrators block
access to all WMF files at the HTTP proxy and SMTP level. Consumers
are also advised to enable the Windows automatic update system,
reject any emails sent to them with WMF or other dubious-looking
attachments and ensure that their virus protection is up to
date.
F-Secure Anti-Virus detects the offending WMF files with generic
detection either as PFV-Exploit or Exploit.Win32.IMG-WMF.
Speaking about the case, Chief Research Officer at F-Secure,
Mikko Hypponen said: “So far, we've only seen this exploit being
used to install spyware or fake antispyware and antivirus software
on the affected machines. I'm afraid we'll see real viruses using
this soon. We've seen 70 different versions of malicious WMF files
so far.” Hypponen pointed out that the WMF exploit has been used
with a clear criminal motivation to install spyware and to dupe
ordinary consumers into purchasing fake security products for their
computers.
Until a patch is issued, Hypponen recommended that administrators
filter the following domains at corporate firewalls:
toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz
freecat[dot]biz
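The two administrator measures above (blocking WMF files at the HTTP proxy and SMTP level, and filtering the listed domains) can be combined in one gateway check. The following is added example code, not F-Secure's or Microsoft's: it recognises a Windows metafile by its header bytes rather than by file extension (a bare META_HEADER, or one prefixed by the 22-byte Aldus "placeable" header), and it matches a hostname against the advisory's defanged domain list, including subdomains. The function names, the `filter_decision` return strings, and the sample bodies are constructed for this example; the header layout and constants come from the WMF file format itself.

```python
"""Defensive gateway filter for the WMF advisory: identifies Windows
metafiles by header content (not by extension) and matches hostnames
against the published domain list. Added example code, not F-Secure's."""
import struct

# Key that opens an Aldus "placeable" WMF header (0x9AC6CDD7, little-endian on disk).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key + hmf + bbox(4 x int16) + inch + reserved + checksum
META_HEADER_LEN = 18        # standard WMF header: 9 WORDs

# Domain list exactly as published in the advisory, in defanged "[dot]" form.
RAW_BLOCKLIST = [
    "toolbarbiz[dot]biz", "toolbarsite[dot]biz", "toolbartraff[dot]biz",
    "toolbarurl[dot]biz", "buytoolbar[dot]biz", "buytraff[dot]biz",
    "iframebiz[dot]biz", "iframecash[dot]biz", "iframesite[dot]biz",
    "iframetraff[dot]biz", "iframeurl[dot]biz", "freecat[dot]biz",
]


def refang(domain: str) -> str:
    """Turn the advisory's 'example[dot]biz' notation back into a hostname."""
    return domain.replace("[dot]", ".").strip().lower()


BLOCKED_DOMAINS = frozenset(refang(d) for d in RAW_BLOCKLIST)


def is_blocked_host(hostname: str) -> bool:
    """True if hostname is a listed domain or any subdomain of one."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def is_wmf(data: bytes) -> bool:
    """Recognise a WMF body by its header, regardless of the file name.

    Accepts the bare META_HEADER (type 1 = memory or 2 = disk, header size
    9 words, version 0x0100 or 0x0300) and the placeable variant that
    prefixes it with a 22-byte Aldus header. The placeable checksum is
    deliberately not validated: a filter should be at least as permissive
    as the renderer it protects, so a bad checksum must not let data through.
    """
    offset = PLACEABLE_HEADER_LEN if data[:4] == PLACEABLE_KEY else 0
    if len(data) < offset + META_HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, offset)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def filter_decision(hostname: str, body: bytes) -> str:
    """Decision a proxy or mail gateway would take for one fetched object."""
    if is_blocked_host(hostname):
        return "block:host"
    if is_wmf(body):
        return "block:wmf"
    return "allow"


# --- constructed sample inputs (benign, not real exploit files) -------------
# Minimal standard header: disk metafile, 9-WORD header, version 3.0, empty body.
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
# Same metafile behind a placeable header (bbox 0,0-100,100 at 96 units/inch, checksum left 0).
SAMPLE_PLACEABLE_WMF = struct.pack("<IHhhhhHIH", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20   # JPEG/JFIF start-of-image marker
SAMPLE_GIF = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    for host, body in [("img.example.com", SAMPLE_WMF),
                       ("cdn.example.com", SAMPLE_PLACEABLE_WMF),
                       ("www.iframecash.biz", SAMPLE_GIF),
                       ("example.com", SAMPLE_JPEG)]:
        print(f"{host:22} {filter_decision(host, body)}")
```

The content check matters because an extension-based rule only catches files that announce themselves as `.wmf`; matching the header lets the gateway act on a metafile served under any name. The hostname match walks parent domains so that hosts under a listed domain are caught as well.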
For updates on the WMF vulnerability, please check the F-Secure
Viruslab blog, which broke the news on 28th of December:
http://www.f-secure.com/weblog/
About F-Secure Corporation
F-Secure Corporation is the fastest growing publicly
listed company globally in the antivirus and intrusion prevention industry, with
more than 50% growth in antivirus revenues in 2004. F-Secure services
and software protect individuals and businesses against computer viruses and
other threats coming through the Internet or mobile networks. Our award-winning
solutions include antivirus and desktop firewall with intrusion prevention,
antispam and antispyware solutions. Our key strength is our proven speed of
response to new threats. For businesses our solutions feature a centrally
managed and well integrated suite of solutions for workstations and servers
alike. Focused partners offer security as a service for those companies that do
not wish to build security expertise in-house. Founded in 1988, F-Secure has
been listed on the Helsinki Exchanges since 1999. We have our headquarters in
Helsinki, Finland, and offices in France, Germany, Italy, Japan, Norway,
Singapore, Sweden, the United Kingdom and USA. F-Secure is supported by a global
ecosystem of service partners, value added resellers and distributors in over 50
countries. F-Secure protection is also available through mobile handset
manufacturers such as Nokia and as a service through major Internet Service
Providers, such as Deutsche Telekom, France Telecom and Charter Communications.
The latest real-time virus threat news is available at the F-Secure
Antivirus Research Team weblog at
http://www.f-secure.com/weblog/
For further information, please contact:
F-Secure Corporation
Mikko Hypponen,
Chief Research Officer
PL 24
FIN-00181 Helsinki
Gsm +358 400 648 180