Exploit-WMF

This page shows details and results of our analysis of the malware Exploit-WMF

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2005-12-28

Description Modified

2006-01-05

Malware Proliferation

Characteristics

-- January 5, 2006 --
Microsoft has released a patch for the vulnerability attacked by Exploit-WMF, see: http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

-- January 3, 2006 --
Exploit-WMF detection was enhanced in today's DAT release, version 4666, to proactively protect against exploits that may use slightly different WMF properties. As always, McAfee AVERT urges customers to update to the latest DAT files.

To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.

A kit program was recently discovered, which is believed to be responsible for the first wave of Exploit-WMF files. It's known as the WMFMaker trojan.

-- December 31, 2005 --
Source code for a tool that creates Exploit-WMF files has been posted to the web.  This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones.  While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code.  The updated detection has been released in the 4664 DAT files.

-- Update 1 --
An email message containing an Exploit-WMF sample built from this new code has been spammed.  The message appears as follows:

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)

The attachment causes a new BackDoor-CEP variant to be downloaded and run from www.ritztours.com.
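A defender's triage check for the disguised attachment above (a WMF body under a .jpg name): this is an added example, not McAfee's code, that identifies a file by its Windows Metafile header instead of its extension. The header layout follows the WMF format specification; the sample bytes are constructed, not taken from a real sample.

```python
import struct

# Windows Metafile signatures (from the WMF format specification).
PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable header, 22 bytes, precedes META_HEADER
JPEG_MAGIC = b"\xff\xd8\xff"    # JPEG SOI marker; a genuine .jpg starts with this

def parse_wmf_header(data: bytes):
    """Return META_HEADER fields if `data` looks like a WMF, else None."""
    offset = 0
    placeable = False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, offset = True, 22
    if len(data) < offset + 18:
        return None
    # META_HEADER: Type(2) HeaderSize(2) Version(2) Size(4) NumObjects(2) MaxRecord(4) NumMembers(2)
    ftype, hsize, version, size_words, nobj, maxrec, _ = struct.unpack_from("<HHHIHIH", data, offset)
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "type": ftype, "version": version,
            "size_words": size_words, "objects": nobj, "max_record": maxrec}

def sniff_type(data: bytes) -> str:
    """Classify by content, ignoring the file name entirely."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if parse_wmf_header(data) is not None:
        return "wmf"
    return "unknown"

def check_attachment(filename: str, data: bytes) -> tuple[str, bool]:
    """Return (sniffed type, True if a .jpg/.jpeg name hides a WMF body)."""
    kind = sniff_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    disguised = kind == "wmf" and ext in ("jpg", "jpeg")
    return kind, disguised

# Constructed samples (not real malware): a bare META_HEADER followed by a
# META_EOF record (size 3 words, function 0x0000), and a JPEG SOI/APP0 stub.
WMF_SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in (("HappyNewYear.jpg", WMF_SAMPLE), ("photo.jpg", JPEG_SAMPLE)):
        kind, disguised = check_attachment(name, blob)
        print(f"{name}: sniffed {kind}, disguised WMF: {disguised}")
```

A mail gateway or triage script that applies this check flags the spammed attachment as a WMF regardless of its .JPG name.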

-- Update 2 --
Due to the serious nature of the WMF vulnerability and recent discovery of new exploit code, the 4664 DAT files were released out of cycle to detect these new Exploit-WMF samples.

-- December 28, 2005 --
Microsoft has posted information on this vulnerability:

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/912840.mspx

-- December 27, 2005 --
A 0-day vulnerability was discovered on December 27, 2005. Exploit-WMF files are currently being hosted on 2 known web sites. The exploit code attacks a vulnerability in the way in which Windows handles Windows Metafiles, resulting in the execution of arbitrary code.

Known exploit files will be detected and blocked with the 4661 DAT files or newer.

The 2 known exploits download a trojan identified as Downloader-ASE with the 4660 DAT files, and Generic Downloader.q with the 4661 DAT files.

Symptoms

Vary.  This detection covers WMF files attempting to exploit a Windows vulnerability.  This can result in arbitrary code execution; meaning that any number of events may subsequently take place on a compromised system.

Method of Infection

This threat is likely to be delivered when viewing a website hosting the malicious code.

Removal

Microsoft released a patch for the vulnerability targeted by this exploit.  See: http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

McAfee DAT Files
The current DAT files contain detection of threats attempting to exploit this vulnerability.

McAfee Entercept
McAfee Entercept blocks code execution as a result of the buffer overflow.

McAfee VirusScan Enterprise 8.0i / Managed VirusScan
McAfee VirusScan Enterprise 8.0i blocks code execution as a result of the buffer overflow if the malicious file is opened in Internet Explorer or Windows Explorer. Exploit files may be downloaded by Internet Explorer, rather than being rendered by IE, and subsequently launched by internal applications, thus bypassing VSE 8.0i/MVS buffer overflow protection in this scenario.

Variants