Be careful with WMF files

Over the last 24 hours, we’ve seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit .A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

   Crackz [dot] ws
   unionseek [dot] com
   www.tfcco [dot] com
   Iframeurl [dot] biz
   beehappyy [dot] biz

And funnily enough, according to WHOIS, the domain beehappyy.biz is owned by a former president of the Soviet Union:

   Registrant Name: Mikhail Sergeevich Gorbachev
   Registrant Address1: Krasnaya ploshad, 1
   Registrant City: Moscow
   Registrant Postal Code: 176098
   Registrant Country: Russian Federation
   Registrant Country Code: RU

“Krasnaya ploshad” is the Red Square in Moscow…

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is access an infected web site with IE or view a folder containing infected files in Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines, where we had simply used the WGET command-line tool to download a malicious WMF file. That’s it: downloading the file was enough. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop indexes the metadata of all images too, and to extract this info it issues an API call to the vulnerable Windows component SHIMGVW.DLL. That is enough to trigger the exploit and infect the machine. It all happens in real time, because Google Desktop contains a file system filter and indexes new files as soon as they appear.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.
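One way to triage such samples without letting an image indexer or viewer parse them, as an added example that is not F-Secure's or Sunbelt's code: a Python parser that recognises WMF data by its header (placeable or standard), walks the record list without rendering anything, and flags files that carry META_ESCAPE records. Treating any escape record inside an image as suspicious is an assumed conservative triage rule, not the detection logic behind W32/PFV-Exploit; the sample file is constructed here and is not a malicious WMF.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626           # record type that passes printer-escape requests to GDI
PLACEABLE_MAGIC = 0x9AC6CDD7   # little-endian magic of the 22-byte placeable header


def parse_wmf(data: bytes) -> dict:
    """Walk the WMF header and record list without rendering anything.
    Returns {'placeable', 'records', 'escapes'}; raises ValueError if not a WMF."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        placeable, off = True, 22          # standard header follows the placeable one
    if len(data) < off + 18:
        raise ValueError('too short for a WMF header')
    typ, hdr_words, version = struct.unpack_from('<HHH', data, off)
    if typ not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError('no WMF header at offset %d' % off)
    off += hdr_words * 2                   # sizes in WMF are counted in 16-bit words
    records, escapes = [], []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:                 # a record is at least its size+function fields
            raise ValueError('malformed record at offset %d' % off)
        records.append(func)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escapes.append(struct.unpack_from('<H', data, off + 6)[0])
        off += size_words * 2
    return {'placeable': placeable, 'records': records, 'escapes': escapes}


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf', or 'wmf-escape' (carries at least one META_ESCAPE record)."""
    try:
        info = parse_wmf(data)
    except ValueError:
        return 'not-wmf'
    return 'wmf-escape' if info['escapes'] else 'wmf'


def build_sample() -> bytes:
    """Constructed sample (not a real malicious file): a disk WMF whose only
    drawing record is a META_ESCAPE with escape number 1 and two payload bytes."""
    esc = struct.pack('<IHHH', 6, META_ESCAPE, 0x0001, 2) + b'\x00\x00'   # 12 bytes = 6 words
    eof = struct.pack('<IH', 3, META_EOF)                                  # 6 bytes = 3 words
    # type=2 (disk), 9 header words, version 0x0300, 18 words total, 0 objects, max record 6, 0 members
    header = struct.pack('<HHHIHIH', 2, 9, 0x0300, 18, 0, 6, 0)
    return header + esc + eof
```

Run `classify()` over files in a quarantine directory regardless of extension, since the indexer described above does not care what the file is called either.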

or just use linux…


i’m taking the incense part of Hybrid Elephant to the Fremont Sunday Market this sunday, which means that i’ve been putting everything into reasonably easy to move containers (15 of them), double-checking my inventory and printing out retail price labels – which led me to the discovery that i’m down to my last ream of printer paper, and i’ve got to get more soon. i bought a calculator with a print function, and now i have to figure out how to make it print, and program it with the proper numbers so that it will automatically add the correct amount of sales tax. that’s one advantage to doing business over the internet that selling locally won’t have: most of my customers are out-of-state, so i don’t have to worry about adding state sales tax.

meanwhile, today is the first fremont philharmonic rehearsal. supposedly we’ve got a gig on the 21st, and we also have to start rehearsing for the moisture festival.