792

Be careful with WMF files

Over the last 24 hours, we’ve seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit .A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

   Crackz [dot] ws
   unionseek [dot] com
   www.tfcco [dot] com
   Iframeurl [dot] biz
   beehappyy [dot] biz

And funnily enough, according to WHOIS, the domain beehappyy.biz is owned by a former president of the Soviet Union:

   Registrant Name: Mikhail Sergeevich Gorbachev
   Registrant Address1: Krasnaya ploshad, 1
   Registrant City: Moscow
   Registrant Postal Code: 176098
   Registrant Country: Russian Federation
   Registrant Country Code: RU

“Krasnaya ploshad” is the Red Square in Moscow…

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is access an infected web site with IE, or view a folder containing infected files in Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. It all happens in real time, as Google Desktop contains a file system filter and indexes new files as soon as they appear.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.


or just use linux…
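Since the post shows that merely having a WMF file on disk is enough for an indexer to hand it to SHIMGVW.DLL, a handler wants to know what a file really is before any Windows component touches it. Below is an added example (not from the original post, F-Secure or Sunbelt) of a small Python checker that recognises WMF content by its header rather than its extension and walks the record list; it flags a META_ESCAPE record carrying the SetAbortProc sub-function, which is how this exploit was later documented to work (a detail not stated in the post). The sample metafiles are constructed inline and are not real malware.

```python
import struct
from dataclasses import dataclass, field

PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte "placeable" WMF header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9              # escape sub-function abused by the 2005 WMF exploit

@dataclass
class WmfReport:
    is_wmf: bool = False
    placeable: bool = False
    records: int = 0
    escapes: list = field(default_factory=list)  # (offset, escape sub-function)
    suspicious: bool = False
    reason: str = ""

def inspect_wmf(data: bytes) -> WmfReport:
    """Recognise WMF content by structure, not extension, and walk its records."""
    rep, off = WmfReport(), 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        rep.placeable, off = True, 22
    if len(data) < off + 18:
        return rep
    mt_type, hdr_size, version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return rep
    rep.is_wmf, off = True, off + 18
    while off + 6 <= len(data):  # each record: size in words (u32) + function (u16)
        rd_size, func = struct.unpack_from("<IH", data, off)
        if rd_size < 3:
            rep.suspicious, rep.reason = True, f"record size {rd_size} < 3 at {off}"
            return rep
        rep.records += 1
        if func == META_EOF:
            return rep
        if func == META_ESCAPE and rd_size >= 4:
            esc = struct.unpack_from("<H", data, off + 6)[0]
            rep.escapes.append((off, esc))
            if esc == SETABORTPROC:
                rep.suspicious, rep.reason = True, f"SetAbortProc escape at {off}"
        off += rd_size * 2
    rep.suspicious, rep.reason = True, "no META_EOF record (truncated or malformed)"
    return rep

def rec(func: int, *params: int) -> bytes:  # build one record from u16 parameters
    return struct.pack("<IH", 3 + len(params), func) + b"".join(struct.pack("<H", p) for p in params)

def wmf(records: list) -> bytes:  # standard 18-byte header followed by the records
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max(map(len, records)) // 2, 0) + body

# Constructed samples (not real malware): a benign metafile and one carrying the escape.
BENIGN = wmf([rec(0x0103, 1), rec(META_EOF)])
ESCAPE = wmf([rec(0x0103, 1), rec(META_ESCAPE, SETABORTPROC, 0), rec(META_EOF)])
```

Run it over a download or sample directory before indexing is re-enabled; a file need not end in .wmf to be picked up by an indexer that sniffs content.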

11 thoughts on “792”

  1. Well, I have now deleted it from my computer, and it is running better already. I need to restart though, just in case. Thanks for the tip.

  2. maybe it’s just as well that i couldn’t get the kubuntu iso that i downloaded to fit on the 700mb disk that it was supposed to be burned on… 8/

  3. you’re using ubuntu, right? and it doesn’t come with sendmail installed by default?
    Yep, Ubuntu Dapper Drake. And if it does, Apache didn’t know where it was. I thought sendmail came with Apache so I clicked on the form I was developing and it did all the other stuff it was supposed to do but didn’t send along the mail to me.

    So I installed sendmail and now every time I boot up it goes to the non-gui bootup screen, hems and haws around, and finally tells me that something’s wrong and sendmail isn’t running. But… when I go in and test out my code it sends the mail. *shrug* It just takes a LOOOOOONG time to do so.

    And it’s eating RAM because it’s listening to port 25 for incoming mail all the time. I wonder if there’s any other mail server that Apache and PHP will recognize but isn’t quite as large and recalcitrant.

    I think I’m also going to try and figure out how to keep Apache, sendmail, et al. from firing up on bootup. I only need Apache when I’m developing something webbish and I only need sendmail when the dev job includes sending out mail. I’d like to be able to fire it up and kill it at will, like I did on Windoze with Abyss web server. I also got Abyss for Linux but it was giving me a bit of grief so I moved to Apache.

    HH

  4. yes, WMF = Windows Media File

    How important is it that I get rid of Google Desktop?

    i don’t know how important it is because i have been suspicious about google for a while now, and don’t use it at all, but if what they are saying here is any indication, google desktop is facilitating your infection, if not being a direct cause of it, so it would be my impression that getting rid of it is pretty important.

  5. Oh huzzah! Another reason to feel good about sitting here at my Linux box. And I need one right now cuz my real audio seems to have gone south and installing sendmail (so’s I can test some code I’m writing for my site) is choking hell out of the poor little box.

    I don’t really like real audio that much, but it’s the only way to listen to stuff at redhotjazz.com. *pout*

    HH

  6. I am going to go ahead and ask the question, even if it means I’ll look dumb: what is a WMF file? Windows Media? If so, that is a problem, ’cause I use a lot of ’em.

    How important is it that I get rid of Google Desktop? I just installed it, and frankly it has been pissing me off. I’ve thought of getting rid of it, anyway, ’cause when it’s indexing, it really slows the computer down.

    I am going to block the sites you mention, just in case.

  7. it’s one of the things… i used to be a professional bug-finder, but i gave it up after my brain exploded. now i find bugs as a hobby.

  8. A Friend who is an asset!

    Bonus for me!

    Thanks for the 4-1-1.

    Is this what you do for a living – play with bugs?

  9. Thanks for that heads-up.

    No worries here at home. (Linux) But I’m kinda the entire IT department (among other things) for a bunch of engineers, all with admin rights on their own networked machines.

    Although after reading your post I did a little looking around, and in the process I remembered applying the “unofficial patch” to my laptop some time ago.

    Still, I think I’ll block those listed sites on the firewall just the same.
