New Virus - Windows .WMF format

bitingmidge
3rd January 2006, 10:42 AM
I don't like spreading news of viruses, and usually they turn out to be hoaxes, however the following note has been posted on the Musical Instrument Makers Forum and uploading of pictures has been suspended, so I reckon it's a bit fair dinkum.

May pay to upgrade the virus software chaps, (or get a Mac, or at least use Firefox! :rolleyes: )

Also see Google News (http://news.google.com/news?hl=en&ned=us&ie=UTF-8&ncl=http://www.gcn.com/vol1_no1/daily-updates/37850-1.html)

Cheers,

P (sorry if this is alarmist, but I'd hate us to become victims!)
:rolleyes:


From MIMF.com: sysop - 07:59pm Dec 30, 2005 EST (#1 of 24)
Here's how it works. Evil Hackers insert code that will take over your PC into a WMF image. But we're on guard against Evil Hackers and don't allow uploads of WMF files here. But the Forum software is stupid and believes you when you tell it this WMF file is really a JPG - all you need to do is rename it. So the Forum software accepts it as legal, and here it is below. A WMF image I just renamed. If it displays, your PC will be toast if you actually run into an infected image. Image uploads are suspended until further notice.
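
The rename trick described in the MIMF notice works because the upload check trusts the file name. As an added example (not part of the original post or of any forum's software), here is an upload check that looks at the leading bytes instead; the function names, the allow-list and the sample inputs are assumptions made for illustration.

```python
import os
import struct

# Hypothetical allow-list: leading bytes of the image types a forum accepts.
ALLOWED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"  # placeable metafile key 0x9AC6CDD7


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start with a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_WMF):
        return True
    if len(data) < 6:
        return False
    # Standard header: type (1=memory, 2=disk), header size in words (9),
    # version (0x0100 or 0x0300), all little-endian 16-bit values.
    ftype, hsize, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide from content, not from the claimed name, whether to accept."""
    ext = os.path.splitext(filename)[1].lower()
    if looks_like_wmf(data):
        return False, "content is a Windows Metafile"
    magics = ALLOWED_MAGIC.get(ext)
    if magics is None:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not match {ext}"
    return True, "ok"


# Constructed sample inputs: header bytes only, no real image payloads.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "renamed.jpg": PLACEABLE_WMF + b"\x00" * 18,
    "plain.jpg": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```

A leading-bytes check only rejects the simple rename; re-encoding accepted images on the server before serving them is a stronger control.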

RufflyRustic
3rd January 2006, 11:08 AM
Thanks BM! This explains the weird email I got yesterday from our email virus checker.

cheers
RR

craigb
3rd January 2006, 11:19 AM
This is on the Wikipedia homepage:

http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

Wood Butcher
3rd January 2006, 11:58 AM
That would explain why there was a .wmf file that kept trying to download onto my computer this morning. Thank god for firewalls.

bitingmidge
3rd January 2006, 12:05 PM
The really tricky thing seems to be that a .WMF can be disguised with a .JPG rename??

Watch for new trolls bearing images?

P
:eek:

DavidG
3rd January 2006, 09:56 PM
Port 6346 is getting a hammering.
Just started today.
Love these firewalls.

Mine has everything blocked except what I specifically allow.

Real pain though with MS updates.
Have to open some large doors for that to work. They keep changing the server.

Gumby
3rd January 2006, 10:27 PM
Port 6346 is getting a hammering.
Just started today.
Love these firewalls.

Mine has everything blocked except what I specifically allow.

Real pain though with MS updates.
Have to open some large doors for that to work. They keep changing the server.

Port 9339 is getting hit here. :confused:

DavidG
4th January 2006, 11:23 AM
Add port 8701 to the list.

Daddles
4th January 2006, 11:33 AM
Someone's scoffed all my tawny port :D

Richard

Chesand
4th January 2006, 01:16 PM
Comsec (Commonwealth Bank Share Service) have also posted a warning about this virus.

arose62
4th January 2006, 03:37 PM
Seems like a serious one to me! :eek:

The crux of the problem is that the .WMF format is really a collection of instructions to the Windows graphics-drawing code, and this code is allowed to call other Windows code.

Windows looks inside graphics to see if there are any valid instructions, and will decide for itself to treat a .JPG (and possibly others) as a .WMF.

Just viewing an image on a webpage is enough to cause an infection! The image could be a header, a banner, or even a button!

The most promising fix I've seen is to disable a particular library.

Apparently MS haven't produced a patch yet, and *ALL* versions of Windows are vulnerable!

arose62
5th January 2006, 08:56 AM
From the horse's mouth:

http://www.microsoft.com/technet/security/advisory/912840.MSPX

Cheers,
Andrew