New Virus - Windows .WMF format

[bitingmidge]

I don't like spreading news of viruses, and usually they turn out to be hoaxes, however the following note has been posted on the Musical Instrument Makers Forum and uploading of pictures has been suspended, so I reckon it's a bit fair dinkum.

May pay to upgrade the virus software chaps, (or get a Mac, or at least use Firefox! )

Also see Google News

Cheers,

P (sorry if this is alarmist, but I'd hate us to become victims!)

From MIMF.com: sysop - 07:59pm Dec 30, 2005 EST (#1 of 24)
Here's how it works. Evil Hackers insert code that will take over your PC into a WMF image. But we're on guard against Evil Hackers and don't allow uploads of WMF files here. But the Forum software is stupid and believes you when you tell it this WMF file is really a JPG - all you need to do is rename it. So the Forum software accepts it as legal, and here it is below. A WMF image I just renamed. If it displays, your PC will be toast if you actually run into an infected image. Image uploads are suspended until further notice.

[RufflyRustic]

Thanks BM! This explains the wierd email I got yesterday from our email virus checker.

cheers
RR

[craigb]

This is on the Wikipedia homepage:

http://en.wikipedia.org/wiki/Windows..._vulnerability

[Wood Butcher]

That would explain why there was a .wmf file that kept trying to download onto my computer this morning. Thank god for firewalls

[bitingmidge]

The really tricky thing seems to be that a .WMF can be disguised with a .JPG rename??

Watch for new trolls bearing images?

P
:eek:

[DavidG]

Port 6346 is getting a hammering.
Just started today.
Love these firewalls.

Mine has everything blocked except what I specifically allow.

Real pain though with MS updates.
Have to open some large doors for that to work. They keep changing the server.

[Gumby]

Port 6346 is getting a hammering.
Just started today.
Love these firewalls.

Mine has everything blocked except what I specifically allow.

Real pain though with MS updates.
Have to open some large doors for that to work. They keep changing the server.

Port 9339 is getting hit here. :confused:

[DavidG]

Add port 8701 to the list.

[Daddles]

Someone's scoffed all my tawny port

Richard

[Chesand]

Comsec (Commonwealth Bank Share Service) have also posted a warning about this virus.

[arose62]

Seems like a serious one to me!:eek:

The crux of the problem is that the .WMF format is really a collection of instructions to the Windows graphics-drawing code, and this code is allowed to call other Windows code.

Windows looks inside graphics to see if there are any valid instructions, and will decide for itself to treat a .JPG (and possibly others) as a .WMF.

Just viewing an image on a webpage is enough to cause an infection! The image could be a header, a banner, or even a button!

The most promising fix I've seen is to disable a particular library.

Apparently MS haven't produced a patch yet, and *ALL* versions of Windows are vulnerable!

[arose62]

From the horse's mouth:

http://www.microsoft.com/technet/sec...ry/912840.MSPX

Cheers,
Andrew