WMF related files

NEW: I recommend reading this site for more defense information.
http://www.f-secure.com/weblog/
This thing is really, really nasty. I completely destroyed a computer trying to analyse it and am almost done rebuilding it :) Luckily I keep my analysis computers segregated, and you should too!

V.-------------------

These files were obtained at CastleCops.com and contain all of the related files of the zero-day IE .wmf exploit. Haven't had time for analysis yet.
Included are a.exe, kl.exe, loaderadv562.exe, ms1.exe, paytime.exe, tool1.exe through tool5.exe, toolbar.exe, and xpladv562.wmf.

These files were collected as the result of an infection contracted on 25Dec2005.

A visit to http://teen.b0x.com was redirected to another site (sorry, don't have the URL) where a download box opened for xpladv562.wmf. I placed that file into a folder on my system, \downloads\suspect\, but never opened it. While preparing to right-click the file to check its properties, it closed the Explorer window and there was an immediate NIS firewall alert for \documents and settings\{uname}\temp\a.exe. Access was denied.

a.exe was submitted to jotti and found to be infected. Another attempt was made to submit the original file, but as soon as it was selected Firefox closed and another firewall alert appeared for \program files\mozilla\firefox\a.exe. That access was also denied.

An attempt was then made to upload the file to jotti in safe mode using Internet Explorer. This resulted in IE closing and a third firewall alert for \desktop\a.exe.

a.exe was easily deleted using right click/delete.

xpladv562.wmf was removed by sending the entire \suspect\ folder to recycle.

Subsequent scanning revealed the following files:

\windows\kl.exe (0 bytes)
\windows\ms1.exe (0 bytes)
\windows\toolbar.exe (0 bytes)
\windows\tool1.exe (0 bytes)
\windows\tool2.exe (0 bytes)
\windows\tool3.exe (0 bytes)
\windows\tool4.exe (0 bytes)
\windows\tool5.exe (0 bytes)
\windows\system32\paytime.exe (0 bytes)
\documents and settings\{uname}\local settings\temporary internet files\contentIE5\{profile}\loaderadv562[1].exe (7 kb)
Note: This last file was detected by both Ewido and KAV but the \contentIE5\ folder and all contents were hidden even with "view hidden and system files" selected.

dfdf2705445401a059e82ae159acec0b *a.exe
d41d8cd98f00b204e9800998ecf8427e *kl.exe
dfdf2705445401a059e82ae159acec0b *loaderadv562[1].exe
d41d8cd98f00b204e9800998ecf8427e *ms1.exe
d41d8cd98f00b204e9800998ecf8427e *paytime.exe
a39c1c0de611deb6d761034e7d209016 *readme.txt
d41d8cd98f00b204e9800998ecf8427e *tool1.exe
d41d8cd98f00b204e9800998ecf8427e *tool2.exe
d41d8cd98f00b204e9800998ecf8427e *tool3.exe
d41d8cd98f00b204e9800998ecf8427e *tool4.exe
d41d8cd98f00b204e9800998ecf8427e *tool5.exe
d41d8cd98f00b204e9800998ecf8427e *toolbar.exe
36a67b7bc268b78e797011cf22147c4b *xpladv562.wmf.evil

Note: d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, which matches the 0-byte sizes listed above; a.exe and loaderadv562[1].exe share a hash, so they are the same binary.
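As a first check on a manifest like the one above, here is an added example (mine, not code from the page or its submitter) that parses md5sum-style output, computes the empty-input MD5 rather than hard-coding it, and groups the entries into zero-byte stubs, byte-identical duplicates, and unique samples that actually merit analysis. The manifest text is a constructed copy of the list above.

```python
import hashlib
from collections import defaultdict

# Constructed copy of the md5sum-style manifest posted above:
# "<32 hex digits> *<name>" per line, "*" meaning binary mode.
MANIFEST = """\
dfdf2705445401a059e82ae159acec0b *a.exe
d41d8cd98f00b204e9800998ecf8427e *kl.exe
dfdf2705445401a059e82ae159acec0b *loaderadv562[1].exe
d41d8cd98f00b204e9800998ecf8427e *ms1.exe
d41d8cd98f00b204e9800998ecf8427e *paytime.exe
a39c1c0de611deb6d761034e7d209016 *readme.txt
d41d8cd98f00b204e9800998ecf8427e *tool1.exe
d41d8cd98f00b204e9800998ecf8427e *tool2.exe
d41d8cd98f00b204e9800998ecf8427e *tool3.exe
d41d8cd98f00b204e9800998ecf8427e *tool4.exe
d41d8cd98f00b204e9800998ecf8427e *tool5.exe
d41d8cd98f00b204e9800998ecf8427e *toolbar.exe
36a67b7bc268b78e797011cf22147c4b *xpladv562.wmf.evil
"""

# Computed, not looked up: the MD5 of zero bytes of input.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse md5sum output into [(name, digest)].

    md5sum writes "<digest>  <name>" for text mode and "<digest> *<name>"
    for binary mode; both are accepted here.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError("bad digest on line: " + line)
        if name.startswith("*"):          # binary-mode marker, not part of the name
            name = name[1:]
        entries.append((name, digest))
    return entries


def triage(text):
    """Group a manifest into zero-byte stubs, duplicates and unique samples."""
    by_hash = defaultdict(list)
    for name, digest in parse_manifest(text):
        by_hash[digest].append(name)
    empty = sorted(by_hash.pop(EMPTY_MD5, []))
    duplicates = {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}
    unique = {h: names[0] for h, names in by_hash.items() if len(names) == 1}
    return {"empty": empty, "duplicates": duplicates, "unique": unique}


if __name__ == "__main__":
    result = triage(MANIFEST)
    print("zero-byte stubs:", ", ".join(result["empty"]))
    for digest, names in result["duplicates"].items():
        print("same bytes:", " == ".join(names), "(" + digest + ")")
    print("worth analysing:", ", ".join(result["unique"].values()))
```

On this manifest the nine 0-byte names collapse to one empty hash, a.exe and loaderadv562[1].exe collapse to one binary, and only three distinct files remain.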

-=[ ProtectionID v5 ]=- (c) CdKiller
Build 14-12-2004....
> Ready
Scanning -> C:\malware\wmf\sample\a.exe
File Type : Exe, Size : 6638 (019EEh) Bytes
-> File has 5614 (015EEh) bytes of appended data starting at offset 0400h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.953 Seconds

Scanning -> C:\malware\wmf\sample\kl.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\loaderadv562[1].exe
File Type : Exe, Size : 6638 (019EEh) Bytes
-> File has 5614 (015EEh) bytes of appended data starting at offset 0400h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.953 Seconds

Scanning -> C:\malware\wmf\sample\ms1.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\paytime.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\tool1.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.984 Seconds

Scanning -> C:\malware\wmf\sample\tool2.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\tool3.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\tool4.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\tool5.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\toolbar.exe
[x] Error - File is 0 bytes.. skipped
- Scan Took : 0.0 Seconds

Scanning -> C:\malware\wmf\sample\xpladv562.wmf.evil
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds

thanks

thanks for the submission, I added a few things, keep 'em coming!

V.

FIX

How funny is this WMF file format! After studying a bit I developed a fix:

http://www.hexblog.com

It does not disable any functionality in the system as far as I know, but I haven't tested it thoroughly. As some guys say, 'it works for me', but you may try it too if you want.

In the worst case you will need to uninstall it and wait for Microsoft to develop a real one.
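The WMF format the comment above refers to is just a small header followed by a flat sequence of records, each with a size in 16-bit words and a function number. The flaw behind advisory 912840 is in how the GDI metafile player handled a META_ESCAPE record (function 0x0626) carrying the SetAbortProc escape (escape function 9), and the hexblog hotfix works by refusing that escape when it arrives from a metafile. The record walker below is an added example of mine, not code from the page or from the hotfix: it parses the optional placeable header and the standard header, walks the records, and reports any SetAbortProc escape record. All sample files are constructed inline; the suspect ones carry only zero bytes as escape data, so they are detector fixtures, not payloads. A record whose declared size cannot advance the cursor is still reported and then the walk stops rather than looping.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic (little-endian DWORD)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function the 912840-era hotfix blocks


def build_wmf(records, placeable=False):
    """Assemble a memory metafile from (function, parameter bytes) pairs.
    Header and record sizes are counted in 16-bit words, as the format requires."""
    body = b""
    max_words = 0
    for func, params in records:
        if len(params) % 2:
            params += b"\x00"                 # records are word-aligned
        words = 3 + len(params) // 2          # Size (2 words) + Function (1 word) + params
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    header = struct.pack("<HHHIHIH",
                         1,                     # Type: memory metafile
                         9,                     # HeaderSize in words (18 bytes)
                         0x0300,                # Version
                         (18 + len(body)) // 2, # whole-file size in words
                         0,                     # NumberOfObjects
                         max_words,             # MaxRecord
                         0)                     # NumberOfMembers (unused)
    prefix = b""
    if placeable:
        # key, hmf, bbox (left, top, right, bottom), inch, reserved; checksum is
        # the XOR of the preceding ten words
        fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", fields):
            checksum ^= w
        prefix = fields + struct.pack("<H", checksum)
    return prefix + header + body


def walk_records(data):
    """Return [(offset, size_words, function, escape_function_or_None)] per record.
    Stops at META_EOF, at end of data, or at a record too small to advance past."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                               # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mf_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mf_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        escape = None
        if func == META_ESCAPE and off + 8 <= len(data):
            escape = struct.unpack_from("<H", data, off + 6)[0]   # EscapeFunction field
        records.append((off, size_words, func, escape))
        if func == META_EOF or size_words < 3:
            break
        off += size_words * 2
    return records


def is_wmf(data):
    """True if the data carries a parseable WMF header."""
    try:
        walk_records(data)
        return True
    except ValueError:
        return False


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape function is SetAbortProc."""
    return [off for off, _size, func, esc in walk_records(data)
            if func == META_ESCAPE and esc == SETABORTPROC]


# Constructed fixtures (not real samples): a benign file, one with the escape
# record, one with a placeable header, and one whose escape record declares a
# size of 1 word, too small to be real.
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)), (META_EOF, b"")])
SUSPECT = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                     (META_EOF, b"")])
SUSPECT_PLACEABLE = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00" * 2),
                               (META_EOF, b"")], placeable=True)
BOGUS_SIZE = bytearray(SUSPECT)
struct.pack_into("<I", BOGUS_SIZE, 26, 1)
BOGUS_SIZE = bytes(BOGUS_SIZE)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT),
                       ("placeable", SUSPECT_PLACEABLE), ("bogus size", BOGUS_SIZE)):
        print(name, "-> SetAbortProc escape at offsets", find_setabortproc(blob))
```

Rendering is what triggers the bug, which is why merely right-clicking the file in Explorer (thumbnail/preview) was enough in the report above; a walker like this inspects the bytes without handing them to GDI, so it is safe to run on a collection folder.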

you developed the fix?

I thought it was a guy called 'Guilfanov' who developed this fix.

--
Ian Kenefick
http://www.ik-cs.com

Careful with this one

Would suggest disabling Picture and Fax viewer if you're going to play with this one:

regsvr32 /u shimgvw.dll

It's far too easy to get nailed (don't ask!). BTW, the trojan downloader downloads and installs SpySheriff.

Breaks other applications

It will break other applications as well, Paint etc.
Agreed, the fast solution to prevent this is to unload shimgvw.dll.

However, I think the better solution is for Microsoft to patch this DLL
and update their clients.

According to wormradar, over 58 WMF exploit variants have been tracked.

MS Advisory

Well, MS has released an advisory:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Let's see how quickly they're able to get a patch out. It's only a matter of time before some idiot starts using this exploit to spread something really malicious.