
WMF original exploit files and analysis

These files make up the downloader from the original WMF exploit posted on Bugtraq. It consists of two parts:

bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52

tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into a spawned iexplore.exe, which downloads additional components. It also tries to bypass firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to the firewall confirmation dialog.

Also, bumXXX.exe is packed with PE Compact. I just ran it and dumped its memory image, and fixed the IAT manually; the only PE Compact unpacker I found didn't work :/

I've also attached C code that I obtained by the fine art of reverse engineering :)

AV scan results:

bumXXX.exe

AntiVir Found Trojan/Dldr.Small.ccm
ArcaVir Found Trojan.Downloader.Small.Ccm
Avast Found nothing
AVG Antivirus Found Downloader.Generic.MYI
BitDefender Found Trojan.Downloader.Small.CCM
ClamAV Found nothing
Dr.Web Found Trojan.MulDrop.3173
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.ccm
NOD32 Found Win32/TrojanDownloader.Small.CCM
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan.MulDrop.3173

tioXXX.dll

AntiVir Found Trojan/Dldr.Small.ccm.2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Small.CCM
ClamAV Found nothing
Dr.Web Found Trojan.Fakealert
F-Prot Antivirus Found nothing
Fortinet Found W32/Small.CCM!tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.ccm
NOD32 Found Win32/TrojanDownloader.Small.CCM
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Small.ccm

Where execution flow changes

This is where the execution flow leaves explorer.exe and enters the payload:

> gdi32.dll!_CommonEnumMetaFile@16() + 0xf4b9 bytes
gdi32.dll!_PlayMetaFile@8() + 0x14 bytes
GdiPlus.dll!GetEmfFromWmfData() + 0x13f bytes
GdiPlus.dll!GetEmfFromWmf() + 0x53 bytes
GdiPlus.dll!MetafilePlayer::`scalar deleting destructor'() + 0x38f bytes
GdiPlus.dll!GpMetafile::InitStream() + 0x30 bytes
GdiPlus.dll!GpMetafile::GpMetafile() + 0x28 bytes
GdiPlus.dll!GpImage::LoadImageW() + 0x1e bytes
GdiPlus.dll!_GdipLoadImageFromStreamICM@8() + 0x24 bytes
shimgvw.dll!Gdiplus::Image::Image() + 0x23 bytes
shimgvw.dll!CImageData::Decode() + 0x6c bytes
shimgvw.dll!CGdiPlusThumb::Extract() + 0x5c bytes
shell32.dll!CGetThumbnailTask::RunInitRT() + 0x14d bytes
shell32.dll!CRunnableTask::Run() + 0x4c bytes
browseui.dll!CShellTaskScheduler_ThreadProc() + 0x82 bytes
shlwapi.dll!ExecuteWorkItem() + 0x1d bytes
ntdll.dll!_RtlpWorkerCallout@16() + 0x65 bytes
ntdll.dll!_RtlpExecuteWorkerRequest@12() + 0x1a bytes
ntdll.dll!_RtlpApcCallout@16() + 0x11 bytes
ntdll.dll!_RtlpWorkerThread@4() + 0x16ebc bytes
kernel32.dll!_BaseThreadStart@8() + 0x37 bytes

Disassembly of the gdi32.dll code where execution switches:

77F333FE push ebx
77F333FF push edi
77F33400 call eax //--- here
77F33402 test eax,eax
77F33404 jne _CommonEnumMetaFile@16+234h (77F2593Fh)

EAX points to data in the file (0x90 0x90 0x90 0x90 0xEB 0x10 0x5E 0x33 0xC9 ...)

(obtained by editing the wmf_exp.wmf to insert a debug breakpoint at those NOPs)
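As an added example, not part of the original post or its attached C code: a small Python parser that walks the WMF record list and flags META_ESCAPE records whose escape function is SETABORTPROC (9), the escape through which the exploit gets gdi32 to call into file data. The sample metafiles are constructed here; the only exploit-derived bytes are the ones quoted above from EAX.

```python
import struct

META_EOF, META_ESCAPE, SETABORTPROC = 0x0000, 0x0626, 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize in WORDs (9)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6:  # bogus RecordSize: stop rather than loop forever
            break
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def find_setabortproc(data: bytes):
    """Return [(offset, escape_data)] for every META_ESCAPE/SETABORTPROC record."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, params[4:4 + byte_count]))
    return hits

def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(*records: bytes) -> bytes:  # standard 18-byte header + records
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body

# Constructed samples, not real exploit files: a benign metafile and one whose
# SETABORTPROC escape data starts with the bytes EAX pointed at in the post.
SHELL_STUB = bytes.fromhex("90909090eb105e33c9")
BENIGN_WMF = _wmf(_record(0x0201, struct.pack("<I", 0x00FFFFFF)), _record(META_EOF, b""))
ESCAPE = struct.pack("<HH", SETABORTPROC, len(SHELL_STUB)) + SHELL_STUB + b"\x00"  # WORD pad
MALICIOUS_WMF = _wmf(_record(META_ESCAPE, ESCAPE), _record(META_EOF, b""))
PLACEABLE = struct.pack("<IHhhhhIHH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 1440, 0, 0)
MALICIOUS_PLACEABLE_WMF = PLACEABLE + MALICIOUS_WMF
```

This is a structural check rather than a byte signature: a metafile shown in a viewer has no reason to carry a SETABORTPROC escape at all, so any hit is worth quarantining for analysis, whatever the escape data looks like.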

good work guys

This is cool stuff. Anyone have snort signatures?

V.

the ones at bleeding-snort

The ones at bleeding-snort have gone through a few revisions...

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_WMF_Exploit

to reply to myself

but as HDM will tell you... don't expect much from those

http://www.metasploit.com/archive/framework/msg00758.html

Be careful if you have Google Desktop installed

I just saw a posting talking about machines used to analyze the malware getting infected even when in DOS (using WGET to pull it down, for example). It turns out that the indexing that Google Desktop performs reads in data from that infected file, and boom, the machine is compromised.

They say to turn off all indexing (Microsoft, Google Desktop, etc).

Oh, also, I saw BleedingSnort released an even newer Snort rule - http://www.bleedingsnort.com/article.php?story=2005122822382362

Just thought I would warn fellow malware analyzers.

unofficial patch

Ilfak "IDA" Guilfanov released an unofficial patch, with source code included:

http://www.hexblog.com/2005/12/wmf_vuln.html

It uses AppInit_DLLs for injection; therefore it requires a reboot.

Anyone want to modify it so that it injects into all active processes dynamically, or use NtSetSystemInformation for hot-patching the "mov edi, edi" prologue? :D