

more win_wmf


Thanks to seville we have more WMF stuff. These go out to a site and download a new file.
Here are some pretty pictures:

So sdbot05b.jpg gets turned into command.pif

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT

WMF original exploit files and analysis

These files compose the downloader from the original WMF exploit posted on Bugtraq. It consists of two parts:

bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52

tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into a spawned iexplore.exe for downloading additional components. It also tries to bypass firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to the firewall confirmation dialog.

Also, bumXXX.exe is packed with PECompact; I just ran it, dumped its memory image and fixed the IAT manually, since the only PECompact unpacker I found didn't work :/

WMF related files


NEW: I recommend reading this site for more defense information.
This thing is really, really nasty. I completely destroyed a computer trying to analyse it and am almost done rebuilding it :) Luckily I keep my analysis computers segregated, and you should too!


These files were obtained at and contain all of the related files of the Zero-day IE .wmf exploit. Haven't had time for analysis yet.
Included are a.exe, kl.exe, loaderadv562.exe, ms1.exe, paytime.exe, tool 1 through 5.exe, toolbar.exe, and



NEW: added more related files contributed by seville. THANKS!


d5932e0901c0379b8df3f80a137f5910 *xpl.wmf

Scanning -> C:\malware\wmf\vscan\xpl.wmf
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds

AntiVir Found Trojan/Dldr.WMF.Agent.D
ArcaVir Found nothing
Avast Found Win32:Exdown
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV.C
ClamAV Found Exploit.WMF.A
Dr.Web Found Exploit.MS05-053
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/WMF-exploit
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd

exe sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 win_codred_a.exe
exe md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 *win_codred_a.exe
zip md5sum: 55f9524bbbed7f8ae0850ed01562090b *
info: 4039 Jul 16 2001 win_codred_a.exe

Courtesy: eEye Team
Update: I attached the idb that was provided by the eEye research team. The idb is fully commented.


exe sha1sum: be4f2b7ca634ce946317acdc54b1423e2f5329ce win_bagle_ai.exe
zip md5sum: 23d344f3b2e5f4dfaa1bdbd56ee39b02 *
exe md5sum: 239644e31ce940a25a8ca907feba0d19 *win_bagle_ai.exe
info: 24010 Jul 20 2004


sha1sum: bdc843c65e6984b35dd26c53e84338ff3982da2d win_welchia.exe

md5sum: 24837f736517f367a11dcb8bd8ed6306 *win_welchia.exe
info: 12800 Feb 13 2005 win_welchia.exe
zip md5sum: 3913187407b74597753f324bb9818ba5 *
