Most recent exploit attacks have been of the spammed trojan horse variety. This new MS06-001 WMF-exploit-based attack is a true worm that can replicate among vulnerable PCs if the user clicks on the infected attachments.
MS06-001: Womble Worm - WMF Exploit
http://vil.nai.com/vil/content/v_140497.htm
http://www.sophos.com/security/analyses/w32womblea.html
W32/Womble@MM is a mass-mailing worm which uses Exploit-WMF to spread. It may arrive as a ZIP archive or as a file using the following file extension: JPG.WMF. W32/Womble@MM uses its own SMTP engine to send out the messages.
It generates the email as follows:
---- EMAIL TO BLOCK OR AVOID ----
From: (Spoofed email sender)
Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, etc.
Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg
Files with .ZIP extensions are just a copy of the worm itself. Files with either .JPG or .WMF extensions contain the Exploit-WMF as well as the worm.
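A mail-gateway style check built from the indicators listed above, as an added example (not code from the vendors' write-ups). The function names, the sample messages and the JPEG-signature test for `.jpg` attachments are assumptions made for illustration; the subject and attachment lists are copied from the advisory, whose subject list ends in "etc." and is therefore not exhaustive.

```python
import email
from email.message import EmailMessage

# Indicators copied from the advisory text above.
SUBJECTS = {"info", "incredible!!", "hi", "important", "!!", "look at this!!!",
            "fifa", "pic", "private", "beauty", "re: private", "olympus",
            "bush", "kiss", "paula", "miss khan"}
ATTACHMENTS = {"firefox_update.pif.zip", "congratulations.jpg.zip",
               "your_friends.wmf.zip", "some_info.wmf", "your_friends.jpg"}
JPEG_MAGIC = b"\xff\xd8\xff"  # leading bytes of a genuine JPEG file


def womble_findings(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the advisory."""
    msg = email.message_from_bytes(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        findings.append("subject:" + subject)
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue  # not an attachment (multipart container or body text)
        if name in ATTACHMENTS:
            findings.append("listed-name:" + name)
        if name.endswith(".jpg.wmf"):  # double extension named in the advisory
            findings.append("double-ext:" + name)
        body = part.get_payload(decode=True) or b""
        # Assumed heuristic: a ".jpg" without the JPEG signature is not a JPEG.
        # The advisory says the worm's .JPG files carry Exploit-WMF instead.
        if name.endswith((".jpg", ".jpeg")) and not body.startswith(JPEG_MAGIC):
            findings.append("fake-jpeg:" + name)
    return findings


def build_sample(subject: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message (sample data, not a captured mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("see attachment")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()
```

Matching on a subject alone will produce false positives ("Hi", "info"), so treat a subject hit as a weak signal and quarantine on the attachment findings.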