A new virus that exploits a critical vulnerability in the Windows
Metafile Format (WMF) has been released to the wild and is being
used by malware writers.
Security experts discovered the exploit, which affects versions
of Microsoft's Windows XP and Windows 2003 Web Server. Unlike
many of the larger virus threats that have caused a stir in 2005,
there isn't a patch to plug the flaw.
Exploits with no correcting patch or the knowledge needed to
prevent the attack are called zero-day exploits and are enough to
drive any security administrator crazy. Because there's no patch for
the flaw, workarounds are needed to prevent the spread of the virus
While the WMF exploit uses an unknown mechanism to crack past a
user's computer, its delivery model is all-too-familiar. The only
way, at the time of this report, to get infected with the exploit is
to visit a corrupted Web page hosting a .wmf file using Internet
Explorer (IE), according to security firm iDefense.
That doesn't mean the delivery model won't change, however. The
iDefense advisory notes the exploit's threat will increase
dramatically if attackers are able to get the virus to replicate
through file shares, e-mail or instant messages.
Officials at Microsoft stated they are investigating the reports
of a possible vulnerability and will take the necessary steps to
protect its customers after concluding the investigation.
In the meantime, officials suggest customers follow the
guidelines at Microsoft's Protect Your PC Web site; if customers
suspect their computer's been attacked, they recommend users contact
their local FBI office or post a complaint on the Internet Fraud
Complaint Center Web site.
If you've been hit with the virus, you'll know it. According to
the iDefense advisory, PCs will display clear signs of infection --
changes to the desktop, infection warnings displayed in the taskbar
and degraded system performance.
Ken Dunham, director of iDefense's rapid response team, said it's
unclear yet what exactly the exploit is trying to accomplish.
Discovery in the past 12 hours, he noted, has showed only limited
applications such spyware and adware getting installed on the end
"We don't know if it's fraud-related or whatever," he said.
"Clearly, they're being silently and illegally installed, at a
minimum, for personal profit and they may also involve fraud or
Dunham said the next week will show whether the WMF exploit will
morph into a truly dangerous virus. He predicts the virus will be be
very successful in the short- and long-term and become a popular
exploit of choice against Windows XP in the coming months.
Whether it becomes as popular as Zotob or the other bots this
summer remains to be seen, he said. That depends on whether security
experts are able to get a handle on the vulnerability and the
information gets out to computer users; The first six days will be
"I think the next week is going be the most telling and the most
significant in terms of risk," Dunham said.
Its popularity and success is predicated entirely on whether
Microsoft is able to put out a patch plugging the vulnerability, or
devising a workaround in time and whether end users install the
Microsoft is infamous for the delay between discovery and patch
for vulnerabilities to its software, though the company has released
critical-rated patches outside its monthly "Patch Tuesday" updates
if the threat is serious enough.
For the time being, security experts are recommending some
quick-fix workarounds to keep PCs safe from the WMF exploit.
Secunia recommends users set their IE security level to high
while iDefense recommends administrators lock down WMF files on the
gateway when possible. iDefense also recommends browsing in
non-privileged mode on an operating system other than Windows XP or
Windows Server 2003.