Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ms06-001: Womble Worm - Wmf Exploit


  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:09:37 AM

Posted 29 August 2006 - 10:44 AM

Most exploit attacks have recently been the spammed trojan horse variety. This new MS06-001 WMF-exploit based attack is a true worm that can replicate among vulnerable PCs if the user clicks on the infected attachments.

MS06-001: Womble Worm - WMF Exploit
http://vil.nai.com/vil/content/v_140497.htm
http://www.sophos.com/security/analyses/w32womblea.html

W32/Womble@MM is a mass mailing worm which uses Exploit-WMF to spread. It may arrive as a ZIP archive or as a file using the following file extension: JPG.WMF. W32/Womble@MM uses it's own SMTP engine to send out the messages.

It generates the email as follows:

EMAIL TO BLOCK OR AVOID

From: (Spoofed email sender)

Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, ect.

Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg

Files with .ZIP extensions are just the copy of the worm itself. Those files with wither .JPG and .WMF extensions contain the Exploit-WMF as well as the worm



BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users