Alerts


Zero-day IE .WMF Exploit

Date:12.28.2005

Threat Type: Malicious Website / Malicious Code

This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/

Websense® Security Labs™ has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites uncovered so far use the exploit to install spyware and other Potentially Unwanted Software. The user's desktop background is replaced with a message warning of a spyware infection, and a "spyware cleaning" application is launched that prompts the user to enter credit card details in order to remove the "detected" spyware. The background image and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer, which then begins sending thousands of spam messages.

We are currently tracking thousands of websites distributing exploit code from iFrameCASH BIZ. A similar zero-day vulnerability exploited by the same entity was discussed earlier this month: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364

There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully patched Windows XP Service Pack 2 computer causes immediate infection. Firefox users are also vulnerable, but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even of text-based browsers can become infected, because the indexer parses the downloaded file without the browser ever displaying it.
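Because no patch exists, the practical defence is to find exploit files before a GDI-based viewer or indexer renders them. The alert does not describe the file-level trigger; the record abused here is the META_ESCAPE record with the SETABORTPROC sub-function, the GDI bug Microsoft later fixed in MS06-001. The scanner below is an added example written for this page, not Websense code: it walks the WMF record list and flags SETABORTPROC escapes and malformed record sizes. The sample files are constructed in the script (16 bytes of INT3 stand in for a payload), and matching the escape function on its low byte only is a deliberately broad choice made here, not something the alert states.

```python
import struct

# WMF constants from the Windows Metafile format (Microsoft's MS-WMF specification).
PLACEABLE_KEY = 0x9AC6CDD7   # "Aldus" placeable header magic
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009        # Escape sub-function abused by the MS06-001 exploit


def iter_records(data):
    """Walk WMF records, yielding (offset, function, record_bytes, malformed)."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    ftype, hdr_words = struct.unpack_from("<HH", data, off)
    if ftype not in (1, 2) or hdr_words != 9:      # memory/disk metafile, 9-word header
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            # RecordSize must cover its own 6-byte preamble and stay inside the file
            yield off, func, data[off:off + 6], True
            return
        yield off, func, data[off:off + size], False
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return a list of (offset, description) for suspicious records."""
    findings = []
    for off, func, rec, malformed in iter_records(data):
        if malformed:
            findings.append((off, "malformed record size"))
            continue
        # Low-byte match is an assumption made here: broad on purpose, so that
        # function codes such as 0x0126 are not missed by an exact compare.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(rec) >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", rec, 6)
            if esc_func == SETABORTPROC:
                findings.append(
                    (off, f"META_ESCAPE SETABORTPROC with {byte_count} payload bytes"))
    return findings


# --- constructed sample files for this example (not real malware) -------------

def record(func, params=b""):
    """Encode one WMF record; RecordSize is in 16-bit words, so pad to even length."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def wmf_file(records, placeable=False):
    """Wrap raw records in a standard (optionally placeable) WMF header."""
    body = b"".join(records)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                      max(len(r) for r in records) // 2, 0)
    if placeable:
        hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    return hdr + body


FAKE_PAYLOAD = b"\xcc" * 16   # INT3 filler standing in for a real payload
SET_MAP_MODE = record(META_SETMAPMODE, struct.pack("<H", 8))
ABORTPROC_REC = record(META_ESCAPE,
                       struct.pack("<HH", SETABORTPROC, len(FAKE_PAYLOAD)) + FAKE_PAYLOAD)

BENIGN = wmf_file([SET_MAP_MODE, record(META_EOF)])
MALICIOUS = wmf_file([SET_MAP_MODE, ABORTPROC_REC, record(META_EOF)])
PLACEABLE_MALICIOUS = wmf_file([SET_MAP_MODE, ABORTPROC_REC, record(META_EOF)], placeable=True)
# A record claiming zero size: GDI would mis-parse it, and the walker must not loop.
MALFORMED = wmf_file([struct.pack("<IH", 0, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 0)])
# Function code 0x0126 shares META_ESCAPE's low byte.
LOWBYTE_VARIANT = wmf_file([record(0x0126, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4),
                            record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS),
                       ("placeable", PLACEABLE_MALICIOUS), ("malformed", MALFORMED)):
        print(f"{name:10s} {scan_wmf(blob)}")
```

Run it over a browser cache or mail spool regardless of file extension: the exploit sites served these files under image names of every kind, and a viewer or indexer dispatches on the file header, not the name.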

Infected computer sample screenshot 1:

Infected computer sample screenshot 2: