Linux - Security This forum is for all security related questions.
01-26-2006, 08:26 PM | #1 | Member; Registered: May 2005; Location: greatwhitenorth; Distribution: deb99+; Posts: 140
Exploit.WMF.A (FOUND by ClamAV)
Just ran a clamscan (out-of-date version) and it found this:
/wmf_exp.wmf: Exploit.WMF.A FOUND
It is a 15.7 kB file that has been sitting in my downloaded directory since Jan 02/06.
Not sure what it is or if I have tried to open it.
I will delete it shortly.
Are there any concerns I should be aware of?
I run Ubuntu 5.04 and dual boot Windows XP.
01-26-2006, 09:38 PM | #2 | jschiwal, LQ Guru; Registered: Aug 2001; Location: Fargo, ND; Distribution: SuSE AMD64; Posts: 15,733
Googling, I found that this exploit installs bumXXX.exe on Windows computers, where XXX is a 3-digit random number. One post described it as spyware, while another described it as a trojan downloader.
Last edited by jschiwal; 01-26-2006 at 09:44 PM.
01-26-2006, 11:27 PM | #3 | Original Poster
Thanks.
I am a little worried because I have been sitting at around 8 GB free on my hard drive and then noticed just recently that I am down to 4 GB free. I cannot account for the huge drop in free space, so I thought it was time to fire up the clam again, and up popped this Windows thingy.
Is there any harm in right-clicking this file (wmf_exp.wmf) or any other suspect file?
Is there any harm if I try to open this file?
(I cannot remember, but I may have tried to open it.)
I know that if any file tries to install something you should be darn sure you know what it does before you OK the install.
Anyways, I will delete this file, upgrade my version of ClamAV and see what happens.
01-27-2006, 02:35 AM | #4 | jschiwal, LQ Guru
If the file is in your computer, there already is harm done. Something got through and dropped it. That something probably also modified the registry so that the virus or trojan is started in the background without you knowing it. You need to check your computer out with a virus checker and a spyware cleaning program. Also make sure that you are using a firewall program. Do a search on the Norton or McAfee websites about this virus. They may have details on how to clean it from your system. You may have noticed this and other links on this site: http://www.linuxquestions.org/questi...d.php?t=399998
Leo Laporte wonders if this exploit is intentional by Microsoft.
http://media.grc.com/sn/SN-022.mp3
Last edited by jschiwal; 01-27-2006 at 02:45 AM.
01-27-2006, 03:45 PM | #5 | Original Poster
I may not have expressed my concerns clearly... the exploit file was found on my Ubuntu partition.
Do you believe my Linux system is infected?
(About once a month I boot up Windows, and as soon as AVG grabs its updates I unplug my computer from my modem.)
I haven't booted up Windows since I found this file on my Linux system, but I have recently copied some GIF, MPG and WMV files to disc in Linux, opened them in Windows, and then gone back and opened the disc with Linux.
01-27-2006, 06:06 PM | #6 | unSpawn, Moderator; Registered: May 2001; Posts: 29,417
Quote:
Do you believe my Linux system is infected?
It can't be, period.
01-28-2006, 12:06 AM | #7 | Original Poster
So...
Somehow this file shows up on my Linux box.
Curiosity getting the better of me, I may have tried to open it.
As long as I did not allow it to install anything, I should be okay?
Would this apply to spyware like keystroke catchers(?)... I am paranoid about password theft.
01-28-2006, 02:40 AM | #8 | jschiwal, LQ Guru
According to the Computer Security audio program (the link I supplied), Wine users are vulnerable to the WMF "backdoor". The Linux system itself isn't affected unless you use Wine. In any case, you don't want a virus around that might end up on a Windows computer.
Interesting quote:
Quote:
The head of Gibson Research, Steve Gibson, claims the WMF vulnerability (described by Microsoft as critical only in Windows 2000, XP and 64) was actually a backdoor deliberately planted by someone at Microsoft. Gibson says it could be used to gain control of a Windows system.
Gibson points to the SetAbortProc function, which is used to abort printing jobs. He says the function belongs in printer contexts, and has no business in metafile contexts. Pre-XP/2000 versions of Windows simply ignore it, while later versions allow a cracker to run his own code:
When I deliberately lied about the size of this record and set the size to one and no other value, and I gave this particular byte sequence that makes no sense for a metafile, then Windows created a thread and jumped into my code, began executing my code.
Gibson concludes: "This was not a mistake. This is not buggy code. This was put into Windows by someone."
http://www.emailbattles.com/archive/...aacgbehahg_gg/
He explained that the fix doesn't actually remove the vulnerability, but wedges in a running ActiveX control to intercept the process.
----
For Windows users, I believe that the Sony rootkit is more dangerous. By itself, it might only make your system sluggish, but it hides any programs and processes starting with a certain pattern (any program, not just its own). Virus writers have picked up on it, and conceal their viruses from infected systems by simply giving their filename and process a name starting with this magic pattern. In an ironic twist, removing the rootkit might be a violation of the DMCA, and could land you in federal prison for 5 years.
A way to avoid being infected is to press the Shift key while loading the disc (in Windows). So the MPIAA (Jack Valenti) is suing (based on the DMCA) to make Shift keys on keyboards illegal.
Last edited by jschiwal; 01-28-2006 at 03:02 AM.
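The quote above describes the shape of the trigger: an escape record that asks for SetAbortProc, with a record size that is deliberately wrong. A file found on a Linux partition can be checked for exactly those two features without ever rendering it. The script below is an added example for this thread, not ClamAV's signature and not code from any poster. It assumes the public WMF layout (an optional 22-byte placeable header with key 0x9AC6CDD7, an 18-byte standard header, then records that each begin with a DWORD size in 16-bit words and a WORD function code, META_ESCAPE being 0x0626 and the SETABORTPROC subfunction being 9). The sample metafiles it builds are constructed here and carry filler bytes, not exploit code; the filename wmf_exp.wmf in the usage note is the one from post #1.

```python
"""Flag the SetAbortProc escape record that the WMF exploit relies on.

Added example for this thread, not code from ClamAV or from any poster.
Layout assumptions come from the public WMF format: an optional 22-byte
placeable header (key 0x9AC6CDD7), an 18-byte standard header, then a
chain of records, each starting with a DWORD size in 16-bit words and a
WORD function code. META_ESCAPE is 0x0626 and the SETABORTPROC escape
subfunction is 9; a record can never be smaller than the 3 words those
two fixed fields occupy. The sample metafiles at the bottom are
constructed here and contain filler bytes, not real exploit code.
"""
import struct
import sys

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009
MIN_RECORD_WORDS = 3  # DWORD RecordSize + WORD RecordFunction


def wmf_records(data):
    """Yield (offset, declared_size_words, function, params) for each record.

    A declared size below MIN_RECORD_WORDS is impossible, so such a record
    is yielded with a 2-byte peek at the would-be escape subfunction and the
    walk resynchronises just past the fixed fields instead of trusting it.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the Aldus placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:
        raise ValueError("unexpected WMF header size: %d words" % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            yield off, size_words, func, data[off + 6:off + 8]
            off += 6
            continue
        end = off + size_words * 2
        yield off, size_words, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_wmf_exploit_indicators(data):
    """Return a list of findings; an empty list means no indicator was seen."""
    findings = []
    for off, size_words, func, params in wmf_records(data):
        if size_words < MIN_RECORD_WORDS:
            findings.append("record at 0x%x declares %d word(s); minimum is %d"
                            % (off, size_words, MIN_RECORD_WORDS))
        if (func == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
            findings.append("META_ESCAPE with SETABORTPROC subfunction at 0x%x" % off)
    return findings


def build_wmf(records):
    """Assemble a minimal disk metafile from (function, params, declared_size) tuples.

    declared_size is None for an honest size; a number overrides it so the
    'size set to one' case from the quote above can be reproduced.
    """
    body = b""
    for func, params, declared in records:
        size_words = declared if declared is not None else (6 + len(params)) // 2
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0)
    return header + body


# Constructed samples: a harmless map-mode record, then (in the suspect
# files) an escape record whose data is 4 filler bytes, not shellcode.
MAPMODE = (META_SETMAPMODE, struct.pack("<H", 8), None)
ESCAPE_DATA = struct.pack("<HH", SETABORTPROC, 4) + b"\x90" * 4
BENIGN_WMF = build_wmf([MAPMODE])
SETABORTPROC_WMF = build_wmf([MAPMODE, (META_ESCAPE, ESCAPE_DATA, None)])
LIED_SIZE_WMF = build_wmf([MAPMODE, (META_ESCAPE, ESCAPE_DATA, 1)])
PLACEABLE_WMF = struct.pack("<IH", PLACEABLE_KEY, 0) + bytes(16) + SETABORTPROC_WMF

if __name__ == "__main__":
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("benign", BENIGN_WMF), ("setabortproc", SETABORTPROC_WMF),
        ("lied-size", LIED_SIZE_WMF), ("placeable", PLACEABLE_WMF)]
    for name, blob in targets:
        print(name, find_wmf_exploit_indicators(blob) or ["clean"])
```

Run it with no arguments to see the four constructed samples classified, or as `python3 wmf_check.py wmf_exp.wmf` against the file from post #1 (the script name is an assumption). Two design points: the walker never advances by a declared size it cannot trust, so a size of one cannot stall or skip the parser, and a SETABORTPROC escape is reported even when the size field is bogus because the subfunction word is peeked at directly. Treat a hit as a reason to keep the file away from Windows and Wine, not as proof of what it would do; the check is a heuristic on structure, not a signature match.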
01-28-2006, 08:21 AM | #9 | Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658
His "backdoor" theory got debunked recently:
http://www.sysinternals.com/blog/200...-backdoor.html
If the WMF exploit is showing up in the download folder of your Linux browser, then I find it unlikely that it got there any other way than by using your Linux browser to visit a site that was serving the malicious page. The presence of the file itself does not indicate that the Linux or Windows system has been infected.
01-28-2006, 09:42 AM | #10 | Member; Registered: Jun 2004; Location: Britain; Distribution: Slackware; Posts: 186
Quote:
Originally Posted by unSpawn
Do you believe my Linux system is infected?
It can't be, period.

Actually, Linux can be infected by WMF through WINE (and its derivatives: Crossover Office, Cedega...).
See
http://it.slashdot.org/article.pl?sid=06/01/06/2043203