'Vandalism complaint' new WMF trojan

Share this article:

A new trojan, which claims to be from a Yale University professor disturbed by New Year’s vandalism, is exploiting the recently exposed Microsoft Windows metafile vulnerability.

The fraudulent email, purportedly from "Professor Robert Gordens" at Yale, claims to link to a Comcast cable company website containing photos of the vandalism.

F-Secure warned administrators to block access to the malicious website, http://playtimepiano.home.comcast.net/, at gateways.

"When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediately downloads a botnet client via tftp and runs it," the security firm said. "In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox."

F-Secure's site informed users on Wednesday that the firm is using the unofficial patch from Ilfak Guilfanov, which can be downloaded at http://www.hexblog.com, on its PCs.

"We've tested it and audited it and can recommend it," the firm said.

The website also advised users to maintain antivirus services and apply the work-around Microsoft has recommended.

Malicious users have set up attack websites to exploit the image vulnerability, from which they can execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.

The Redmond, Wash., computer giant said this week that a fix for the WMF vulnerability would be included as part of its monthly "patch Tuesday" bulletin, due out next Tuesday.

Microsoft said on Tuesday that it does not believe the scope of attacks on the flaw - which can result in PC shutdown - are widespread, adding that "customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability."

Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.