1/1/2006

In an email advisory I just received from McAfee AVERT Labs, a new version of the WMF exploit, built from new Exploit-WMF code released today, has been confirmed in spam attacks that result in the installation of a new BackDoor-CEP variant.

An email message containing the Exploit-WMF sample built from this new code has been spammed. The message appears as follows:

Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)

The attachment causes a new BackDoor-CEP variant to be downloaded from www.ritztours[dot]com and run.
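The attachment trick above, a WMF file carrying a .jpg name, is the detail a mail gateway should key on, since Windows picks the image handler by content rather than by extension, which is why the disguise works. The following Python is an added example, not code from Sunbelt, SANS or McAfee: it parses a constructed message shaped like the spam described above and flags any attachment whose leading bytes say WMF while its file name says JPEG. The sample headers, addresses and file bytes are constructed for the test; no real exploit data is involved.

```python
import email
import email.policy
import os
import struct
from email.message import EmailMessage

# Magic numbers this check recognises.
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
WMF_PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable WMF key, little-endian on disk


def sniff_image_type(data: bytes) -> str:
    """Classify a payload by its leading bytes, ignoring the file name entirely."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard (non-placeable) WMF header: Type (1=memory, 2=disk),
        # HeaderSize (always 9 words), Version (0x0100 or 0x0300).
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


# What each extension claims to contain.
EXPECTED_BY_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf"}


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is a recognised type that the extension does not claim."""
    ext = os.path.splitext(filename or "")[1].lower()
    actual = sniff_image_type(data)
    return actual != "unknown" and EXPECTED_BY_EXT.get(ext) != actual


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, actual_type) for every attachment whose bytes contradict its name."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if extension_mismatch(name, payload):
            hits.append((name, sniff_image_type(payload)))
    return hits


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message shaped like the spam described in the post (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = "Happy New Year"
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "victim@example.invalid"        # constructed address
    msg.set_content("picture of 2006")
    msg.add_attachment(attachment_bytes, maintype="image", subtype="jpeg",
                       filename=attachment_name)
    return msg.as_bytes()


# Constructed headers only: a 22-byte placeable WMF header followed by a standard
# header, and a JPEG start marker. Neither carries any picture data or exploit.
FAKE_WMF = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18 + struct.pack("<HHH", 1, 9, 0x0300)
FAKE_STD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
FAKE_JPEG = JPEG_SOI + b"\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in (("HappyNewYear.jpg", FAKE_WMF), ("HappyNewYear.jpg", FAKE_JPEG)):
        print(name, "->", suspicious_attachments(build_sample_message(name, body)))
```

The check is deliberately content-first: a .jpg name is only trusted when the bytes actually start with the JPEG marker, and a file that sniffs as WMF under any other extension is reported regardless of what the sender called it.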

I have not seen a copy of this email yet, and I am not sure if you need to click on the attachment or it will autorun and infect the receiving computer. If anyone comes across this email, please forward it to me ASAP in a password-protected zip file to eric@sunbelt-software.com

Here is the email from AVERT Labs:

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: http://vil.nai.com/vil/content/v_125294.htm

Detection
New Exploit-WMF and Backdoor-CEP variants have been discovered on 1/1/2006 (GMT) and detection will be added to the 4664 dat files (Release Date: 1/1/2006).
The EXTRA.DAT is available at https://www.webimmune.net/extra/getextra.aspx.
If you suspect you have Exploit-WMF or Backdoor-CEP, please submit samples to http://www.webimmune.net/.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions please see:
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards,

McAfee AVERT – Anti Virus and Vulnerability Research, Analysis, and Solutions visit us at http://www.avertlabs.com

A WMF exploit FAQ has been released by SANS at http://isc.sans.org/diary.php?date=2006-01-01. Lots of great information here.

Unofficial patch for all WMF exploit variants.

An unofficial patch was made available by Ilfak Guilfanov, the main developer of IDA Pro at DataRescue.

SANS' own Tom Liston reviewed the patch and we tested it. The SANS-reviewed and tested version is available for download (MD5: 99b27206824d9f128af6aa1cc2ad05bc); check the MD5 of your download against that value before deploying it. THANKS to Ilfak Guilfanov for providing the patch!!

Ilfak’s blog at Hex Blog has more information about this patch, including an MSI file provided by a blog reader that can be deployed to desktops through Group Policy. This repackaging is currently also provided ‘AS IS’ without any kind of warranty. After applying either of these patches your computer must be rebooted for it to take effect.

Eric Sites
VP of Research & Development
Sunbelt Software
eric@sunbelt-software.com