First WMF mass mailer ItW (phishing Trojan)

[chiawaikian]

The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in Australia.

 

Our initial reports indicate the worm is not massive, however it steals financial information from users (Phishing Trojan from a known group) it infects and is causing quite a buzz in Australian media. We expect it to break as a full-blown media hype this morning, tops tomorrow morning.

 

The worm *does* do the said damage, but as we said does not seem to be widely spread. No reports outside of Australia have been received as of yet.

 

The emails themselves do not contain the payload, but rather a URL to sites that will infect users. Both the sites that did this are now down, I expect the next one to be up soon (or the bad guys will just get a new variant out in a few days). Abusing websites is mostly how WMF is exploited, but no much in the way of emails before today.

 

(almost) All anti virus vendors do not detect this worm (it?s new), a couple detect it heuristically. (almost) All anti virus vendors detect the attachment regardless because of the WMF exploit detection routines.

 

Hopefully, all AV companies will detect this soon. I know most will.

 

 

Source: http://blogs.securiteam.com/index.php/archives/293

[krit86lr]

Thanks Chia. I appreciate the 'Heads Up'. Have a good day!

[lokoike]

Thanks Chia. I appreciate the 'Heads Up'. Have a good day!

 

Yeah, I got the WinUpdate for that one the day it came out! As soon as I heard of the WMF vulnerability's existence, I ran WinUpdate a couple times a day, until Microsoft finally decided to patch it. Good thing too, judging by that article!