Kama Sutra/Blackworm Timebomb

There is a new mass mailing worm that has been infecting many users. Going by some different names, its best known as the Blackworm or Kama Sutra. On February 3rd, this worm is scheduled to overwrite the following file types with bogus data:

  • *.DOC
  • *.XLS
  • *.MDE
  • *.MDB
  • *.PPT
  • *.PPS
  • *.RAR
  • *.PDF
  • *.PSD
  • *.DMP
  • *.ZIP

    Feb 3rd is just the beginning, because its scheduled to activate on the 3rd of every month. Once someone is infected, the worm visits a webpage at rcn.net to increment a counter. This counter theoretically displays the number of infections. As of the article, that counter states:

    Read here for full details.

  • Microsoft Security Bulletin MS06-001: Official WMF Patch

    Microsoft has just released its official patch for the WMF 0-Day. In the Microsoft Security Bulletin MS06-001, Microsoft states in its executive summary:

    This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

    Note This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

    If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    We recommend that customers apply the update immediately.

    WMF Exploit FAQ

    There is a lot of public information available right now on the WMF Exploit and workaround patches. This article will attempt to answer some basic questions surrounding the WMF Exploit and those patches, including why Microsoft is waiting to release their official patch on January 10th, and rumors of an early MS patch Internet leak.

    1. What is WMF?
      Microsoft defines WMF as the Windows Metafile, a 16 bit metafile image format contained both vector and bitmap data.

    2. What is the issue with WMF?
      The WMF image is a little different from other images, it can call external procedures — one of which can execute code.

    3. How can I get the WMF Exploit?
      The answer to this varies right now, however, one thing is certain, you can get the exploit by visiting an infected web page. Others suggest it can arrive thru email attachments, instant messaging, Lotus Notes, the list goes on.

    Continued in full here.

    Hot off the press: WMF Vulnerability Checker

    As you’ve read in the security alert concerning the WMF exploit there are very limited tools to patch or catch an exploitable computer system. Ilfak Guilfanov, the author of the Windows WMF Hotfix, has written a WMF Vulnerability Checker. Please read Ilfak’s instructions on using the WMF vulnerability checker. Although a word of caution is offered:

    Do not use this check as a definite answer to the WMF vulnerability question. But if your system was vulnerable, it should be invulnerable after installing the hotfix and display the second dialog box. In other words you can use this checker as a means to verify that the hotfix is doing its job. One more word of caution: do not forget to reboot your computer after the installation. If you do not reboot it, the checker will tell you that the system is invulnerable while some systme processes will still be.

    DownloadView Details


    There is a new danger floating around the Internet right now, a zero-day exploit taking advantage of the Windows Media Format (WMF). Its not limited to WMF files, it is taking the shape of images as well. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.

    This is not a joke.

    Many antivirus companies can not discover this malware at present. Microsoft is not responding fast enough. There is currently no known way to detect if your system has been infected. However, don’t let this stop you from applying two specific workaround patches.

    Read the following two articles and install the “Windows WMF Hotfix” followed by de-registering the file “shimgvw.dll”. Then reboot. Now, wait with the rest of us for Microsoft and antivirus companies to officially patch this vulnerability and detect/clean it.

    Install the WMF Hotfix
    De-register the “shimgvw.dll” file