Trojan programs exploiting the latest Windows vulnerability [Dec 28]

A range of Trojan programs which exploit the Windows Meta File vulnerability has been detected recently. This vulnerability is rated highly critical, and so far, no patch has been issued.

The Trojans are classified as Trojan-Downloader.Win32.Agent.acd, as all the samples detected (by Kaspersky Lab in this case) come from the same family. New modifications of these programs may well appear in the near future.

The WMF vulnerability is present in computers running Microsoft Windows XP with SP1 and SP2, and Microsoft Windows Server 2003 with Service Pack 0 and Service Pack 1. The vulnerability can be exploited when viewing infected sites with Internet Explorer, Firefox (if certain other conditions are met), or when previewing *.wmf format files with Windows Explorer.

Computers will be infected by programs from the Agent.acd family if the user visits unionseek.com or iframeurl.biz. The malicious programs are downloaded to the victim machine and launched via the WMF vulnerability. Agent.acd will then download other Trojan programs to the victim machine.

To prevent infection is strongly recommended that users should not open files with a *.wmf extension. Users should also configure their Internet Explorer security settings to “High”.

28 Dec 2005

Hi friend Ylap,

This was fully covered here: http://forum.avast.com/index.php?topic=18295.0
Also our forum friend ReVaN (aka Mikey) has indicated how you can be protected. Maybe you overlooked this thread there, anyway thanx for warning. Also block access to: union(dot)com from your machine, where the exploit seems launched from.

Greets and have a good Sylvester and a Glorious 2006,

polonus

Oh, I rarely get into Virus section… Sorry, but to be warned again is not so bad!

Didn’t the following take care of this???
http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

Nope…