WMFMaker is a program for creating WMF (Windows Metafile) images that exploit a critical vulnerability in the Graphics Rendering Engine. This vulnerability lies in how Windows 2003/XP/2000/Me/98 handles WMF files, and therefore all applications that handle this type of file are affected, such as Internet Explorer and Microsoft Outlook. WMFMaker can be used to create images that run any type of malicious code (Trojans, worms or any other type of malware) on a computer affected by this security flaw.
WMFMaker is designed to be used from the command line, by giving the full path of the tool and of the executable file that will be included in the WMF and run if the vulnerability is exploited. This generates a file with a .wmf extension, named either "evil.wmf" or after the executable file included inside it.
Malicious WMF images created by WMFMaker can be distributed through different means, such as hosting them on a web page and persuading users to visit it. If the victim uses Internet Explorer, arbitrary code can be run automatically when the malicious web page is accessed. If a different browser is used, however, the user will be warned that the file will be downloaded.
Until Microsoft releases the patch to fix this vulnerability, users are advised to ensure that anti-malware solutions capable of blocking code that exploits this flaw are installed, and to adopt a series of other security measures, including the following:
- Read email messages in Plain Text.
- Don't click on links received via email or instant messaging from unknown senders.
- If you have Windows XP installed, enable DEP (Data Execution Prevention).
Hope this information is found helpful.
TheGuardian