New WMF variant - McAfee protection was released in DAT 4664
McAfee has just updated their website with information related to the new WMF variant. There is some generic protection for the new variant currently. An extra DAT file can also be applied now to provide production using this special approach for a single new virus. AVERT made an emergency release of DAT file 4664 on New Year's eve that addresses this new risk. Corporate and home users should apply this new level of protection as soon as possible.
QUOTE: -- December 31, 2005 --
Source code for a tool that creates Exploit-WMF files has been posted to the web. This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones. While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code. The updated detection has been released in the 4664 DAT files.
-- Update 1 --
An email message containing an Exploit-WMF sample built from this new code has been spammed. The message appears as follows:
Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)
The attachment causes a new BackDoor-CEP variant to be downloaded and run from a hostile web site.
-- Update 2 --
Due to the serious nature of the WMF vulnerability and recent discovery of new exploit code, the 4664 DAT files were released out of cycle to detect these new Exploit-WMF samples.