TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
TROJ_WMFCRASH.C
Overview
Solution

Malware type: Trojan

Aliases: Exploit.Win32.IMG-WMF.t (Kaspersky), Exploit-WMF.c (McAfee), Trojan Horse (Symantec), EXP/CryptScript.1 (Avira), Exp/WMF-B (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 Low

Description: 

This Trojan is a .WMF file that takes advantage of a vulnerability found in Windows Picture and Fax Viewer.

The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

To learn more about the vulnerability that this Trojan uses, please refer to the following:

Once this malicious .WMF file is opened, it proceeds to launch a denial of service attack in an attempt to restart or terminate the legitimate system process EXPLORER.EXE. The said action leaves an affected user unable to navigate through Windows.

After performing its routine, this Trojan eventually terminates itself.

For additional information about this threat, see:
Solution
Technical Details

Description created: Jan. 9, 2006 8:54:35 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.