Security researchers have logged more than 70 variations on IMs (instant messages) attempting to exploit the WMF vulnerability since they first were reported on Saturday.
A vulnerability in the way Microsoft's Windows OS handles images in the WMF (Windows Metafile) format means that opening a maliciously crafted WMF image could result in the execution of hostile code. Malicious WMF files can be distributed in a number of ways, including via email, websites, peer-to-peer filesharing services or IM systems.
By sending such a file, or a link to a website where one is hosted, through an IM system and then tricking users into clicking on the file or link, an attacker may be able to gain control of the IM user's computer.
The first attempts to do this were logged on Saturday morning, when security researchers at Kaspersky Labs received reports of a wave of attacks on Dutch users of the MSN Messenger service. They had received messages inviting them to click on a link to a website containing an image with the name 'xmas-2006 FUNNY.jpg' – in reality, a web page containing a maliciously crafted WMF file.
Anyone following the link would set in motion a chain of events, beginning with the downloading of a Trojan Horse identified by Kaspersky as Trojan-Downloader.VBS.Psyme.br. This in turn would try to install a bot named Backdoor.Win32.SdBot.gen, which would then receive instructions over an IRC (Internet Relay Chat) channel to download IM-Worm.Win32.Kelvir, a worm that spreads over IM services, thus triggering a new wave of infections.
Although these early attacks all pointed users to the same file name, attackers have now diversified their methods.
By mid-afternoon today, enterprise IM security company Akonix Systems had blocked attempts to transmit malicious WMF files using 70 different file names, according to Shakeel Itoola, product manager for the company's L7 enterprise IM filtering product. Around one million computers are protected by Akonix systems, Itoola said, but he couldn't say how many malicious messages exploiting the WMF vulnerability had been transmitted in total, as the company's enterprise products are individually managed by the customer and do not report back such statistics.
Until steps can be taken to eliminate the vulnerability in handling WMF files, Microsoft advises Windows users to exercise caution when dealing with messages and links in messages from untrusted sources. The company expects to release a security patch to address the problem on 10 January, through Windows Update and other channels, it said yesterday. Microsoft's security advisory can be found here.