xisto Community
miCRoSCoPiC^eaRthLinG

Asta Worm ALERT: Exploit.Win32.WMF-PFV Trying To Infect


WARNING: To all members

 

While browsing the forums, you might face a strange pop-up asking you to download a .wmv file. DO NOT download and/or try to play this. The pop-up looks somewhat like this (provided by Dha:

Posted Image

 

I believe this is being spread through one of the ads displayed at Asta. Some guy has this worm embedded in his ads - that's the only logical explanation I can find. Different anti-virus products might identify it under different names - but essentially, it's a variant of the following worm. Most likely it's coming from an ad of taalkzforum.com. Yes, I confirmed it by visiting their page. If you visit taalkzforum you get flooded with this pop-up. If you inspect the forum page, you'll see an iframe containing the following code:

<iframe src="http://forums.xisto.com/no_longer_exists/" width=0 height=0></iframe>

When the forum page loads, it calls their URL to show in that iframe and naturally their site starts sending you this worm.

 

Exploit.Win32.WMF-PFV

Spreading: LOW
Discovered: 2005 Dec 27
Damage: LOW
Size: 16 KB

 

SYMPTOMS:

Automatic worm or spyware installation, without confirmation.

 

TECHNICAL DESCRIPTION:

This is a WMF (Windows Meta-File) rendering exploit. The rendering bug that is exploited lies in the Windows Picture and Fax Viewer.

 

The WMF file can be placed on a web site; a victim who visits the site gets infected.

 

The exploit may create a shell on the victim computer, or may download and install a worm or a spyware trojan.

 

The exploit 'works' on Internet Explorer and some versions of Mozilla. However, some browsers may display a confirmation dialog about it.

 

Source: http://forums.xisto.com/no_longer_exists/

 


For a real-time report on how this worm is spreading and how many systems it has infected, check this:

Real-time Virus Reporting - Last 24 hours

 

Nothing to be really scared of - as long as you do not execute/try to play that file. If you click Cancel you won't be infected and can carry on browsing the forums normally.

 

I'm trying to get in touch with OpaQue and get this ad blocked ASAP.

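The post above describes the infection vector: an ad injects an iframe with width=0 height=0 whose src points at a third-party host, so the forum page silently loads that host's content. The following is an added example, not code from the post or from the forum software, that implements the check a forum admin could run over a page's HTML: it parses the markup, and reports every iframe that is both invisible (zero width or height, or hidden through inline style) and not on the page's own host. The sample page and the ad.example / tracker.example hosts in it are constructed for the demonstration.

```python
"""Flag invisible third-party <iframe>s in a page: the injected-ad vector
described in the post.  Added example; not code from the forum or the site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A length is "zero" if it is 0, 0px or 0% (plain 0 is what the injected tag used).
ZERO_LENGTH = re.compile(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", re.I)
# Inline-style ways of hiding a frame without touching the width/height attributes.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(width|height)\s*:\s*0+(\.0+)?\s*(px|%)?\s*(;|$)",
    re.I,
)


def is_invisible(attrs: dict) -> bool:
    """True if the tag's attributes make the frame zero-sized or hidden."""
    if "hidden" in attrs:
        return True
    if any(ZERO_LENGTH.match(attrs.get(k, "1")) for k in ("width", "height")):
        return True
    return HIDDEN_STYLE.search(attrs.get("style", "")) is not None


class HiddenIframeFinder(HTMLParser):
    """Collect src URLs of iframes that are invisible and not on the page's own host."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":                      # html.parser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}     # valueless attrs (hidden) become ""
        src = a.get("src", "")
        # A relative src has no host, so it counts as the page's own host.
        host = (urlsplit(src).hostname or self.page_host).lower()
        same_host = host == self.page_host or host.endswith("." + self.page_host)
        if not same_host and is_invisible(a):
            self.hits.append(src)


def find_hidden_iframes(html: str, page_url: str) -> list:
    """Return src URLs of hidden off-host iframes, in document order."""
    finder = HiddenIframeFinder(urlsplit(page_url).hostname or "")
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed page (not a real capture): a visible ad, a same-host hidden frame,
# and two hidden third-party frames.  ad.example / tracker.example are made up.
SAMPLE_PAGE = """
<html><body>
<iframe src="http://ad.example/banner" width=468 height=60></iframe>
<iframe src="/login_frame" width=0 height=0></iframe>
<iframe src="http://ad.example/serve" width=0 height=0></iframe>
<div><iframe src="//tracker.example/pixel" style="display:none; width:1px"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for url in find_hidden_iframes(SAMPLE_PAGE, "http://forums.xisto.com/index.php"):
        print("hidden third-party iframe:", url)
```

Visible third-party frames are deliberately left alone: a legitimate banner ad is also an off-host iframe, and the signal here is the combination of off-host source and zero size or a hidden style, which is how the ad in the post smuggled the page in.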
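The technical description quoted in the post says only that a WMF file rendered by Windows triggers the bug. The record that the December 2005 WMF exploit (MS06-001) abused was a META_ESCAPE record carrying the SETABORTPROC escape function, whose data Windows treated as a callback to execute. The following is an added example, not code from the post or from the cited vendor, of a file scanner for that record: it walks the WMF record list (skipping the optional 22-byte placeable header), flags SETABORTPROC escapes and records with an impossible size field, and matches the record function on its low-order byte only, because the MS-WMF specification says the low-order byte is what identifies a record, so a file with 0xFF26 instead of 0x0626 still gets played. The sample files are built by the block itself and carry zero-filled data, not a payload.

```python
"""Scan a WMF file for the META_ESCAPE/SETABORTPROC record abused by the
December 2005 WMF exploit (MS06-001).  Added example, not from the forum post."""
import struct

# Constants from the WMF format (MS-WMF); the sample files below are constructed here.
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header before the standard header
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the escape function the 2005 exploit used


def iter_records(data: bytes):
    """Yield (offset, size_in_words, function, params) for each WMF record.

    A record is Size(4 bytes, counted in 16-bit words) + Function(2) + params.
    Iteration stops at META_EOF, at truncation, or at a record whose Size is
    below the 3-word minimum (that record is yielded so the caller can flag it).
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        return
    pos += 18                                   # standard header is 9 words
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            yield pos, size_words, func, b""
            return
        end = pos + size_words * 2
        yield pos, size_words, func, data[pos + 6:end]
        if func == META_EOF or end > len(data):
            return
        pos = end


def scan_wmf(data: bytes) -> list:
    """Return human-readable findings for suspicious records; [] if none."""
    findings = []
    for off, size_words, func, params in iter_records(data):
        if size_words < 3:
            findings.append(f"malformed record at 0x{off:x}: size {size_words} words")
            break
        # MS-WMF dispatches on the low-order byte of RecordFunction only, so a
        # file can put anything in the high byte (e.g. 0xFF26) and still be
        # played; a scanner that compares the full 16 bits is trivially evaded.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                findings.append(
                    f"META_ESCAPE/SETABORTPROC at 0x{off:x} "
                    f"(function 0x{func:04x}, {size_words} words)")
    return findings


def build_wmf(records, placeable=False) -> bytes:
    """Assemble a minimal WMF from (function, params) pairs.  Constructed test data."""
    body = b""
    max_words = 3
    for func, params in records:
        if len(params) % 2:
            params += b"\0"                      # records are word-aligned
        size_words = 3 + len(params) // 2
        max_words = max(max_words, size_words)
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, total size, 0 objects, max record, 0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if placeable:
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


# Constructed samples.  The escape data is zero filler, not a payload.
FILLER = struct.pack("<HH", SETABORTPROC, 64) + b"\0" * 64
MALICIOUS = build_wmf([(META_ESCAPE, FILLER)])
EVASIVE = build_wmf([(0xFF26, FILLER)], placeable=True)      # high byte altered
BENIGN = build_wmf([(META_SETBKMODE, struct.pack("<H", 1))])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS), ("evasive", EVASIVE), ("benign", BENIGN)):
        print(name, scan_wmf(blob) or "clean")
```

Run it over a directory of downloaded images to triage them; a match is not proof of exploitation, since SETABORTPROC is a legal escape, but outside a print job there is no honest reason for an image served by a web page to carry one.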
Follow-up: this is the domain registration info on Taalkzforum

Registration Service Provided By: EZ Web Hosting
Contact: billingsys@ez-web-hosting.com
Visit: http://forums.xisto.com/no_longer_exists/

Domain name: TAALKZFORUM.COM

Registrant Contact:
Carl Humphrey (carl_monster@yahoo.com)
+1.4028803915
Fax: +1.4028803915
2000 Broadway Ave, #404
San Francisco, CA 94115
US

Administrative Contact:
Carl Humphrey (carl_monster@yahoo.com)
+1.4028803915
Fax: +1.4028803915
2000 Broadway Ave, #404
San Francisco, CA 94115
US

Technical Contact:
Ez Web Hosting
Ez Web Hosting Support (support@ez-web-hosting.com)
1-877-ezwebhosting.c
Fax: none
4633 Welborn Dr.
Sherrills Ford, NC 28673
US

Status: Locked
Name Servers:
ns.ez-web-hosting.com
ns1.ez-web-hosting.com
Creation date: 06 Oct 2005 00:00:13
Expiration date: 06 Oct 2006 00:00:13

I'm contacting EZ-Webhosting.Com, with whom taalkzforum is hosted and trying to get them to intervene.


Thanks for your alert m^e. Just now, when I was logging in, the same dialog box appeared requesting a download, though I did not download it, for easily understandable reasons.

Regards,
Sid
