A new malware partnership was discovered earlier today. A worm, detected as WORM_WOMBLE.A, mass-mails a modified Windows Metafile (WMF) that takes advantage of a vulnerability in order to drop copies of the worm. A worm that uses a WMF to propagate? Or a malicious WMF that uses a worm to spread?
It doesn’t really matter. It only matters to computer and antivirus experts whose job is to analyze the files and provide a solution. To the greater, and arguably more important, population of average computer users, it is a single malware package that their system needs protection from.
It is not a new propagation technique, as far as malware history is concerned. One of the biggest malware attacks in history was a partnership a little over two years ago: WORM_NETSKY.P mass-mailed copies of itself with the help of HTML_NETSKY.P, which exploited the Incorrect MIME Header Vulnerability so that the malicious attachment ran automatically when the email was opened or even just previewed. That fueled WORM_NETSKY.P to spread like wildfire, and it has gone on to infect almost a million computers* worldwide to date.
Later generations of the prominent BAGLE family mass-mailed Trojans that download copies of the worm onto recipients' computers. The first time a WORM_BAGLE variant employed this technique, many computer experts were briefly taken aback: how could a Trojan downloader with no propagation capabilities of its own spread? Before long, the vicious cycle was exposed. Still, the partnership proved disastrous or effective, depending on your point of view, as several of these partnerships went on to cause outbreaks.
The new attack by WORM_WOMBLE.A is reminiscent of WORM_NETSKY.P, because half of the email messages it sends carry a specially crafted WMF that takes advantage of the Windows Graphics Rendering Engine Vulnerability (patched in MS06-001), which lets it drop and execute a copy of the worm when the user so much as views the WMF in Windows Explorer. Half, because the other half attach a copy of the worm itself, in which case it is a regular mass-mailer.
In a lot of ways, however, it is also like the BAGLE and FEEBS attacks, because it is an endless cycle: the worm mass-mails a dropper, the dropper drops a copy of the worm, the worm again mass-mails a dropper, and so on. For this cycle to stop, both components must be removed from the system.
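As an added illustration of the crafted-WMF half of the attack described above (this is example code written for this page, not Trend Micro's detection or anything from the worm itself), the scanner below walks the record stream of a Windows Metafile and flags the pattern that triggers the rendering-engine bug: a META_ESCAPE record whose escape sub-function is SETABORTPROC. That record type being the trigger is a known detail of the MS06-001 vulnerability that the post itself does not spell out. The two sample metafiles are constructed inline and contain no real payload; the "placeholder-data" bytes stand in for whatever a real sample would carry. Files that fail to parse are reported as malformed rather than clean, which is the fail-closed verdict a mail gateway should give an attachment it cannot make sense of.

```python
import struct

# Windows Metafile format constants (public format values, not taken from the post)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009        # Escape sub-function abused by the MS06-001 rendering-engine bug


def wmf_record(func: int, params: bytes = b"") -> bytes:
    """Serialise one WMF record: size in 16-bit words (including this 6-byte prefix), function, params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Assemble a minimal disk WMF (no placeable header) from records, appending META_EOF."""
    body = b"".join(records) + wmf_record(META_EOF)
    max_words = max(len(r) // 2 for r in records) if records else 3
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return header + body


def parse_wmf_records(data: bytes) -> list:
    """Walk the record stream and return [(function, params)], raising ValueError on malformed input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header if present
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _ftype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != 9:
        raise ValueError("unexpected header size")
    off += header_words * 2
    records = []
    while True:
        if off + 6 > len(data):
            raise ValueError("record stream ends without META_EOF")
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):   # size field must cover its own prefix and stay in-file
            raise ValueError("record size inconsistent with file length")
        records.append((func, data[off + 6:end]))
        if func == META_EOF:
            return records
        off = end


def find_setabortproc(data: bytes) -> list:
    """Return the indices of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    hits = []
    for i, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(i)
    return hits


def classify_wmf(data: bytes) -> str:
    """Gateway-style verdict: 'malicious' (trigger record present), 'malformed' (will not parse), or 'clean'."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "malformed"
    return "malicious" if hits else "clean"


# Constructed samples for this example (not real malware): a harmless metafile, one carrying the
# trigger record with placeholder bytes in place of a payload, a truncated copy, and a placeable-header copy.
CLEAN_WMF = build_wmf([wmf_record(META_SETMAPMODE, struct.pack("<H", 8))])
TRIGGER_WMF = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"placeholder-data"),
])
TRUNCATED_WMF = TRIGGER_WMF[:-4]
PLACEABLE_CLEAN_WMF = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + CLEAN_WMF

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_WMF), ("trigger", TRIGGER_WMF),
                       ("truncated", TRUNCATED_WMF), ("placeable", PLACEABLE_CLEAN_WMF)]:
        print(f"{name:9s} -> {classify_wmf(blob)}")
```

Run against the constructed samples, the harmless files come back clean, the one carrying the SETABORTPROC escape is flagged as malicious, and the truncated copy is reported as malformed. A real gateway check would run this over every attachment regardless of its extension, since the rendering engine keys on the file content rather than the name; the parser deliberately refuses any record whose size field would run past the end of the file instead of trusting it.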
Which is why a holistic approach to malware removal is best for average computer users. They don’t differentiate between main component and sub-component. All they care about, and understandably so, is if their system is safe from malware attack: main component or not, partnership or not.
* Data from Trend Micro World Tracking Center.