Another spammed email with an attachment, map.wmf, which exploits the WMF SetAbortProc vulnerability, is in the wild. The file, map.wmf, will be detected as TROJ_NASCENE.M. The WMF file downloads “calc.exe”, a backdoor that will be detected as BKDR_AGENT.AXO.
The following are the email details:
Subject: Confidential
Body:
Attached is the digital map for you. You should meet that man at those points seperately.
Delete the map thereafter. Good luck.
Tommy
File Attachment: map.wmf
Users are advised to apply one of the recommended fixes for the WMF vulnerability, which was discussed in a previous blog entry, Another WMF Exploit, or to unregister shimgvw.dll. To unregister the DLL:
1. Go to Start, then click “Run”.
2. Type “cmd” to open the command prompt console.
3. Type “regsvr32 -u %windir%\system32\shimgvw.dll” in the command prompt.