Somebody had written a program that generates a WMF file that uses the meta file exploit. The program is console driven that generates a file “evil.wmf” with a payload given by the user. The payload must be written in assembly that made the generation of the WMF file a bit hard. And most of the time the generated WMF file is buggy. The user must find another program that converts his payload program to assembly unless the user knows how to convert to assembly.
The said WMF generator has been passed to the service team and will be detected on the soonest possible time.
Update(Jessie, 04 January 2006 09:26:06)
The file has been given the detection name, HKTL_METAXPLT.A.
Update(Jessie, 04 January 2006 15:42:50)
The modified generic pattern is doing good to date. It now detects all the 65 samples that were generated by the WMF maker.
I also test the modified pattern against the normal .wmf files that comes with MS Office 2003 and it yields good result (no false alarm) out of 116 .wmf files.
But, “We still have to be vigilant at least until Jan 10 when MS has released their patch.”, Trend Micro Product Manager noted.
Update(JJ, 04 January 2006 17:58:02)
We’ve received some concerns regarding the detection capability of Trend on the WMF Files, particularly on the renamed WMF files (to JPG/JPEG). The generic pattern/detection for the WMF bug (and for other generic patterns as well) does not rely on the filename(of the file). For the WMF exploit, we have parsing routines to identify the WMF file, and then go to the exploit part and then detect it. So even if the WMF file has been renamed, we can still detect it.