Ready to WOMBLE

A new malware partnership was discovered earlier today. A worm, detected as WORM_WOMBLE.A, mass-mails a modified Windows Metafile (WMF) that takes advantage of a vulnerability in order to drop copies of the worm. A worm that uses a WMF to propagate? Or a malicious WMF that uses a worm to spread?


It doesn’t really matter. It only matters to computer and antivirus experts whose job is to analyze the files and provide a solution. To the greater, and arguably more important, population of average computer users, it is a single malware package that their system needs protection from.


It is not a new propagation technique, as far as malware history is concerned. One of the biggest malware attacks in history was a partnership a little over two years ago: WORM_NETSKY.P started mass-mailing copies of itself with the help of HTML_NETSKY.P, which exploited the Incorrect MIME Header Vulnerability to execute the malicious attachment automatically when the email was opened or even just previewed. This fueled WORM_NETSKY.P to spread like wildfire, and it has gone on to infect almost a million computers* worldwide to date.


Later generations of the prominent BAGLE family mass-mailed Trojans that download copies of the worm onto recipients' computers. The first time that a WORM_BAGLE variant employed this technique, many computer experts were briefly taken aback: how could a Trojan downloader that has no propagation capabilities of its own spread? Before long, the vicious cycle was uncovered. Still, the partnership proved disastrous or effective, depending on your point of view, as several of these partnerships went on to cause outbreaks.


Another prominent malware partnership involved WORM_FEEBS variants that mass-mailed malicious JavaScript files, whose payload includes downloading copies of the worm. The main component in this case seems to be the JavaScript rather than the worm, and this adds an interesting new twist. Worms have always been considered some of the most destructive malware, not only because they consume system and network resources and can carry a myriad of payloads, but because they can bring their damage to a wide scale. The FEEBS attacks, however, relegated worms to mere tools for propagation; the JavaScript carries the payloads. And why not? Worms are the easiest to detect. Let the user detect and remove the worm from the system, all while the JavaScript does its job.


The new attack by WORM_WOMBLE.A is reminiscent of WORM_NETSKY.P, because half of the email messages it sends contain a specially crafted WMF that takes advantage of the Windows Graphics Rendering Engine Vulnerability, which allows it to automatically drop and execute a copy of the worm when the user so much as views the WMF using Windows Explorer. Half, because it may instead attach a copy of itself, in which case it is a regular mass-mailer.


In a lot of ways, however, it is also like the BAGLE and FEEBS attacks, because it is an endless cycle: a worm mass-mails a dropper, which in turn drops a copy of the worm, which again mass-mails a dropper, and so on. For this cycle to stop, both components must be removed from the system.


Which is why a holistic approach to malware removal is best for average computer users. They don't differentiate between main component and sub-component. All they care about, and understandably so, is whether their system is safe from malware attack: main component or not, partnership or not.


* Data from Trend Micro World Tracking Center.