Extended MetaFiles vulnerability

It was only a matter of time before this attack was released into the wild. A fairly intuitive way to launch it as well.

Arafat worm exploits new MS vuln

A worm which exploits curiosity about the death of Yasser Arafat is the first to exploit the known Extended MetaFiles vulnerability. Aler is a network worm that was widely bulk-mailed with the subject "Latest News about Arafat!!!". These infected emails had two attachments, one a clean JPEG file and the other an infected EMF file, according to anti-virus firm F-Secure. The EMF file exploits a well-known Windows vulnerability (MS04-032) to install the worm onto systems when the attachment is opened. Thereafter, Aler spreads across network shares and hosts with weak user passwords. The worm's payload is a connection proxy that allows the attacker to initiate network connections through an infected computer. This feature could be used to send spam or attack other computers.

By John Leyden, The Register Nov 17 2004 9:35AM
The info about "ALER" can be found Here:

Just scroll down to

Tuesday, November 16, 2004

First virus distributed in Extended MetaFiles