NEWS FROM THE LAB - Tuesday, November 16, 2004

First virus distributed in Extended MetaFiles Posted by Gergo @ 09:10 GMT

The recently found worm Aler (a.k.a. Golten) was distributed as EMF files attached to emails sent to a number of addresses. The emails have the subject "Latest News about Arafat!!!" and carry two attachments: one clean JPEG and an infected EMF.

The clean image looks like this:


The EMF exploits the MS04-032 (EMF) vulnerability to install the worm on the system when the attachment is opened. It's worth mentioning that Aler does not propagate through this vulnerability. It spreads to random computers using local credentials from the infected host and a list of weak passwords.

Aler comes with a TCP proxy as payload.

Description of the worm has been posted to