NEWS FROM THE LAB - Tuesday, January 3, 2006

WMF construction kit
Posted by Jarkko @ 18:27 GMT

We just received a sample of an easy-to-use WMF construction kit. The WMF file it generates is based on the "first generation" Metasploit exploit, which itself was based on the very first WMF exploit found in the wild last week. The program itself is not that interesting; it is a console-mode Windows application that just generates a file named "evil.wmf" with whatever payload is given on the command line. The application is user-friendly, but the user still needs to know how to write assembly payloads (or where to download one). That, in addition to the fact that at least some of the WMF files it generates are buggy, makes this construction kit a minor threat.

We detect the constructor kit as VirTool.Win32.WMFMaker.a