Microsoft has been hit hard by two viruses, one packaged in a Windows Metafile (.wmf) and the other posing as MSN Messenger Beta.
The first is a particularly nasty one that attacks using Windows Metafile Format (.wmf) files. It has been deemed an 'extremely critical flaw' and will exploit fully patched machines. As of last week there were 57 versions being distributed across hundreds of websites, with many more expected now.
Vulnerable operating systems include Windows Server 2003: Datacentre, Enterprise, Standard and Web Editions. Also vulnerable are XP Home and XP Professional, exposing large swathes of both business and home users. The vulnerability is currently being used to install Trojan downloaders, spyware and malware.
As well as traditional distribution methods, this attack is also finding alternative routes because it is delivered as a media file, which makes it particularly difficult to stop. Google Desktop is the latest to be snared, executing the malicious images as it indexes the files. In fact, any software that can display .wmf files opens up a computer to the virus. The most common is Windows Picture and Fax Viewer, but others include IE, older versions of Firefox, Opera and Outlook.
There are several reported workarounds, although none are straightforward and none appear to be a fix-all solution or even guaranteed to work on all systems. Users can modify the registry to stop Windows Picture and Fax Viewer from launching automatically when a .wmf is requested. IE can have its security level set to high, which stops it loading .wmf files, and Google Desktop can be stopped from indexing media files or removed altogether.
Further information can be found in the Microsoft Security Advisory.
The second virus, called Virkel.F, uses a social engineering trick to pose as MSN Messenger 8 beta, the much-in-demand next version of Microsoft's internet messenger and VoIP application. The virus is being distributed as a download called BETA8WEBINSTALL.EXE, but instead of installing MSN Messenger it installs a virus that sends download links to the buddies of the infected computer. The linked text in the messages reads, "MSN Messenger 8 Working BETA."
Further woe is heaped on the unsuspecting user as the virus then connects the infected computer to a botnet server. Botnet servers allow the infected machines to be remotely controlled to execute code for purposes such as attacking other machines in denial-of-service (DoS) attacks and sending spam.