EXPL_MS04-032.A


 PLATFORM:

Windows XP (32-bit, 64-bit)


  • Threat Type: Others

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This is Trend Micro's detection for all .EMF graphics files that have been modified to exploit the Microsoft Windows XP Metafile Heap Overflow vulnerability, the issue addressed by Microsoft Security Bulletin MS04-032.

  TECHNICAL DETAILS

Initial Samples Received Date:

08 Nov 2004

NOTES:

This vulnerability exists in the rendering of Windows .EMF graphics files: a malformed metafile triggers a heap overflow in the rendering code, which lets the contents of the file dictate what runs next. A modified file can force the system to connect to an attacker-specified URL, or to open an attacker-specified TCP port and wait for commands from a remote user. Either way, it allows a remote user to execute shell code on a vulnerable system.

More information on this vulnerability can be found in Microsoft Security Bulletin MS04-032 on the Microsoft Web site.

This vulnerability can be exploited without the user deliberately opening the file: Windows Explorer renders the .EMF to build its preview when a folder containing the modified file is viewed with the thumbnails view option enabled. It is also exploited when the user opens the file directly.

Modified .EMF files can cause the system to visit a particular URL, which either hosts malicious script code or is a download link for other malware or spyware. The URL is chosen by whoever built the exploit file, not by the user of the affected system.

These files can also cause the system to open a listening TCP port, in the manner of a backdoor, and wait for commands from a remote user. The port number is likewise chosen by the attacker when the file is built. Either payload gives a remote attacker the ability to execute malicious code on the affected system.

All Windows XP systems that have not applied the MS04-032 security update are affected.
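As an added example, and not Trend Micro's detection logic or code from this description, the Python script below walks the structure of an .EMF file and reports length fields that do not agree with the file itself. The description does not state which header or record field the modified files tamper with, so the script does not reproduce any particular exploit file; it checks the general consistency (header nSize and nBytes, each record's nSize, the closing EMR_EOF record) that a renderer must verify before trusting a size field, which is the class of check a metafile heap overflow relies on being absent. The field layout follows the ENHMETAHEADER and generic record format of the EMF specification; the sample files are constructed inline and labelled as such.

```python
import struct

# Constants from the EMF (Enhanced Metafile) specification.
EMR_HEADER = 1
EMR_EOF = 14
EMR_SETBKMODE = 18
ENHMETA_SIGNATURE = 0x464D4520      # little-endian, reads as " EMF" in a hex dump
ENHMETAHEADER_SIZE = 88             # minimum size of the EMR_HEADER record


def record(itype, payload=b"", size=None):
    """Build one EMF record: DWORD iType, DWORD nSize, then payload.
    `size` lets the constructed samples below lie about nSize."""
    if size is None:
        size = 8 + len(payload)
    return struct.pack("<II", itype, size) + payload


def eof_record():
    # EMR_EOF: iType, nSize, nPalEntries, offPalEntries, nSizeLast
    return struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)


def build_emf(records, n_bytes=None, n_records=None):
    """Constructed sample: a minimal ENHMETAHEADER followed by `records`.
    n_bytes / n_records override the header fields to make inconsistent files."""
    body = b"".join(records)
    total = ENHMETAHEADER_SIZE + len(body)
    hdr = struct.pack("<II", EMR_HEADER, ENHMETAHEADER_SIZE)
    hdr += struct.pack("<4i", 0, 0, 100, 100)          # rclBounds (device units)
    hdr += struct.pack("<4i", 0, 0, 2540, 2540)        # rclFrame (0.01 mm units)
    hdr += struct.pack("<IIII", ENHMETA_SIGNATURE, 0x00010000,
                       total if n_bytes is None else n_bytes,
                       len(records) + 1 if n_records is None else n_records)
    hdr += struct.pack("<HHIII", 0, 0, 0, 0, 0)        # nHandles, sReserved, nDescription, offDescription, nPalEntries
    hdr += struct.pack("<iiii", 1024, 768, 320, 240)   # szlDevice, szlMillimeters
    return hdr + body


def check_emf(data):
    """Return a list of structural problems; an empty list means the header
    and every record's nSize are consistent with the actual file length."""
    problems = []
    if len(data) < ENHMETAHEADER_SIZE:
        return ["file shorter than ENHMETAHEADER (%d bytes)" % ENHMETAHEADER_SIZE]
    itype, hsize = struct.unpack_from("<II", data, 0)
    sig, _version, n_bytes, n_records = struct.unpack_from("<IIII", data, 40)
    if itype != EMR_HEADER:
        problems.append("first record iType %d is not EMR_HEADER" % itype)
    if sig != ENHMETA_SIGNATURE:
        problems.append("bad dSignature 0x%08X" % sig)
    if hsize < ENHMETAHEADER_SIZE or hsize % 4 or hsize > len(data):
        problems.append("header nSize %d is out of range" % hsize)
        return problems
    if n_bytes != len(data):
        problems.append("header nBytes %d != file length %d" % (n_bytes, len(data)))

    off, count, saw_eof = hsize, 1, False
    while off < len(data):
        if off + 8 > len(data):
            problems.append("truncated record header at offset %d" % off)
            break
        rtype, rsize = struct.unpack_from("<II", data, off)
        # nSize is the loop step here and, in a renderer, the length of the record
        # it copies into a buffer: it must be validated before it is used either way.
        if rsize < 8 or rsize % 4:
            problems.append("record %d at offset %d: bad nSize %d" % (count, off, rsize))
            break
        if off + rsize > len(data):
            problems.append("record %d at offset %d: nSize %d overruns file by %d bytes"
                            % (count, off, rsize, off + rsize - len(data)))
            break
        count += 1
        off += rsize
        if rtype == EMR_EOF:
            saw_eof = True
            if off != len(data):
                problems.append("%d trailing bytes after EMR_EOF" % (len(data) - off))
            break
    if not saw_eof:
        problems.append("no EMR_EOF record reached")
    if count != n_records:
        problems.append("header nRecords %d != records walked %d" % (n_records, count))
    return problems


# Constructed samples (not real exploit files): one well-formed metafile and
# three carrying the kind of inconsistent length field a heap-overflow exploit
# file depends on a renderer trusting.
SAMPLES = {
    "well_formed": build_emf([record(EMR_SETBKMODE, struct.pack("<I", 1)), eof_record()]),
    "oversized_record": build_emf([record(EMR_SETBKMODE, struct.pack("<I", 1), size=0x10000), eof_record()]),
    "zero_size_record": build_emf([record(EMR_SETBKMODE, struct.pack("<I", 1), size=0), eof_record()]),
    "nbytes_mismatch": build_emf([eof_record()], n_bytes=0x7FFFFFFF),
}


def triage(samples=SAMPLES):
    """Run check_emf over each sample; returns {name: [problems]}."""
    return {name: check_emf(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, problems in triage().items():
        print(name, "->", problems or ["OK"])
```

To triage a real file, pass its bytes to check_emf. A clean result only means the length fields are self-consistent; it is a quick sorting step for suspicious files, not a substitute for the MS04-032 update or for the antivirus pattern described below.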

  SOLUTION

Minimum Scan Engine:

6.810

FIRST VSAPI PATTERN FILE:

5.902.13

FIRST VSAPI PATTERN DATE:

18 Mar 2009

NOTES:

Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest scan engine version in order to get comprehensive protection.

Important Windows XP Cleaning Instructions

Users running Windows XP must disable System Restore to allow full scanning of infected systems. Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as EXPL_MS04-032.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

Install the security update supplied by Microsoft in Security Bulletin MS04-032. Trend Micro advises users to download critical patches upon release by vendors.
