Virus Detail

Win32/Worfo

Date Published:
28 Dec 2005

Last Updated:
10 Jan 2006

Threat Assessment

Overall Risk: Low

Wild: Low

Destructiveness: High

Pervasiveness: None

Characteristics

Type : Other

Category : Win32

Also known as: Bloodhound.Exploit.56 (Norton), TROJ_NASCENE.GEN (Trend), Exploit.Win32.IMG-WMF (Kaspersky), Exploit-WMF (McAfee), Exp/WMF-A (Sophos), Win32.Worfo, Win32/Worfo!Trojan, Win32/Worfo.Variant!Trojan

Immediate Protection Info

Signature	Product	Removal Instructions
12.x/2020	eTrust Antivirus v7/8*	View
23.71.32	eTrust Antivirus v7/8* (InoculateIT Engine)	View
11.x/9585	eTrust Antivirus v7/8* (Vet Engine)	View
6.2x/9585	eTrust EZ Antivirus 6.2x	View
6.3x/9585	eTrust EZ Antivirus 6.3x	View
6.4x/9585	eTrust EZ Antivirus 6.4x	View
7.x/9585	eTrust EZ Antivirus 7.x	View
10.6x/9585	Vet Anti-Virus 10.6x	View

Tools

Signature file information

Scan for viruses

Submit a Virus Sample

Description

Win32/Worfo is a generic detection of malformed Windows Meta File (.WMF) files which attempt to exploit the "Microsoft Windows Meta File processing vulnerability".

This exploit can be used in a malicious web page to execute code of the attacker's choice on the user's machine. Any program that renders WMF images on affected systems could be vulnerable to this attack.

For more information, please visit our Vulnerability encyclopedia:

Microsoft Windows Meta File processing vulnerability

Microsoft have also issued an advisory here (Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution):

http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Note: this detection may be triggered by merely visiting a web page that contains malicious code. It does not necessarily mean your machine has been compromised, nor that your machine is vulnerable to this particular exploit.

CA has received reports from the wild that this vulnerability has been exploited to install the following malware on affected systems: