A worm which exploits curiosity about the death of Yasser Arafat is the first to exploit the known Extended MetaFiles vulnerability.

Aler [1] is a network worm that was widely bulk-mailed with the subject "Latest News about Arafat!!!". These infected emails had two attachments, one a clean JPEG file and the other an infected EMF file, according to anti-virus firm F-Secure.

The EMF file exploits a well-known Windows vulnerability (MS04-032 [2]) to install the worm onto systems when the attachment is opened.

Thereafter, Aler spreads across network shares and hosts with weak user passwords. The worm's payload is a connection proxy that allows the attacker to initiate network connections through an infected computer. This feature could be used to send spam or attack other computers.

F-Secure rates Aler - which only infects Windows PCs - as a medium category nuisance. Standard precautions apply - vigilance about unsolicited messages, updating AV protection, use of stronger passwords, tin-foil hats etc. ®

Related stories

Grieving Arafat widow seeks business partner [3]
IE exploits top web security threat list [4]
Bofra worm sets trap for unwary [5]

Links

1. http://www.f-secure.com/v-descs/aler.shtml
2. http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx
3. http://www.theregister.co.uk/2004/11/16/arafat_widow_419/
4. http://www.theregister.co.uk/2004/11/02/web_security_survey_scansafe/
5. http://www.theregister.co.uk/2004/11/10/bofra_worm/