Although some security firms on Wednesday advised enterprises to block WMF files at the network edge, that may not be a decent defense for long.
"Windows XP will detect and process a WMF file based on its content, and not rely on the extension alone," wrote analyst Chris Carboni on the center's blog. "[That] means a WMF sailing in disguise with a different extension might still be able to get you."
Hackers could simply rename a malicious WMF file with, say, a .gif or .jpg file extension, attach it to an e-mail message, and, assuming a user opens the file, infect a system.
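Because the operating system keys on content, an edge filter has to do the same. The sketch below is an added example, not code from the article or from any vendor it quotes: it flags attachments whose leading bytes match the WMF header layout regardless of extension. The function names, file names and sample bytes are constructed for illustration, and the check is a header heuristic, not a full parser.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
# METAHEADER: Type, HeaderSize (in 16-bit words), Version, Size,
# NumberOfObjects, MaxRecord, NumberOfMembers; 18 bytes, little-endian
META_HEADER = struct.Struct("<HHHIHIH")


def looks_like_wmf(data: bytes) -> bool:
    """Heuristic header check: True if the bytes start like a WMF file."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN          # standard header follows the placeable one
    if len(data) < offset + META_HEADER.size:
        return False
    ftype, header_words, version = META_HEADER.unpack_from(data, offset)[:3]
    return (ftype in (1, 2)             # 1 = memory metafile, 2 = disk metafile
            and header_words == 9       # header is always 9 words (18 bytes)
            and version in (0x0100, 0x0300))


def flag_attachments(attachments):
    """Names of attachments whose content is WMF, whatever the extension says."""
    return [name for name, data in attachments if looks_like_wmf(data)]


# Constructed sample data (headers only, no real image or exploit content).
_wmf = META_HEADER.pack(1, 9, 0x0300, 9, 0, 0, 0)
SAMPLES = [
    ("picture.wmf", _wmf),
    ("greeting.jpg", _wmf),                                   # WMF renamed to .jpg
    ("card.gif", struct.pack("<I", PLACEABLE_KEY) + bytes(18) + _wmf),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)),  # JPEG magic
    ("logo.gif", b"GIF89a" + bytes(20)),                      # GIF magic
]

if __name__ == "__main__":
    print(flag_attachments(SAMPLES))
```

An extension-based rule would catch only the first sample; the content check also catches the two renamed ones and leaves the genuine JPEG and GIF headers alone.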
At the moment, say the experts, exploits are "only" installing spyware and/or fake anti-spyware software. That's bad enough, said two security firms, including one that specializes in combating spyware.
"Now we're seeing many more using this to install bad stuff," said Alex Eckelberry, president of anti-spyware developer Sunbelt Software. "This is a really bad exploit. Be careful out there."
Websense, a San Diego-based content filtering firm, has posted a video that shows the infection process, and said that it was tracking "thousands" of sites distributing the exploit code from just one host site. Spyware now, said another security professional, but even more malicious software next.
"The technique that is being used can and will be combined with traditional malware like Mytob or Bagle," Stefana Ribaudo, the director of Computer Associates eTrust Security told TechWeb in an e-mail. "We're concerned that in the absence of a patch or even readily followed steps to secure systems, that we could see additional delivery methods such as e-mailing the WMF file (especially with jokes and holiday greetings) and instant messaging.
"Once workers are back in the office after the holiday, we could see an increase [in the exploit],” warned Ribaudo.