Windows XP infected by the infamous wmf virus in VMWare

Windows XP infected by the infamous wmf virus in VMWare

The WMF exploit was a hole in the Microsoft Windows system file gdi32.dll, which was used to install rogue security software.

This exploit had appeared in Microsoft Windows 3.0 to Server 2003 R2, and this hole has ever since been patched in Windows Vista and up. A Windows Update also fixes this hole.

Websites distributing WMF Exploit

These websites use prompt to install infected WMF File:

  • Keygen websites
  • Cracked websites
  • Adult or warez websites
  • The typosquatted versions of (
  • Forum websites and malicious websites


When a infected WMF File is started, it will try to drop the winstall.exe file to install the rogue antivirus Winhound, and desktop will be replaced with a notice reading: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer. The following files use the WMF Exploit:

  • xpladv470.wmf
  • xpl.wmf

Some variants install SpySheriff and try to hijack the desktop with a notice reading: DANGER: SPYWARE

This issue is not present in Windows 9x (95, 98, and ME).

Community content is available under CC-BY-SA unless otherwise noted.