This exploit had appeared in Microsoft Windows 3.0 to Server 2003 R2, and this hole has ever since been patched in Windows Vista and up. A Windows Update also fixes this hole.
Websites distributing WMF Exploit
These websites use prompt to install infected WMF File:
- Keygen websites
- Cracked websites
- Adult or warez websites
- The typosquatted versions of Google.com (Goggle.com)
- Forum websites and malicious websites
When a infected WMF File is started, it will try to drop the winstall.exe file to install the rogue antivirus Winhound, and desktop will be replaced with a notice reading: Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer. The following files use the WMF Exploit:
Some variants install SpySheriff and try to hijack the desktop with a notice reading: DANGER: SPYWARE
This issue is not present in Windows 9x (95, 98, and ME).