An [tag]IM worm[/tag] is now using the [tag]WMF[/tag] exploit. According to Kaspersky Labs it's not spreading fast as of yet but that could all change.
We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "http://[snip]/xmas-2006 FUNNY.jpg".
This may well turn out to become a local epidemic(in NL), however so far it has not become big.(Not even 1000 bots at this moment)
The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as [tag]Exploit.Win32.IMG-WMF[/tag] by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.
At the time of writing this SdBot is instructed to download an [tag]IM-Worm.Win32.Kelvir[/tag] variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
You might also want to avoid sending and receiving New Year e-cards too ...
I'm afraid we have to end this year with the warning to watch out for any unknown imagefile. With the flurry of e-cards and Happy New Year messages this could get really messy, so be careful.
F-Secure has also picked up on this.
More information on Security Fix