MS06-001: Womble Worm - WMF Exploit
http://vil.nai.com/vil/content/v_140497.htm
http://www.sophos.com/security/analyses/w32womblea.html
W32/Womble@MM is a mass mailing worm which uses Exploit-WMF to spread. It may arrive as a ZIP archive or as a file using the following file extension: JPG.WMF. W32/Womble@MM uses it's own SMTP engine to send out the messages.
It generates the email as follows:
QUOTE
EMAIL TO BLOCK OR AVOID
From: (Spoofed email sender)
Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, ect.
Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg
Files with .ZIP extensions are just the copy of the worm itself. Those files with wither .JPG and .WMF extensions contain the Exploit-WMF as well as the worm
From: (Spoofed email sender)
Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, ect.
Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg
Files with .ZIP extensions are just the copy of the worm itself. Those files with wither .JPG and .WMF extensions contain the Exploit-WMF as well as the worm