Alex writes "WMF Exploit is the wild and there are many websites which intentionally includes Iframes to malware WMF files (like some “crack”, “XXX” or “patch” websites). Besides this, there were some mass hacks of usually more trustworthy web sites — now, the websites will still render fine, but the included WMF file will be started automatically.
We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised."