It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.

There are multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to “http://[snip]/xmas-2006 FUNNY.jpg”.
This may well turn out to become a local epidemic(in NL), however so far it has not become big.(Not even 1000 bots at this moment)

The jpg is actually an HTML page with a (link to a) malicious wmf file.

This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.

At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.

Looking at this IRCBot it’s extremely likely that it has been made for cyber criminals.