Adding to the list of URLs abusing the new WMF exploit, we received reports of a botnet distributing WMF exploit files from http://www.<BLOCKED>.biz/tr. We downloaded 10 WMF samples, each with a distinct MD5 hash. The WMF files, to be detected as TROJ_NASCENE.GEN, contain malicious code that downloads and executes another malware. That downloaded malware, which will be detected as ADW_EXFOL.A, in turn downloads a further component already detected as ADW_EXFOL.A.
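Ten samples with ten different MD5 hashes is the reason a generic detection such as TROJ_NASCENE.GEN is needed instead of per-hash blocking. The following scanner is an added example written for this post, not Trend Micro's code and not the samples described above: it walks the record list of a WMF file and flags META_ESCAPE records, in particular the SetAbortProc escape that the WMF vulnerability of that period abused (a general fact about the bug, not something this post states). The record layout follows the Windows Metafile format; the three sample files are constructed inline, with the two "malicious" ones differing only in filler bytes so that their hashes differ while the structural finding stays the same.

```python
import hashlib
import struct

# WMF record function numbers (from the Windows Metafile format).
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
# Escape sub-function abused by the WMF exploit of late 2005 (general fact, not from the post).
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def parse_wmf_records(data):
    """Walk a WMF file and return a list of (function, size_in_words, params) tuples."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != 9:
        raise ValueError("unexpected WMF header size")
    off += header_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError("malformed record at offset %d" % off)
        records.append((func, size_words, data[off + 6:end]))
        off = end
        if func == META_EOF:
            break
    return records


def escape_findings(data):
    """Report every META_ESCAPE record; mark SetAbortProc escapes separately."""
    findings = []
    for idx, (func, _size, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            findings.append({
                "record": idx,
                "escape_function": esc_func,
                "payload_bytes": byte_count,
                "setabortproc": esc_func == SETABORTPROC,
            })
    return findings


def build_wmf(records):
    """Constructed helper: assemble a minimal standard WMF from (function, params) pairs."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    max_words = max(3 + len(p) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples (not the samples from the post): one benign file and two files that
# carry a SetAbortProc escape record with different filler bytes, so their MD5s differ.
SAMPLES = {
    "benign.wmf": build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)), (META_EOF, b"")]),
    "sample1.wmf": build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                              (META_EOF, b"")]),
    "sample2.wmf": build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x11" * 4),
                              (META_EOF, b"")]),
}


def scan_samples(samples):
    """Per file: MD5 (what hash-based blocking sees) and structural findings (generic detection)."""
    return {
        name: {"md5": hashlib.md5(data).hexdigest(), "findings": escape_findings(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in scan_samples(SAMPLES).items():
        print(name, result["md5"], "flagged" if result["findings"] else "clean")
```

The two constructed malicious files hash differently but produce the same finding, which is the property a generic signature relies on; the benign file, with only a map-mode record, produces none. Any real WMF that legitimately uses escape records will also be reported, so this is a triage heuristic rather than a verdict.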
The detected adware displays the message box shown below:
![](http://extracare.trendmicro-europe.com/tm/core/global/images/diary/94ac83e3d8951986595ee5c588f793c4_msg.jpg)
After clicking on Terms & Conditions, it opens a URL containing the Exfol EULA.
![](http://extracare.trendmicro-europe.com/tm/core/global/images/diary/94ac83e3d8951986595ee5c588f793c4_site.jpg)