Adding to the list of URLs using the new WMF exploit, we received reports on a botnet which distributes WMF exploits from http://www.<BLOCKED>.biz/tr. We leeched 10 WMF file samples, each with a distinct MD5 hash. The WMF files, to be detected as TROJ_NASCENE.GEN, contain malicious code that downloads and executes another malware. The downloaded malware, which will be detected as ADW_EXFOL.A, further downloads another malware already detected as ADW_EXFOL.A.
The detected adware displays a message box shown below:
After clicking on the Terms & Conditions, it opens a URL which has the Exfol EULA.