Additional Details
When the infected attachement is viewed on vulnerable computer, it tries to download and execute a file from web server www.ritztours.com. The file is a variant of Bifrose backdoor, detected as W32/Bifrose.KT.
Please see the following links for more details about the WMF vulnerability:
http://www.kb.cert.org/vuls/id/181038
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.f-secure.com/weblog/
Write-up: Jarkko Turkulainen
Technical Details: Jarkko Turkulainen, January 1, 2006