There's a new trojan spam run underway, exploiting again the WMF vulnerability.
The exploit code is taken directly from the last Metasploit distribution. So the Metasploit exploit is assisting botnet herders and spyware distributors to take over the computers of users who still have no Microsoft patch to close the hole.
In this particular case the spammed message was a fake warning from Yale University professor about student vandalism that supposedly happened over the new year:
When curious readers follow the link to a web server under comcast.net, they are hit with a WMF file that immediatly downloads a botnet client via tftp and runs it. In case the WMF exploit wouldn't work, the front page of the site also contains an exploit against older versions of Firefox, using the "InstallVersion.compareTo()" flaw. The downloaded client will connect to a botnet hosted via several IRC servers.
F-Secure Anti-Virus detects the WMF exploit in question as Exploit.Win32.IMG-WMF and the downloaded trojan as Breplibot.Q. Abuse reports have been sent about the sites abused in this scam.
Administrators: you might want to block these at your gateways: http access to playtimepiano[dot]home[dot]comcast[dot]net (do not visit this site) tftp (ie. UDP) access to 18.104.22.168 IRC access to 22.214.171.124:8080 IRC access to 126.96.36.199:8080 IRC access to 188.8.131.52:8080 IRC access to 184.108.40.206:8080 IRC access to 220.127.116.11:8080
PS. There seems to be no Professor Robert Gordens in Yale.