Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!

WMF exploit

From Malware Wiki
Jump to: navigation, search

Stubsymbol.png This article is a stub. You can help by editing it.

The WMF exploit was a hole in the Microsoft Windows system file gdi32.dll, which was used to install rogue security software.

This exploit had appeared in Microsoft Windows 3.0 to Server 2003 R2, and this hole has ever since been patched in Windows Vista and up. A Windows Update also fixes this hole. Keygen, cracked, adult, warez, typosquatted and malicious websites use prompts to install an infected WMF file.


When a infected WMF File is started, it tries to drop the winstall.exe file to install the rogue antivirus Winhound, and the desktop is replaced with a notice reading:

Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.

The following files use the WMF Exploit:

  • xpladv470.wmf
  • xpl.wmf

Some variants install SpySheriff and try to hijack the desktop with a notice reading:


This issue is not present in Windows 9x (95, 98, and ME).