"Risk has gone up significantly in the past 24 hours for any network still not protected against the WMF exploit."

Attacks are carried out through a vulnerability in the way Windows XP and Windows Server 2003 handle corrupted Windows Metaile (.WMF) graphic files. So far, it appears that Windows Data Execution Prevention (DEP) software or disabling Windows' shimgvw.dll file will block WMF attacks to date, according to iDefense.

The HappyNY.A attack has been using an e-mail with the subject "happy new year" that includes the attached file HappyNewYear.jpg. That file, actually a hostile WMF file, installs the Bifrose backdoor Trojan in the victim's system when the file executes.

Websense Security Labs says it is tracking "several dozen" Web sites seeking to use the WMF vulnerability. More information is available on the Websense blog at www.websensesecuritylabs.com/blog.

"WMF exploitation has started to take off in the wild," iDefense spokesman Ken Dunham said in an e-mail statement. "Dozens if not hundreds of WMF exploiting sites are likely to be reported in the coming days and weeks."