There is a nice page detailing the WMF 0-day exploit that is currently in use here http://www.f-secure.com/weblog/archi...ve-122005.html which has a list of some domains you might not like to visit. As of so far no viruses have been seen to be using the exploit but with the exploit to virus life being so short now I would expect to see a variant of Sober or Netsky using the exploit within a week or two.
At the moment (as usual) it is being used to install spyware and scam antispyware on peoples PCs. I won't try to explain the exploit just look at the link article for more details. It appears to be the one used for the modified SpyAxe nagger I posted about previously.