Internet Storm Center reported about a new Word vulnerability being used. Exploit, using the vulnerability, has been sent as email attachment to specific individuals.
The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.
The exploit communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows“. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.
When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.
Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..
Update – 05/23/06:
Microsoft and eEye have each released advisories related to the issue this evening.
Microsoft’s security advisory can be found here.
eEye’s advisory can be found here.
The information about vulnerable exploits differs a little between the two advisories.
Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in ‘Safe Mode’ to disable the functionality that is affected by the vulnerability and exploit.
eEye says that the vulnerability affects Word 2000 as well. The eEye advisory mentions that they believe there are two variants of this exploit. Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.