• Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools

My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Menu
  • Downloads
  • Threats
    • Adware
    • Browser Hijacking
    • Phishing
    • Ransomware
  • Questions and Answers
  • Recover Encrypted Files
  • Free Malware Removal Tools
Home › Exploits & Vulnerabilities › Found exploit using new Microsoft Word vulnerability

Found exploit using new Microsoft Word vulnerability

Myantispyware team May 19, 2006     No Comment    

Internet Storm Center reported about a new Word vulnerability being used. Exploit, using the vulnerability, has been sent as email attachment to specific individuals.

The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.

The exploit communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows“. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

Update:

When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.

Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..

Update – 05/23/06:

Microsoft and eEye have each released advisories related to the issue this evening.

Microsoft’s security advisory can be found here.

eEye’s advisory can be found here.

The information about vulnerable exploits differs a little between the two advisories.

Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in ‘Safe Mode’ to disable the functionality that is affected by the vulnerability and exploit.

eEye says that the vulnerability affects Word 2000 as well. The eEye advisory mentions that they believe there are two variants of this exploit. Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.

Exploits & Vulnerabilities

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Leave a Reply Cancel reply




New Guides

Defense-fordesktop.com Click Allow Scam
Defense-fordesktop.com Virus Removal Guide
Searches.today Google Search results
How to get rid of Searches.today redirect from Chrome, Firefox, IE, Edge
Helllomedias.com Click Allow Scam
Helllomedias.com Virus Removal Guide
AccessibleSearchGuide mac app adware
How to uninstall AccessibleSearchGuide app/extension from Mac (Virus removal guide)
Link 2captcha Virus Click Allow Scam
Link 2captcha Virus (removal guide)

Follow Us

Search

Useful Guides

This setting is enforced by your administrator (Removal guide)
DNSChanger
How to remove DNSChanger malware virus [Updated Apr. 2018]
How to reset Internet Explorer settings to default
ads by adware
How to remove Adware from Windows 10 (Virus removal guide)
adwcleaner
AdwCleaner – Review, How to use, Comments

Recent Posts

How to remove Spyware Sheriff and Antispylab
How to remove Spyware Soft Stop
New rogue antispyware – SpywareSheriff
New ransomware found
Internet Explorer “object” Tag Vulnerability

MYANTISPYWARE.COM

  • About Us
  • Contact Us
  • Privacy Policy

NEED A HELP ?

If you're seeing unwanted pop-ups or ads in your web-browser, you might have an adware installed on your computer. Use the following guide to stop pop-up ads and remove malicious software. Or ask for help here.

Links

  • Downloads
  • Instructions
  • Questions and Answers
  • Free Malware Removal Tools
Copyright © 2004 - 2022 Myantispyware.com - Free antispyware programs and Spyware Removal Instructions.