SANS ISC: InfoSec Handlers Diary Blog

Targeted attack: Word exploit - Update

Published: 2006-05-20
Last Updated: 2006-05-22 13:18:53 UTC
by Chris Carboni (Version: 2)
In yesterday's diary, Swa reported on a targeted attack that appears to exploit a previously unknown (zero-day) vulnerability in Microsoft Word.

What we know so far: when the exploit fires, early in the process it drops a bot, possibly Rbot or a variant of it.

Once the bot is in place it begins an extensive reconnaissance of the system: installed patches, installed anti-virus, the contents of My Documents, the contents of the startup files, the IE configuration, and so on.

Thanks again to Michael for reporting the incident to us and all the handlers who have helped in the ongoing analysis.

Vendor information:


McAfee detects the Word document with the 4766 definition file as Exploit-OleData.gen and also associates Backdoor-CKB!cfaae1e6 with this exploit. (Thanks James!)
File size: 233472 bytes
MD5: c1bb026ec2b42adc17d0efb7bb31f4dc
SHA1: 02b9a9530e0f4edb3bc512707c16390ea5b394d1
A second payload has also been observed: BackDoor-CKB!6708ddaf


Thanks to Juha-Matti for finding a few more references:


This one is from an anonymous reader:


The Microsoft Security Response Center told us that they are developing a patch and expect to include it in the next second-Tuesday (Patch Tuesday) update. Their full recommendation:

Microsoft is investigating new public reports of a "zero-day" attack using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user must first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft is adding detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability. The Windows Live Safety Center is located at the following website: [NOTE: the link might not work in Gecko-based browsers such as Firefox]

Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability.  The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location:

As always, Microsoft encourages customers to follow its "Protect Your PC" guidance of enabling a firewall, applying all security updates and installing anti-virus software. Customers can learn more about these steps at


Ivan from Trend Micro sent us links to where their updates can be found. Thanks Ivan!

Trojanized Word document files:

Dropped malcodes:


Alexander sent us information about updates from Kaspersky.

Trojanized Word document file:
Dropped malcodes:

Microsoft Word Vulnerability

Published: 2006-05-20
Last Updated: 2006-05-21 02:05:23 UTC
by Koon Yaw Tan (Version: 1)
Most anti-virus vendors have already released signatures to detect the malware exploiting this MS Word vulnerability. By now, I hope you have got all your AV signatures updated. Although relying on a virus scanner is not foolproof (especially against new variants), it is better than nothing (remember defense-in-depth).

At your firewall and IDS you may want to monitor outbound traffic to the following domains, as connections or lookups for them may indicate compromised hosts:
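Added example (not part of the original diary): a small watchlist check run over constructed DNS query-log and proxy access-log lines, the way you would look for the hosts that reached for the domains above. The watchlist domains are placeholders under the reserved .invalid TLD because the diary's own list is not reproduced here; the log formats are BIND-style and Squid-style samples written for this example. Matching is done on label boundaries so that a lookalike such as notbad-example.invalid does not trip on a watched bad-example.invalid.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watchlist standing in for the diary's domain list; .invalid is a reserved TLD
# (RFC 2606), so these names can never resolve and are safe placeholders.
WATCHLIST = {"c2-example.invalid", "bad-example.invalid"}


def matched_domain(hostname: str, watchlist=WATCHLIST):
    """Return the watched domain that hostname equals or is a subdomain of, else None.
    The comparison is on label boundaries: 'notbad-example.invalid' does not match
    'bad-example.invalid', but 'update.bad-example.invalid' does. Longest entry wins."""
    host = hostname.rstrip(".").lower()
    for domain in sorted(watchlist, key=len, reverse=True):
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample logs: a BIND-style query log and a Squid native access log
DNS_LOG = """\
20-May-2006 14:02:11.123 client 10.1.2.15#3421: query: update.bad-example.invalid IN A +
20-May-2006 14:02:12.001 client 10.1.2.99#1032: query: isc.sans.org IN A +
20-May-2006 14:02:13.456 client 10.1.2.15#3422: query: notbad-example.invalid IN A +
"""
PROXY_LOG = """\
1148133731.000    120 10.1.2.40 TCP_MISS/200 512 GET http://c2-example.invalid/check.php - DIRECT/192.0.2.10 text/html
1148133732.000     80 10.1.2.41 TCP_MISS/200 1024 GET http://www.microsoft.com/ - DIRECT/192.0.2.20 text/html
"""

DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def hits_from_dns(log: str) -> dict:
    """Internal IP -> watched domains it asked the resolver for."""
    hits = defaultdict(set)
    for m in DNS_RE.finditer(log):
        domain = matched_domain(m.group("name"))
        if domain:
            hits[m.group("ip")].add(domain)
    return hits


def hits_from_proxy(log: str) -> dict:
    """Internal IP -> watched domains it fetched through the proxy.
    Squid native format: time elapsed client code/status bytes method URL ident hierarchy type."""
    hits = defaultdict(set)
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        domain = matched_domain(urlsplit(url).hostname or "")
        if domain:
            hits[client].add(domain)
    return hits


def suspected_hosts(dns_log: str, proxy_log: str) -> dict:
    """Merge both sources into one map of internal IP -> watched domains reached."""
    merged = defaultdict(set)
    for source in (hits_from_dns(dns_log), hits_from_proxy(proxy_log)):
        for ip, domains in source.items():
            merged[ip] |= domains
    return dict(merged)


if __name__ == "__main__":
    for ip, domains in sorted(suspected_hosts(DNS_LOG, PROXY_LOG).items()):
        print(ip, "->", ", ".join(sorted(domains)))
```

On real logs, feed the resolver's query log rather than only the proxy log: a bot that connects directly on a non-proxied port still has to resolve its controller's name first, and the DNS side catches that.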

If you filter Word attachments at your gateway, the filter should key on the actual Word file type (the file's content) and not on the file extension alone: a renamed .doc is still opened by Word when the user double-clicks it from an e-mail client that sniffs the content.

US-CERT has released a security alert on the Microsoft Word vulnerability.

Below are stories from ISC on this topic. We will update as we have more detailed information.

Word 0-day, recommended defenses

Targeted attack: Word exploit
- More AV vendor links have been added.

Targeted attack: experience from the trenches

Microsoft has put up a new article, A quick check-in on the Word vulnerability (thanks Juha-Matti). Part of the article is extracted below:

First off on the vulnerability itself: I want to reiterate we're hard at work on an update.  The attack vector here is Word documents attached to an email or otherwise delivered to a user's computer.  The user would have to open it first for anything to happen.  That information isn't meant to say the issue isn't serious, it's just meant to clearly denote the scope of the threat.

Now, we've received singular reports of attacks and have been working directly with the couple of customers thus far affected.  In analyzing the malware we've added detection to the Windows Live Safety Center, and we've passed all that information over to our antivirus partners.  But in breaking down the current malware we discovered some commonality to the current attack.  The attack we've seen is email based.  The emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses. 

Currently two of the subject lines we have seen are: 

RE Plan for final agreement

The attack we have seen so far requires admin rights, so limitations on user accounts can help here. I want to repeat that customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY) and international customers by using any method found at this location:

So far, this is a *very* limited attack, and most of our antivirus partners are rating this as "low".  But we're working to investigate any variants we might see to make sure detection is out there, as well as working on the update to address the vulnerability.
