Word macro trojan dropper and (another) downloader

Published: 2006-06-27
Last Updated: 2006-06-27 22:41:08 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

We've seen a lot of new malware being spammed in last couple of hours.

The first malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros regardless of the macro security level the user has configured in Microsoft Word. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro settings are on High by default, so only macros signed by trusted sources are executed - all other macros are disabled. A user would have to change this setting to Medium (so they get asked) or Low in order to run this macro. The Word document comes in a ZIP file and, once executed, installs a Trojan. Detection on the Word document is pretty good at the moment.
The document pretends to list computer prices:

The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive. Besides the e-mail telling the user there's a nice photo in the attachment, the executable name will be like DC0019.JPG__[lots of _]__JPG.exe, so the real .exe extension is pushed out of view.
The executable always seems to be in a ZIP archive, but sometimes it is encrypted (and in this case the password is in the e-mail body) and sometimes it's not.
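The padded double-extension trick above is easy to catch at the mail gateway by inspecting the ZIP's central directory rather than extracting anything. The following is an added example, not code from the diary or from any of the AV products mentioned: it flags member names that put an image or document extension in front of a run of underscores and a trailing executable extension, and it reports encrypted members separately because the lure archive is sometimes password-protected. The regular expressions, function names and the sample archive are my own construction.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Lure shape from the diary: DC0019.JPG__[lots of _]__JPG.exe. An image-looking
# stem, two or more underscores as padding, then a real executable extension.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(jpe?g|gif|png|bmp|doc|pdf|txt)_{2,}.*\.(exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)
# The plain variant (readme.txt.exe) without padding.
PLAIN_DOUBLE_EXT = re.compile(
    r"\.(jpe?g|gif|png|bmp|doc|pdf|txt)\.(exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)


def classify_name(name: str) -> Optional[str]:
    """Return a reason string if a member name looks like a disguised executable."""
    base = name.rsplit("/", 1)[-1]  # ignore any directory part inside the archive
    if PADDED_DOUBLE_EXT.search(base):
        return "padded double extension"
    if PLAIN_DOUBLE_EXT.search(base):
        return "double extension"
    return None


def scan_zip(data: bytes) -> List[Dict]:
    """Inspect a ZIP attachment's directory entries without extracting anything.

    Returns one finding per member that is either a disguised executable or
    encrypted. Member names are readable even when the contents are
    password-protected, which is why this works on the encrypted lure too.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general purpose bit 0
            reason = classify_name(info.filename)
            if reason or encrypted:
                findings.append({
                    "member": info.filename,
                    "reason": reason,
                    "encrypted": encrypted,
                    "size": info.file_size,
                })
    return findings


def build_sample_zip() -> bytes:
    # Constructed sample archive: names mimic the diary's lure, contents are
    # placeholder bytes, not malware.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DC0019.JPG" + "_" * 60 + "__JPG.exe", b"MZ placeholder")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff placeholder")
        zf.writestr("readme.txt.exe", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

Because only the central directory is read, the check costs nothing in CPU and never touches the payload; an archive whose members are encrypted and whose password arrives in the message body is itself a strong signal worth quarantining on, independent of the filename.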

Once executed, the downloader will install on the system and try to download two files:

http://  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// /flash/menu.swf

This is hosted on a site in Korea, and the last time we checked the file was not there.

AV detection is pretty low at the moment and only a couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).
