VIRUS ALERTS

Trojan MSWord-Exploit

Original issue date: February 01, 2007

The trojan MSWord-Exploit has been observed circulating in the wild, exploiting the unspecified string-handling memory corruption vulnerability in Microsoft Word described in CIVN-2007-07. The trojan arrives as an attachment in e-mail messages, or may be dropped on the affected system by other malware.

Aliases:

  • Trojan.Mdropper.W (Symantec)
  • Trojan-Dropper.MSWord.1Table.cq (Kaspersky)
  • Exploit-MSWord.d (McAfee)
  • TrojanDropper:Win32/Controlwod.E (Microsoft)
  • TROJ_MDROPPER.EQ (Trend Micro)

Upon execution, the trojan:

  • exploits the vulnerability in Microsoft Word to execute shellcode.
  • creates the following malicious files in the Windows temporary folder and the Windows installation folder:
    %Temp%\ahah.exe
    %Temp%\sav.exe
    %Windir%\dominoo.exe
    %Windir%\inetsyschk.dll
    %Temp%\Summary on China's 2006 Defense White paper.doc
  • tries to connect to various websites to check for Internet connectivity.
  • opens a backdoor on TCP port 80.
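The dropped files listed above can be used as host indicators. The following sweep is an added example, not CERT-In's own tooling; the function names `sweep` and `sweep_host` are assumptions, and a matching file name is a lead to investigate rather than proof of infection.

```python
import os
from pathlib import Path

# Dropped-file indicators exactly as listed in the alert.
INDICATORS = [
    r"%Temp%\ahah.exe",
    r"%Temp%\sav.exe",
    r"%Windir%\dominoo.exe",
    r"%Windir%\inetsyschk.dll",
    r"%Temp%\Summary on China's 2006 Defense White paper.doc",
]


def sweep(roots):
    """Return the indicators whose file exists under the given roots.

    roots maps a variable name ("Temp", "Windir") to a directory path.
    File names are compared case-insensitively, as Windows does.
    """
    # Ignore unset variables so an empty value never resolves to the cwd.
    dirs = {k.lower(): Path(v) for k, v in roots.items() if v}
    hits = []
    for indicator in INDICATORS:
        var, _, name = indicator.partition("\\")
        base = dirs.get(var.strip("%").lower())
        if base is None or not base.is_dir():
            continue
        present = {p.name.lower() for p in base.iterdir() if p.is_file()}
        if name.lower() in present:
            hits.append(indicator)
    return hits


def sweep_host():
    """Sweep this host. %TEMP% is per-user, so only the current
    account's temporary folder is covered by one run."""
    return sweep({"Temp": os.environ.get("TEMP", ""),
                  "Windir": os.environ.get("WINDIR", "")})


if __name__ == "__main__":
    for hit in sweep_host():
        print("indicator present:", hit)
```

Run it once per user profile on a suspect machine, since each account has its own temporary folder.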

Since the above-mentioned vulnerability is still unpatched, users are advised to implement the following countermeasures in view of the high propagation vector of the trojan.

  • Keep anti-virus signatures up to date.
  • Do not open or save Word documents or attachments from untrusted sources, or those received unexpectedly from trusted sources.
  • Apply appropriate security updates at the OS level.
  • Keep anti-spyware software up to date.

References:

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-011813-0435-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EEQ&VSect=P

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003