W97M/Dropexe
- Type
- Trojan
- SubType
- Macro
- Discovery Date
- 04/21/2006
- Length
- Varies
- Minimum DAT
- 4746 (04/21/2006)
- Updated DAT
- 4831 (08/17/2006)
- Minimum Engine
- 5.1.00
- Description Added
- 04/21/2006
- Description Modified
- 06/27/2006 2:36 PM (PT)
Characteristics
-- Update June 27, 2006 --
A large spam run is underway. The email messages contain a ZIP attachment, such as:
- apple_prices.zip
- prices_zip
- sony_prices.zip
The ZIP file contains a DOC file:
- my_notebook.doc
The DOC file attempts to exploit a five-year-old vulnerability (MS01-034) to auto-run the macro it contains.
When the macro inside the DOC file is allowed to run, a downloader trojan is written to the root of the C:\ drive and executed:
- 666INSE_1.EXE
This EXE contains three decoy URLs and one encrypted URL. The encrypted URL points to a file infected with W32/Sality.t.
--
This is a generic detection for Microsoft Word 97 (and higher) documents that contain a macro to drop and run executable files.
Symptoms
There are no obvious signs of infection.
Method of Infection
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A