Exploit-OleData.gen

Type: Trojan
SubType: Generic
Discovery Date: 05/16/2006
Length: Varies
Minimum DAT: 4763 (05/16/2006)
Updated DAT: 5284 (04/29/2008)
Minimum Engine: 5.1.00
Description Added: 05/16/2006
Description Modified: 05/22/2006 9:58 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

Varies, since this is a generic detection of exploit code rather than any specific payload detection.

Symptoms

Varies, since this is a generic detection of exploit code rather than any specific payload detection.

Method of Infection

Varies

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

    N/A

Overview

-- Update May 22, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Word+flaw+used+in+attack+waits+for+fix/2100-1002_3-6074403.html

-- Update May 19, 2006 --
A 0-day attack was discovered recently that is reportedly effective on Microsoft Word 2003. McAfee AVERT Labs is currently analyzing this vulnerability. Two different exploit samples are known to exist, each with a different payload:

  • BackDoor-CKB!cfaae1e6 (Word exploit code extracts an embedded and encrypted exe file to temp\csrse.exe and executes it)
  • BackDoor-CKB!6708ddaf (Word exploit code extracts an embedded and encrypted exe file to c:\~.exe and executes it)

The malicious DOC files may arrive in email with filenames like PLAN.DOC or FINAL.DOC. Microsoft Word XP and 2003 are known to be affected.

This is a generic detection covering OLE documents attempting to exploit different buffer overflow vulnerabilities in Microsoft Word.