Exploit-MS06-027

Type: Trojan
SubType: Exploit
Discovery Date: 05/19/2006
Length: Varies
Minimum DAT: 4766 (05/19/2006)
Updated DAT: 5746 (09/19/2009)
Minimum Engine: 5.1.00
Description Added: 06/14/2006
Description Modified: 01/31/2008 3:04 AM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This detection covers files attempting to exploit a Microsoft Word malformed object pointer vulnerability (MS06-027). The severity of this vulnerability is rated Critical by the vendor.

This trojan was previously detected generically as Exploit-OleData.gen.

Such exploit files are triggered by opening a specially crafted malicious Word document, and the end result could be the silent installation of any number of viruses, trojans, and potentially unwanted programs. It was first discovered in the wild embedded with the BackDoor-CKB!cfaae1e6 and BackDoor-CKB!6708ddaf trojans.

A security patch is now provided by the vendor. More information on this vulnerability is available at:

Symptoms

Vary. This is a generic detection identifying files attempting to exploit a Microsoft Word vulnerability. As the detection searches for generic exploit code rather than a specific payload, it is not possible to list specific symptoms of this threat.

Method of Infection

This threat exploits a Microsoft Word malformed object pointer vulnerability. The complete list of affected versions and the security patch for this application are available in the vendor's security bulletin at:

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

-- Update January 31, 2008 --

This week, McAfee Avert Labs discovered a number of Word documents touting news about Tibet, China and the Olympics. Many of these documents were found to be exploiting a Microsoft Word vulnerability patched in MS06-027 and have been proactively detected by heuristics as Exploit-MS06-027 since the 4766 DATs (May 19th, 2006):

  • CHINA'S OLYMPIC TORCH OUT OF TIBET 1.doc
  • Free Tibet Olympics Protest on Mount Everest.doc
  • Hong Kong Parade Supports 19 Million CCP Withdrawals.doc

Other documents were found to be exploiting another vulnerability patched in MS07-014 and are detected as Exploit-MSWord.b. Due to the nature of such exploits, some detection may be limited to gateway, e-mail and on-demand scanners.

This trojan was previously detected generically as Exploit-OleData.gen.

-- Update May 22, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Word+flaw+used+in+attack+waits+for+fix/2100-1002_3-6074403.html

-- Update May 19, 2006 --
A 0-day attack was discovered recently that is reportedly effective on Microsoft Word 2003. McAfee AVERT Labs is currently analyzing this vulnerability. Two different exploit samples are known to exist, each with a different payload:

  • BackDoor-CKB!cfaae1e6 (Word exploit code extracts embedded and encrypted exe file to temp\csrse.exe and executes)
  • BackDoor-CKB!6708ddaf (Word exploit code extracts embedded and encrypted exe file to c:\~.exe and executes)

The malicious DOC files may arrive in email with filenames like PLAN.DOC or FINAL.DOC. Microsoft Word XP and 2003 are known to be affected.

This detection covers files attempting to exploit a Microsoft Word buffer overflow vulnerability (MS06-027). The severity of this vulnerability is rated Critical by the vendor.

Aliases

  • MSWord/OLEData_Ginwui.A!exploit (Fortinet)
  • TROJ_MDROPPER.BT (TrendMicro)
  • TROJ_MDROPPER.GI (TrendMicro)
  • TROJ_MDROPPER.GJ (TrendMicro)
  • TROJ_MDROPPER.GK (TrendMicro)
  • Trojan-Dropper.MSWord.1Table.bd (Kaspersky)
  • Trojan-Dropper.MSWord.1Table.ea (Kaspersky)
  • Trojan-Dropper.MSWord.Agent.u (Kaspersky)
  • Trojan.Mdropper.P (Symantec)
