Exploit-MSWord.b

Type: Malware
SubType: Exploit
Discovery Date: 12/09/2006
Length: Varies
Minimum DAT: 4915 (12/10/2006)
Updated DAT: 5220 (01/31/2008)
Minimum Engine: 5.1.00
Description Added: 12/09/2006
Description Modified: 01/31/2008 3:26 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update January 31, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9059919&intsrc=hm_list

-- Update January 31, 2008 --

This week, McAfee Avert Labs discovered a number of Word documents touting news about Tibet and the Olympics. Many of these documents were found to be exploiting a Microsoft Word vulnerability patched in MS07-014 and were proactively detected as below:

  • DIRECTORY OF TIBET SUPPORT GROUPS IN INDIA.doc (Exploit-MSWord.b - since 4915 DATs, December 10th, 2006 with heuristics)
  • Disapppeared in Tibet.doc (Exploit-MSWord.e - since 4952 DATs, January 30th, 2007 with heuristics)
  • 2007-07 DRAFT Tibetan MP London schedule.doc (Exploit-1Table - since 5030 DATs, May 14th, 2007)

Other documents were found to be exploiting an older vulnerability patched in MS06-027 and were proactively detected as Exploit-MS06-027. Due to the nature of such exploits, some heuristic detections may be limited to gateway and e-mail scanners.


This detection covers malformed Word Document files that attempt to exploit a new Microsoft Word vulnerability that has been patched by the vendor in MS07-014. When such a file is opened in Microsoft Word XP or 2003, it causes a buffer overflow that can lead to arbitrary code execution on the targeted system.

McAfee Host IPS customers are proactively protected from this threat with sig 3754.

McAfee Avert Labs is currently investigating this threat. The vendor for the affected software has been notified for a security patch. More information will be posted here when available.

More details of this vulnerability at:

 

 

Symptoms

Microsoft Word crashing or the unexpected execution of a dropped PE file.

Method of Infection

This threat exploits a new Microsoft Word vulnerability.

Removal

All Users:
Use the specified engine and DAT files for detection and removal. This detection is also available in the current Beta DATs.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This detection covers malformed Word Document files that attempt to exploit a new Microsoft Word vulnerability. When such a file is opened in Microsoft Word XP or 2003, it causes a buffer overflow that can lead to arbitrary code execution on the targeted system.

Aliases

  • TROJ_MDROPPER.GG (TrendMicro)
  • TROJ_MDROPPER.TG (TrendMicro)
  • Trojan-Dropper.MSWord.Agent.l (Kaspersky)
  • Trojan-Dropper.MSWord.Agent.u (Kaspersky)
  • Trojan.Mdropper.X (Symantec)
