Exploit-MSWord.i

Type
Trojan
SubType
Exploit
Discovery Date
07/09/2008
Length
Varies
Minimum DAT
5335 (07/09/2008)
Updated DAT
5889 (02/11/2010)
Minimum Engine
5.1.00
Description Added
07/09/2008
Description Modified
09/04/2009 3:19 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update September 4, 2009 --
A new malware sample was discovered that exploits the vulnerability in Microsoft Word 2002 SP3 and 2003 described in MS06-027.

Please refer to the following page for more information on this vulnerability:

(http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx)

When successful, the following files are dropped and installed:

  • %UserProfile%\Local Settings\Temp\rundll32.exe (Generic Keylogger.ae trojan)

(%UserProfile% is the Windows user profile folder, e.g. C:\Documents and Settings\USER; %SystemDir% is the Windows system folder, e.g. C:\Windows\System32.)

The malware may also drop the following configuration files:

  • "C:\config.ini"
  • "C:\os32.ini"
  • "C:\usrer.ini"
  • "C:\usr_32.ini"

The dropped malware attempts to connect to a remote server:

  • wdmlgt.8866.org
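The following triage script is an added example and is not part of the McAfee description: it checks a list of file paths and DNS query log lines against the indicators listed above (the dropped rundll32.exe, the root-level INI files and the wdmlgt.8866.org domain). The sample paths, the log line format and the client addresses are constructed for illustration. The script generalizes the first indicator slightly: the legitimate rundll32.exe lives in %SystemDir%, so any copy running from another directory is flagged, not only the %UserProfile%\Local Settings\Temp path named above.

```python
"""Offline IOC triage for the Exploit-MSWord.i update (September 4, 2009)."""
import re
from pathlib import PureWindowsPath

# Indicators taken from the description above.
DROPPED_BINARY = "rundll32.exe"
# Directories where a genuine rundll32.exe is expected (%SystemDir% and its 32-bit twin).
LEGIT_RUNDLL32_DIRS = {"system32", "syswow64"}
CONFIG_FILES = {r"c:\config.ini", r"c:\os32.ini", r"c:\usrer.ini", r"c:\usr_32.ini"}
C2_DOMAIN = "wdmlgt.8866.org"

# Assumed log line layout (constructed for this example):
#   <date> <time> <client-ip> query <record-type> <queried-name>
DNS_LINE = re.compile(r"^\S+ \S+ (?P<client>\S+) query \S+ (?P<name>\S+)$")


def classify_path(path):
    """Return an indicator label for a file path, or None when it is not an IOC."""
    p = PureWindowsPath(path)
    if p.name.lower() == DROPPED_BINARY:
        # rundll32.exe is legitimate only under the Windows system directories.
        if p.parent.name.lower() in LEGIT_RUNDLL32_DIRS:
            return None
        # The variant described above drops it under %UserProfile%\Local Settings\Temp.
        return "dropped-keylogger"
    # Config files are matched on the full path: the IOCs sit at the root of C:\.
    if str(p).lower() in CONFIG_FILES:
        return "config-file"
    return None


def scan_paths(paths):
    """Return (path, label) pairs for every path that matches an indicator."""
    hits = []
    for path in paths:
        label = classify_path(path)
        if label is not None:
            hits.append((path, label))
    return hits


def scan_dns_log(lines):
    """Return (client, queried-name) pairs for queries to the C2 domain or its subdomains."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unrecognised line layout; skip rather than guess
        name = m.group("name").lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.append((m.group("client"), name))
    return hits


# Constructed sample input for demonstration; not real host or log data.
SAMPLE_PATHS = [
    r"C:\Windows\System32\rundll32.exe",                                  # legitimate
    r"C:\Documents and Settings\alice\Local Settings\Temp\rundll32.exe",  # dropped keylogger
    r"C:\config.ini",
    r"C:\OS32.INI",                                                       # case differs, still an IOC
    r"C:\Program Files\Foo\config.ini",                                   # not at the root, ignored
]
SAMPLE_DNS_LOG = [
    "2009-09-04 10:12:03 192.0.2.15 query A www.example.com",
    "2009-09-04 10:12:41 192.0.2.15 query A wdmlgt.8866.org",
    "2009-09-04 10:13:02 192.0.2.22 query A update.microsoft.com",
    "garbage line that does not match the layout",
]

if __name__ == "__main__":
    for path, label in scan_paths(SAMPLE_PATHS):
        print(f"[file] {label}: {path}")
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"[dns]  {client} queried {name}")
```

Run it against a real file listing (for example the output of `dir /s /b` from the affected host) and the DNS server's query log; the rundll32.exe check is the one most worth keeping, since a rundll32.exe under a user's Temp folder is suspicious regardless of which variant dropped it.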

--

This is a generic detection for exploits that target an unidentified Microsoft Word vulnerability.

When successful, the exploit installs a payload that executes further malicious code on the victim's machine. At the time of writing, the payload consists of a backdoor component detected as BackDoor-DKI.

Symptoms

  • Microsoft Word crashes unexpectedly when opening a Word document.
  • An unexpected file executes when a Word document is opened.

Method of Infection

This malware exploits a Microsoft Word vulnerability to execute malicious code when a specially crafted Word document is opened.


Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Variants

    N/A
