Exploit-WordPad.a

Type: Trojan
SubType: Exploit
Discovery Date: 12/09/2008
Length: Various
Minimum DAT: 5460 (12/10/2008)
Updated DAT: 5767 (10/10/2009)
Minimum Engine: 5.1.00
Description Added: 12/09/2008
Description Modified: 12/10/2008 10:34 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update December 11, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to disclosure at:
http://www.microsoft.com/technet/security/advisory/960906.mspx
--

This is a generic detection for exploits targeting a Microsoft WordPad text converter vulnerability. Earlier DATs may detect this threat as the Exploit-MSWord.a or Exploit-MSWord.b trojan.

When successful, the exploit may install further malware and display a clean RTF document to the victim to disguise its malicious behavior.

Variants of this exploit discovered in the wild were found to drop files such as the following:

  • %Temp%\svchost.exe (BackDoor-DKI)

For more information about the vulnerability, please refer to the vendor's advisory at:

Symptoms

  • Presence of the mentioned dropped file(s).
  • WordPad unexpectedly closing and re-opening the document.
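
The dropped-file symptom can be checked on an endpoint with a short PowerShell script; this is an added example, not vendor tooling. It assumes a local, elevated PowerShell 4.0+ session, inspects only the current account's Temp directory and the system Temp directory, and its variable and property names are illustrative.

```powershell
# Added example (not vendor tooling): look for svchost.exe outside the Windows
# system directories, the dropped-file symptom listed above.
# Assumption: run locally from an elevated PowerShell 4.0+ session.

# Legitimate locations of the Service Host binary.
$legit = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$findings = @()

# 1. File check: svchost.exe sitting in the user or system Temp directory.
foreach ($dir in @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))) {
    $candidate = Join-Path $dir 'svchost.exe'
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $file = Get-Item -LiteralPath $candidate -Force
        # Hashing can fail if the file is locked; the hash is then left empty.
        $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Source    = 'File'
            Path      = $file.FullName
            Created   = $file.CreationTime
            SHA256    = $hash.Hash
            ProcessId = $null
        }
    }
}

# 2. Process check: a running svchost.exe whose image is not in a system directory.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    # ExecutablePath is empty when the session lacks rights to query the process.
    if ($_.ExecutablePath -and ($legit -notcontains $_.ExecutablePath)) {
        $findings += [pscustomobject]@{
            Source    = 'Process'
            Path      = $_.ExecutablePath
            Created   = $_.CreationDate
            SHA256    = $null
            ProcessId = $_.ProcessId
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No svchost.exe found outside the system directories.' }
```

A clean result covers only the file name listed above; the description says variants drop files "such as" this one, so other names are possible.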

 

 

Method of Infection

This exploit targets a Microsoft WordPad text converter vulnerability.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A
