Exploit-MSWord.k

Type: Trojan
SubType: Exploit
Discovery Date: 02/13/2009
Length: 3,871 bytes
Minimum DAT: 5525 (02/13/2009)
Updated DAT: 5643 (06/11/2009)
Minimum Engine: 5.3.00
Description Added: 02/13/2009
Description Modified: 02/17/2009 4:21 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This detection covers a malicious Microsoft Word (.doc) document with a file size of 3,871 bytes that attempts to exploit the CVE-2009-0075 vulnerability, patched by Microsoft in the MS09-002 security update.

The Word document uses the XML file format. Upon opening the .doc file, Word may crash. However, it does not always crash: on some occasions nothing directly malicious is visible and Word opens the .doc file normally. A small red cross might be seen briefly (about a second or two) at the upper left of the page.

There are no macros visibly embedded inside the .doc file.

However, the file attempts to connect to an HTTP address.

A closer examination shows that it contains an object with classid "CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389".

This is a reference to the Microsoft Scriptlet Component, implemented in mshtml.dll.

The object is named DefaultOcxName and carries a param with name=URL and value="http://www.chen####.com/bbs/images/alipay/mm/jc/jc.html".

The exact URL is omitted on purpose here. The document tries to access the above website and download a file called "jc.html"; upon testing, this file had a file size of 9,892 bytes. It is an obfuscated JavaScript file and is detected as the Exploit-XMLhttp.d trojan with DAT 5525 and above.
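As an added example (not part of the McAfee description), the following Python scanner flags a Word XML document that embeds an object referencing the Scriptlet Component CLSID named above and lists any URLs found beneath that object. The sample document and its URL are constructed, and the HTML-style <object>/<param> layout is an assumption, since the page does not show the exact markup; the scanner therefore matches on the CLSID value regardless of element or attribute names.

```python
import re
import xml.etree.ElementTree as ET

# CLSID of the Microsoft Scriptlet Component cited in the description (matched case-insensitively).
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix from an element or attribute name."""
    return tag.rsplit("}", 1)[-1]


def scan_wordml(xml_text: str) -> list:
    """Return one finding per element whose attributes reference the Scriptlet CLSID.

    Each finding records the element name, the attribute that carried the CLSID,
    and every URL found in attribute values or text within that element's subtree.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        hit = next((k for k, v in elem.attrib.items() if SCRIPTLET_CLSID in v.upper()), None)
        if hit is None:
            continue
        urls = []
        for node in elem.iter():  # includes elem itself and all descendants
            for value in list(node.attrib.values()) + [node.text or ""]:
                urls.extend(URL_RE.findall(value))
        findings.append({"element": _local(elem.tag), "attribute": _local(hit), "urls": urls})
    return findings


# Constructed sample (not the real document): a WordML skeleton carrying an embedded
# object in the <object>/<param> layout suggested by the description text.
SAMPLE = """<?xml version="1.0"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
  <w:body><w:p><w:r><w:t>Hello</w:t></w:r>
    <object classid="CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389" id="DefaultOcxName">
      <param name="URL" value="http://example.invalid/jc/jc.html"/>
    </object>
  </w:p></w:body>
</w:wordDocument>"""

if __name__ == "__main__":
    for finding in scan_wordml(SAMPLE):
        print(finding)
```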

Symptoms

  • Upon opening the .doc file in Word, Word might crash completely.
  • Unexpected network traffic upon opening the file.
  • Presence of the mentioned file "jc.html", having a filesize of 9,892 bytes.

Method of Infection

  • Infection starts with the user opening the .doc file in Word, after which the file jc.html is downloaded onto the system.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).


Variants

N/A

Aliases

  • XML_DLOADER.A (Trend)
