SANS ISC: InfoSec Handlers Diary Blog
Trojan.Mdropper.Q / Email Attachment Practices / Word 2000 0-day

Published: 2006-09-06
Last Updated: 2006-09-06 19:31:47 UTC
by Michael Haisley (Version: 4)
0 comment(s)
Thanks to frequent reader Juha-Matti Laurio for sending us a note about Trojan.Mdropper.Q and the previously unknown Microsoft Word 2000 vulnerability that comes with it.  Trojan.Mdropper.Q activates when a file containing it is opened, and then installs a backdoor on the machine.  Fortunately, as with most Office vulnerabilities, a user has to actually open the file before the trojan can be activated.  Generally my advice to users is not to open files that they are not expecting, even if they know the person who sent the file.  This one has made me curious, though: what do other system admins recommend to their users?  Do you have a policy on email attachments?  Is this policy automatically enforced?
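As an added example of what "automatically enforced" can mean at a mail gateway (this is not part of the diary and not a SANS, Symantec or Microsoft tool), the script below parses a message and applies a simple attachment policy: executables are quarantined outright, legacy Office documents are accepted only from an allow list of senders and only if they really are OLE2 compound documents (so a renamed executable cannot pass as ".doc"), and the 79,265-byte size Symantec published for Trojan.Mdropper.Q is treated as a weak indicator. The allow list, the sample message and the policy thresholds are all constructed for the example.

```python
"""Added example (not from the ISC diary): a minimal, automatically enforced
email attachment policy of the kind the diary asks readers about.

Policy modelled here (assumptions for the example, not a vendor recommendation):
  * attachments with a blocked extension are quarantined outright;
  * legacy Office documents (.doc etc.) are accepted only from allow-listed
    senders, and the payload must carry the OLE2 compound-document header;
  * a payload of exactly 79,265 bytes (the Trojan.Mdropper.Q size reported by
    Symantec) is quarantined as a weak indicator regardless of sender.
"""
from __future__ import annotations

import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy Office (.doc/.xls/.ppt) files
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
REVIEW_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}  # legacy Office: require a trusted sender
TRUSTED_SENDERS = {"accounting@example.com"}  # constructed allow list
MDROPPER_Q_SIZE = 79265  # size reported by Symantec, per the diary


def check_attachment(sender: str, filename: str, payload: bytes) -> tuple[str, str]:
    """Apply the policy to one attachment; return (verdict, reason)."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return "quarantine", f"blocked extension {ext}"
    if len(payload) == MDROPPER_Q_SIZE:
        return "quarantine", "size matches Trojan.Mdropper.Q indicator"
    if ext in REVIEW_EXTENSIONS:
        if not payload.startswith(OLE2_MAGIC):
            return "quarantine", f"{ext} attachment is not an OLE2 document"
        if sender.lower() not in TRUSTED_SENDERS:
            return "quarantine", f"{ext} attachment from untrusted sender {sender}"
    return "allow", "policy passed"


def scan_message(raw: bytes) -> list[tuple[str, str, str]]:
    """Parse a raw RFC 822 message and return (filename, verdict, reason) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        verdict, reason = check_attachment(sender, name, payload)
        results.append((name, verdict, reason))
    return results


def build_sample_message(sender: str, attachments: list[tuple[str, bytes]]) -> bytes:
    """Construct a sample message (test data, not a real capture) with the given attachments."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Please review"
    msg.set_content("See attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message(
        "stranger@example.net",
        [
            ("report.doc", OLE2_MAGIC + b"\x00" * 512),   # real .doc, but untrusted sender
            ("invoice.doc", b"MZ" + b"\x00" * 512),       # executable renamed to .doc
            ("notes.txt", b"plain text"),
        ],
    )
    for name, verdict, reason in scan_message(sample):
        print(f"{name}: {verdict} ({reason})")
```

The checks run in order of cost and certainty: extension first, then the size indicator, then the content check, so a renamed executable is caught even when the sender is trusted. In production the size match would be replaced by the antivirus signature the diary mentions; it is shown here only to illustrate how a newly published indicator drops into an enforced policy.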

Update #1

It appears Symantec has updated their site to include the size of the Trojan: 79,265 bytes.    Happy Antivirus updating!

Update #2

Juha-Matti writes to tell us that Securiteam has posted an entry about this vulnerability on their blog.  Check out their post here.  McAfee is calling this one W32/MoFei.worm.dr, and has a writeup about the Trojan here.  Which vulnerability it exploits is still unknown.

Update #3

Microsoft published some news about the "0-day" in MS Word here.  They offer two pieces of advice.
1) Don't open Word files from people you don't know.  (This goes back to not eating candy until your parents look at it at Halloween, and not opening the door for strangers.)
2) Use the Word Viewer.

Of course Microsoft publishes great "Suggested Actions".

Protect your PC by enabling a firewall (which, btw, does not keep Word files out)

In fact one of Microsoft's suggested actions is: "Keep Windows Updated"...  we'd love to, if there were a fix for the problem!

Let's hope they get it patched as soon as possible.

Media sanitization NIST website

Published: 2006-09-03
Last Updated: 2006-09-03 23:03:30 UTC
by Michael Haisley (Version: 2)
0 comment(s)
Yesterday's Diary had an article on Media Sanitization that linked to NIST guidelines, questioning conventional wisdom with regard to media sanitization policies.  Yesterday, NIST was having a few problems with their web server, but the guidelines are now back online for your viewing pleasure.
