Last Updated: 2006-05-22 13:18:53 UTC
by Chris Carboni (Version: 2)
What we know so far is that when the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.
Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..
Thanks again to Michael for reporting the incident to us and all the handlers who have helped in the ongoing analysis.
McAfeeMcAfee detects the Word document with the 4766 definition file as Exploit-OleData.gen and also associates Backdoor-CKB!cfaae1e6 with this exploit. (Thanks James!)
File size: 233472 bytesAnother payload is observed: BackDoor-CKB!6708ddaf
SymantecThanks to juha-matti for finding a few more references:
F-secureThis one from an anonymous reader
From the Microsoft Security Response Center we understood that they are developing a patch and expect it to be for inclusion in the next 2nd tuesday update. Their full recommendation:
Microsoft is investigating new public reports of a "zero-day" attack using a vulnerability in Microsoft Word XP and Microsoft Word 2003. In order for this attack to be carried out, a user most first open a malicious Word document attached to an e-mail or otherwise provided to them by an attacker. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary.
Microsoft is completing development of a security update for Microsoft Word that addresses this vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted.
Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://www.microsoft.com/security.
As always, Microsoft encourages customers to follow its "Protect Your PC" guidance of enabling a firewall, applying all security updates and installing anti-virus software. Customers can learn more about these steps at http://www.microsoft.com/protect.
Ivan from Trendmicro sent us where their updates can be found. Thanks Ivan!
Trojanized Word document files:
Alexander sent us information about updates from Kaspersky.
Trojanized Word document file: