Twin Trojans use PowerPoint to spread

Updated: Two new Trojan horse programs are exploiting a vulnerability in PowerPoint, researchers say. But Microsoft denies there's a new flaw.

Updated Tuesday, Aug. 22 with comments from Microsoft.

Two new Trojan horse programs are using PowerPoint to spread, security researchers warned over the weekend, but it's unclear if the malware is exploiting a new PowerPoint flaw or the vulnerabilities Microsoft patched Aug. 8.

A vulnerability researcher believes it is a new flaw, but Microsoft disagrees.

Tokyo-based antivirus vendor Trend Micro Inc. said it first received samples late last week for Troj.Mdropper-BH. In an analysis on its Web site, Trend Micro said the Trojan is spread using a specially crafted PowerPoint file that is either downloaded from the Internet or dropped on machines by other malware.

If it is successfully downloaded onto a vulnerable machine, Trend Micro said the Trojan checks for the Windows temporary folder in the following path: C:\Documents and Settings\{current user}\Local Settings\Temp. If the path doesn't exist on the machine, it will check for the folder in the following paths: C:\Windows\Temp or C:\WINNT\Temp.

It will then drop a randomly named .exe file in the Windows temporary folder. The .exe file contains the second Trojan, which Trend Micro calls Troj.Small-CMZ. When executed, Troj.Small-CMZ waits for an active Internet connection and attempts to access the following URLs to download and execute possibly malicious files: http://61.{BLOCKED}8.35/images/link/ and http://www.th{BLOCKED}st.com.tw/upload/. As of Monday, however, the URLs were not available.

The malware targets machines running Windows 98, ME, NT, 2000, XP and Server 2003.

The Bethesda, Md.-based SANS Internet Storm Center (ISC) posted advisories on the issue over the weekend, but was still trying to determine Monday if the malware was targeting a new PowerPoint flaw or the ones Microsoft patched earlier this month.

"They sound very similar to issues reported last July," ISC handler Brian Granier wrote on the center's Web site. "The question remains whether this is truly a new vulnerability, if Microsoft failed to fix the root cause with MS06-048 or if MS06-048 addresses these issues."

But Helsinki, Finland-based security researcher Juha-Matti Laurio believes the flaw is different from those patched in the MS06-048 update.

"I absolutely believe this is a totally new issue because the payload works on a fully patched Microsoft Office workstation," Laurio said in an email exchange Monday. "Vulnerabilities fixed in MS06-048 are different issues. However, it is possible that this vulnerability is related to some issues fixed in MS06-048."

Laurio said he shared his findings with Microsoft Saturday, and that the software giant said it was investigating.

In an FAQ published on the SecuriTeam blog Sunday, Laurio said the flaw is caused by an unknown error when processing malformed PowerPoint documents. Attackers could exploit the flaw to run malicious code on vulnerable machines.

A Microsoft spokesman said that based on an initial investigation, the company has concluded that there is no new PowerPoint flaw.

"Microsoft's initial investigation has revealed that this is not a new zero-day vulnerability," he said in an email exchange. "Microsoft is actively working ... to verify those findings and will provide additional information and customer guidance once the investigation is complete."

Dig deeper on Securing Productivity Applications

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close