Trojans found Word, Excel, PowerPoint – and Access

In May Trojans exploited an undocumented 0-day vulnerability in MS Word, as most readers probably remember.

In June several Trojans attacked MS Excel in turn.

In July several 0-day vulnerabilities were reported in MS PowerPoint.

Later in July the Trojan Backdoor.Pcclient.B, delivered by the dropper Trojan.Acdropper.B, exploited the unpatched Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability. What are these Trojans, in fact? They are MS Access Trojans spread via .MDB files.

Information about this remarkably old vulnerability, still unpatched, is available via NVD at CVE-2005-0944. HexView reported it in March ’05 and there is no patch or official Security Advisory from Microsoft available. Three separate public exploits have been released for this vulnerability.

The fact is that every Windows box with Msjet40.dll version 4.00.8618.0 or earlier installed is affected. This dll is shipped with Microsoft Access versions 2003, 2002, and 2000.
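A quick way for an administrator to turn the version threshold above into an inventory check, as an added example that is not code from the original post: it reads the binary file version of Msjet40.dll through the documented Win32 version-info API (GetFileVersionInfoSizeW / GetFileVersionInfoW / VerQueryValueW via ctypes) and compares it against 4.00.8618.0. The default path under System32 and the command-line interface are assumptions for illustration; the comparison logic runs on any platform, the file lookup only on Windows.

```python
"""Flag a Windows host whose Msjet40.dll is at or below 4.00.8618.0.

Added example (not from the original post). Assumes the DLL lives under
%SystemRoot%\\System32 unless a path is given; on 64-bit Windows the 32-bit
Jet 4.0 engine is installed under SysWOW64 instead, so pass that path there.
"""
import ctypes
import os
import sys

# Last affected build as stated in the post: this version and earlier are vulnerable.
LAST_VULNERABLE = (4, 0, 8618, 0)


def parse_version(text):
    """Turn '4.00.8618.0' into (4, 0, 8618, 0); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable_version(text):
    """True when the file version is at or below LAST_VULNERABLE (numeric, not string, order)."""
    return parse_version(text) <= LAST_VULNERABLE


class VS_FIXEDFILEINFO(ctypes.Structure):
    # Layout of the fixed version block returned by VerQueryValueW("\\").
    _fields_ = [(name, ctypes.c_uint32) for name in (
        "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
        "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask", "dwFileFlags",
        "dwFileOS", "dwFileType", "dwFileSubtype", "dwFileDateMS", "dwFileDateLS")]


def read_file_version(path):
    """Return the binary FileVersion of a PE file as 'a.b.c.d' (Windows only)."""
    version = ctypes.windll.version  # version.dll; only present on Windows
    size = version.GetFileVersionInfoSizeW(path, None)
    if size == 0:
        raise OSError(f"no version resource in {path}")
    buf = ctypes.create_string_buffer(size)
    if not version.GetFileVersionInfoW(path, 0, size, buf):
        raise ctypes.WinError()
    info = ctypes.POINTER(VS_FIXEDFILEINFO)()
    length = ctypes.c_uint32()
    if not version.VerQueryValueW(buf, "\\", ctypes.byref(info), ctypes.byref(length)):
        raise ctypes.WinError()
    ffi = info.contents
    return "{}.{}.{}.{}".format(ffi.dwFileVersionMS >> 16, ffi.dwFileVersionMS & 0xFFFF,
                                ffi.dwFileVersionLS >> 16, ffi.dwFileVersionLS & 0xFFFF)


def check_host(path=None):
    """Return (path, version, vulnerable) for the host's Msjet40.dll, or None if absent."""
    if path is None:
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "System32", "msjet40.dll")  # assumed default location
    if not os.path.exists(path):
        return None
    ver = read_file_version(path)
    return path, ver, is_vulnerable_version(ver)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("file-version lookup needs Windows; the comparison helpers still import elsewhere")
    result = check_host(sys.argv[1] if len(sys.argv) > 1 else None)
    if result is None:
        print("msjet40.dll not found: Access/Jet 4.0 engine apparently not installed")
    else:
        path, ver, vulnerable = result
        print(f"{path}: {ver} -> {'AFFECTED (<= 4.00.8618.0)' if vulnerable else 'newer build'}")
```

The comparison works on integer tuples rather than strings so that a build such as 4.0.9025.0 is correctly ranked above 4.0.8618.0; a naive string comparison would get that wrong.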

What is the good news? The good news is that Access is not part of the typical Microsoft Office Standard package in companies. But it doesn’t matter, because we are talking about targeted attacks, possibly aimed at a single organisation. This is the world we live in today.

We have not seen related MS Publisher or MS Visio Trojans yet. You will probably say they are not worth making. Wrong. If fingerprinting etc. done by criminals indicates that target organisations use them widely, it is worth generating malware for these applications.

Attackers are not silly; they are exceptionally wise to use software installed on almost every company workstation. The last targeted PowerPoint case had a lot of characteristics of social engineering and industrial espionage. And it is worth mentioning to new readers that Pcclient.B is a Trojan horse containing back door functionality and rootkit technology.

Why am I writing about this today? Because Microsoft recently announced its upcoming monthly security bulletins, and according to the Advance Notification program they will release

Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.

I believe they will fix the most critical PowerPoint flaw as they have promised.

But is there a fix for the Jet Database Engine issue, and is it an Office flaw at all? They will patch ten Windows flaws as well. Next Tuesday we will know the answer.

Juha-Matti Laurio

Update 8th Aug: There was no patch for the Msjet40.dll issue included in the monthly MS updates.
The patch for the critical PowerPoint 0-day issue is MS06-048.

  • Delta Taph

    I was attacked by backdoor.pcclient.b just recently. I’m using Norton ’04 with fully updated definitions daily, and I have all of the latest Microsoft Updates available.