New PowerPoint 0-day and related Trojan in the wild

It was not a surprise that a new Trojan, named TROJ_SMALL.CMZ, turned out to exploit a new, undocumented code execution vulnerability in Microsoft PowerPoint. The information was published today. Reportedly the dropper file has a size of 71,168 bytes, but the file name used is not publicly known yet.

What the Trend write-up actually says is:

“…a specially crafted .PPT file that arrives on a system either downloaded from the Internet or dropped by other malware.”

I.e. this PowerPoint file was not spread by e-mail, as far as is currently known.

This is possibly the most interesting part:

Initial samples received on: Aug 17, 2006

It is sad (but realistic) to say that if this vulnerability has been used in targeted attacks to steal information, the attacker already has that information.

Reportedly the randomly named .EXE file is copied to the Windows temp folder resolved through %Temp% (for a logged-on user this normally points into the user's profile, while C:\Windows\Temp is the system-wide default). I'm sure only some AV vendors detect this yet, so sort your Temp folder by Last Updated (modified date) and look for suspicious .exe files.

According to the updated information in the Technical Details section, the Trojan checks for the Windows temporary folder in the following path:

C:\Documents and Settings\{current user}\Local Settings\Temp

If that path does not exist, the Trojan checks for the folder in either of the following paths:

C:\Windows\Temp
and
C:\WINNT\Temp

It appears the Trojan is written to work on older Windows 2000 and NT 4.0 systems too, since those use the 'WINNT' folder name. Windows 98, ME, NT, 2000, XP and Server 2003 are listed as affected.
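As an added example (mine, not part of the original entry or of Trend's write-up), here is a PowerShell snippet that reproduces the "Last Updated" check from a console: it walks the temp folders named above, lists executables written since the first-sample date, and hashes them so a hit can be compared with whatever indicators a vendor publishes. The cutoff date, the use of the 71,168-byte dropper size as a hint, and the Vista-and-later per-user path are my assumptions; Get-FileHash needs PowerShell 4.0 or later, so on the 2006-era systems listed as affected you would drop the hash column or use another hasher.

```powershell
# Added example, not from the original entry or from the Trend write-up.
# Lists .exe files in the temp folders the write-up names, newest first,
# so the "Last Updated" view mentioned in the text can be done from a console.
# Assumptions: the cutoff date is the first-sample date from the entry, and the
# 71,168-byte figure (the dropper's size) is used only as a weak hint.

$Cutoff      = Get-Date '2006-08-17'   # earliest sample date per the write-up
$DropperSize = 71168                   # dropper size per the write-up

# Candidate folders, in the order the write-up checks them, plus the
# per-user temp location used by Vista and later (assumption, not in the entry).
# Paths whose environment variable is unset collapse to "\Temp" and are filtered
# out by the drive-letter test; Test-Path drops folders that do not exist.
$TempDirs = @(
    "$env:USERPROFILE\Local Settings\Temp",   # 2000/XP per-user temp (what %Temp% resolves to)
    "$env:LOCALAPPDATA\Temp",                 # per-user temp on Vista and later
    'C:\Windows\Temp',                        # system-wide temp, XP/2003 layout
    'C:\WINNT\Temp'                           # system-wide temp, NT4/2000 layout
) | Where-Object { $_ -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $_) } |
    Sort-Object -Unique

$Hits = $TempDirs | ForEach-Object {
    # -Force includes hidden/system files; access errors (for example the
    # protected "Local Settings" junction on newer Windows) are skipped, not fatal.
    Get-ChildItem -LiteralPath $_ -Filter '*.exe' -Force -ErrorAction SilentlyContinue
} | Where-Object { $_.LastWriteTime -ge $Cutoff } | ForEach-Object {
    [pscustomobject]@{
        LastWriteTime = $_.LastWriteTime
        SizeBytes     = $_.Length
        SizeMatch     = ($_.Length -eq $DropperSize)   # hint only; the dropped name is random
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Path          = $_.FullName
    }
}

# Newest first, which is what sorting the Explorer view by "Last Updated" gives you.
$Hits | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

A size match alone proves nothing (the 71,168 bytes is the dropper, and the dropped file is randomly named), so treat the list as candidates to hash and submit, not as a verdict; the per-user folder is listed first because that is where the write-up says the Trojan looks first.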

Trend's write-up listed the vulnerability as a "code execution vulnerability" earlier, but later changed it to "unknown system vulnerability".

The Trojan will download and execute files from URLs located in Taiwan (a .com.tw domain) and from an unknown IP address beginning with '61.'.

At the same time there are reports about a different Trojan exploiting Justsystem's widely used Japanese Ichitaro word processor, but I'm not writing about that so-called Backdoor.Papi case now.

== Entry was updated with information on spreading methods. ==

Update # 20:00 UTC: Internet Storm Center has released a related Diary entry.
Update # 22:00 UTC: Added information about changes in Trend's TROJ_MDROPPER.BH write-up.
Update 21st Aug: A new FAQ document has been released too.