Microsoft PowerPoint Vulnerability FAQ – August 2006, CVE-2006-4274 [UPDATED]

This is a Frequently Asked Questions document about the latest Trojan case targeting a vulnerability in Microsoft PowerPoint. The document describes the related malware as well.
Update: New CVE name added to the title; 0-day information removed.
NOTE: According to new information this is not a 0-day vulnerability; it is related to the already patched MS06-012 issue.
NOTE #2 (25th August): Added information about the state of CVE-2006-4274 and CVE-2006-0009.

Q: What is the recent Microsoft PowerPoint Trojan case related to a patched vulnerability?
A: UPDATE: This vulnerability is caused by an error when processing malformed PowerPoint documents, the Malformed Routing Slip Vulnerability, CVE-2006-0009. The issue was disclosed via malware descriptions reporting a new Trojan exploiting an undocumented vulnerability in PowerPoint. New information published on 21st and 22nd August states that the issue is Trojans exploiting machines not patched with the MS06-012 security update.
I.e. the original information included in the first published Trojan description was erroneous, and the new information states that this is not a zero-day vulnerability.

Q: How does the vulnerability mentioned work?
A: The vulnerability is a code execution vulnerability. An attacker successfully exploiting it can run code of his or her choice on the affected machine. The arbitrary code executes with the privileges of the currently logged-on user.
UPDATE: An attacker could exploit the vulnerability with a specially crafted routing slip in a Microsoft Office document. The malware exploiting this vulnerability is a Trojan horse, and it attempts to download malicious files with keylogger features.
The Trojan spawns a hidden Internet Explorer (iexplore.exe) process, executes as a thread of that process, and finally connects to Web sites at [removed].com.tw and 61.218.[removed].

Q: When was this case found?
A: The first malware description was published on Saturday 19th August. There is information that the same AV vendor had already received samples on 17th August.
UPDATE: As of 21st Aug 20:00 UTC there is no confirmation from Microsoft available. UPDATE #2: Microsoft has confirmed that this issue is related to MS06-012.

Q: Is this one of the critical vulnerabilities reported on 8th August in the MS August Security Bulletins?
A: No. This is a different vulnerability. The vulnerabilities fixed in MS06-048 are different issues.

Q: Which Windows versions are affected?
A: Microsoft PowerPoint installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected.

Q: What PowerPoint versions are affected?
A: UPDATE: It is reported that PowerPoint XP, as part of Office XP (aka 2002) SP3, is affected. However, Microsoft Security Bulletin MS06-012 lists Office 2000 Service Pack 3, including PowerPoint 2000, as affected too.
NOTE: It appears that version 2003 is not affected.

Q: Is PowerPoint Viewer utility affected too?
A: UPDATE: No. Microsoft has confirmed the state of PowerPoint Viewer by e-mail. The PowerPoint Viewer utility is not affected.

Q: Is Microsoft Works Suite affected too?
A: At the time of writing there is no official information about this. UPDATE: Security Bulletin MS06-012 lists Works Suite versions 2001, 2002, 2003, 2004, 2005 and 2006 as affected.

Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?
A: There is no information about this. UPDATE: MS06-012 lists Microsoft Office X for Mac and Microsoft Office 2004 for Mac as affected, but the affected product is Excel, not PowerPoint.

Q: I am using a non-English version of PowerPoint. Am I affected?
A: As of 20th August it is impossible to say. Exact information about affected language versions is not available yet.
UPDATE: Microsoft Security Bulletin MS06-012 includes fixes for all language versions of PowerPoint products, i.e. the patch is needed for localized versions too.
It is recommended to patch all language versions of Office to avoid infection.

Q: Where are the official Microsoft documents related to this case located?
A: Any upcoming documents published by Microsoft will be located at the Microsoft Security Response Center (MSRC) Blog site, blogs.technet.com/msrc/default.aspx. If an official security advisory is published, its location will be the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.
UPDATE: The following MSRC entry has been released:
blogs.technet.com/msrc/archive/2006/08/23/449075.aspx
Because the related vulnerability is already patched, no Security Advisory is expected.

Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software that protects against this specific malware and to check that virus signature files are up to date. See the related item discussing opening PowerPoint presentations.
UPDATE: Apply the MS06-012 patch as soon as possible:
www.microsoft.com/technet/security/bulletin/MS06-012.mspx

Q: Has exploit code for this vulnerability been publicly released?
A: No.

Q: Is a PoC-type sample file for this vulnerability publicly available?
A: No.

Q: Is it safe to open any .PPT files any more?
A: It is very important not to open PowerPoint files from unknown sources (e-mail, Web pages, instant messenger etc.) if the machine is not patched with the MS06-012 update.

Q: Are there any visible signs of the infection?
A: UPDATE: It is reported that the Trojan downloads files to the following locations and executes them:
Windows %System%\comine.exe
Windows %System%\comnie.exe

Q: Are there any changes to the file system made by the related Trojan malware?
A: Yes. A file with the .exe extension is copied to the Windows Temp folder when the malicious .PPT attachment is opened. The file is randomly named. The Trojan seeks the location of the Temp folder in the following order:
* C:\Documents and Settings\{current user}\Local Settings\Temp
* C:\Windows\Temp
* C:\WINNT\Temp
The folder name ‘Winnt’ is used in older OSs, Windows 2000 and NT 4.0.

Q: What are the names of the malware exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component. The following names are used:

Trend Micro:
TROJ_MDROPPER.BH [dropper]
TROJ_SMALL.CMZ [Trojan]

Sophos:
Troj/Small-COA [Trojan]

Symantec:
Trojan.PPDropper [dropper]
Keylogger.Trojan [Trojan]

McAfee:
Exploit-MS06-012 [dropper, heuristically detected]
Downloader-AYB [Trojan]

Kaspersky:
Trojan-Downloader.Win32.Small.doa [Trojan]

CA:
Vet: Win32/SillyDl.AVW [Trojan]
iRiS: Win32/SillyDL.1rb!Trojan [Trojan]

F-Secure:
specific files reportedly detected

Unknown vendor:
Exploit-MS06-012!ppt [dropper]

The list is not complete yet.
Some AV vendors have reported that they have a sample file and that analysis has started.

Q: My AV vendor doesn’t list names of these types on their Web pages. How do I know my AV software protects me?
A: It’s possible that your anti-virus software already has protection against this threat, but the malware database on the vendor’s Web page doesn’t include a specific write-up yet, because of the weekend etc. The best way is to check the situation with your AV vendor.
This document will be updated (again) to include new names assigned.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. Internet Storm Center (ISC) has released the following Diary entries: isc.sans.org/diary.php?storyid=1618 and isc.sans.org/diary.php?storyid=1621

Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: This information is not available.

Q: What is the file name used in related infection cases?
A: This information is not available. It appears that the malicious file was not spread via e-mail. At the time of writing it is not known whether there are malicious Web sites spreading this file.

Q: Is there information about the file size used?
A: Yes. The size of the PowerPoint file is 71,168 bytes. Additionally, it appears that the .PPT file extension is used.

Q: What is the content of the PowerPoint presentation?
A: This information is not available.

Q: Is any user interaction needed when opening the malicious PowerPoint file?
A: No. UPDATE: It is reported that closing the malformed PowerPoint file triggers the vulnerability.

Q: Is it safe to open PowerPoint presentations coming from a trusted, known sender during the next few days?
A: The answer is yes and no. If you have applied the MS06-012 patch, your anti-virus software is updated, and it is confirmed that it recognizes the related malware, the AV software will protect you. If you want one hundred percent protection, you can save presentations first and scan them with your AV software.
These days you can’t trust that the sender information in a message with a PowerPoint file attached is truthful (if the attacker uses the e-mail attack vector too). If you are not sure, you can always call the sender when an e-mail including a .PPT attachment arrives unexpectedly.
Additionally, it is possible to embed malicious Microsoft PowerPoint files in Microsoft Word or Microsoft Excel files.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are located on Web pages too?
A: Yes. It is possible for an attacker to place malformed PowerPoint files on Web pages.

Q: Does filtering PowerPoint documents at the network perimeter protect me?
A: No. Normally Windows opens files based on file header information, i.e. filtering by extension is not something you can trust.
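As an added example (not part of the original FAQ), the check below identifies binary Office content by its OLE2 compound-file header rather than by file extension, so a .PPT renamed to something harmless-looking is still flagged for scanning; the sample files are constructed, and the 8-byte signature D0 CF 11 E0 A1 B1 1A E1 is the standard OLE2 header.

```python
"""Classify files by OLE2 header vs. extension (added example, not from the FAQ).

The 8-byte OLE2 compound-file signature is the standard one used by the
binary .ppt/.doc/.xls formats; the sample files below are constructed and
are not samples of the malware described in the FAQ.
"""
import os

# Standard OLE2 compound document signature (first 8 bytes of a binary .ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Extensions under which OLE2 content is expected; .doc/.xls are included
# because PowerPoint objects can be embedded in Word and Excel files.
OFFICE_EXTS = {".ppt", ".pps", ".pot", ".doc", ".xls"}


def is_ole2(data: bytes) -> bool:
    """True if the content starts with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the header says.

    ole2-office-ext      content and extension agree (still scan it)
    ole2-disguised-ext   OLE2 body behind a non-Office extension
    office-ext-not-ole2  Office extension but not a compound file
    other                neither Office extension nor OLE2 content
    """
    ext = os.path.splitext(name)[1].lower()
    if is_ole2(data):
        return "ole2-office-ext" if ext in OFFICE_EXTS else "ole2-disguised-ext"
    return "office-ext-not-ole2" if ext in OFFICE_EXTS else "other"


def flag_mismatches(files: dict) -> list:
    """Return names whose extension and header disagree, for a gateway to hold."""
    return sorted(n for n, d in files.items()
                  if classify(n, d) in ("ole2-disguised-ext", "office-ext-not-ole2"))


# Constructed sample inputs: only the leading bytes matter for the check.
SAMPLE_FILES = {
    "slides.ppt": OLE2_MAGIC + b"\x00" * 24,   # honest binary PowerPoint
    "holiday.jpg": OLE2_MAGIC + b"\x00" * 24,  # OLE2 body hiding behind .jpg
    "deck.ppt": b"PK\x03\x04" + b"\x00" * 28,  # .ppt name on a ZIP container
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} {classify(name, data)}")
    print("hold for scanning:", flag_mismatches(SAMPLE_FILES))
```

A header match only says the file is an OLE2 container, not that it is malicious; held files still need an up-to-date AV scan, and files that agree with their extension need it just as much.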

Q: What is the vulnerable component in this vulnerability?
A: UPDATE: MS06-012 reports the file Msroute.dll as the vulnerable component.

Q: Is there a CVE name available for this issue?
A: Update: Yes, the CVE name CVE-2006-4274 was assigned on 21st August. The link to the CVE document is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4274.
The specific CVE name for the vulnerability included in MS06-012 is CVE-2006-0009:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009
UPDATE: Due to the new state of the issue, CVE-2006-4274 now refers to the original state of the issue. The vulnerability itself is described in CVE-2006-0009.

Q: Are there rootkit techniques included in the malware exploiting this vulnerability?
A: At the time of writing there is no information about rootkit functionality being included.

Q: Is there information about the origin of the related malware authors?
A: No. It is known that one of the target Web sites used is located in the Taiwan area.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)

Revision History:
1.0 20-08-2006 Initial release
1.1 20-08-2006 Minor fixes, added some hyperlinks
1.2 21-08-2006 Some minor fixes
1.3 21-08-2006 Added information about the lack of confirmation from Microsoft and the state of malware descriptions
1.4 22-08-2006 Added CVE name to the title and to related item, added new ISC Diary link
1.5 22-08-2006 Added link to NVD version of CVE-2006-4274
1.6 22-08-2006 Removed information about the issue being a 0-day vulnerability, related changes done, added new Trojan/dropper names, added credits
1.7 23-08-2006 Added new Trojan/dropper names (McAfee, Kaspersky), updated the Trojan characteristics and added information about working CVE link
1.8 24-08-2006 Added link to released MSRC entry and updated the document with detailed information
1.9 24-08-2006 Added new Trojan name (CA), added F-Secure detection as well
2.0 25-08-2006 Added information about the state of CVE-2006-4274 and CVE-2006-0009

Updated items include the word ‘UPDATE:’

Thanks to anonymous anti-virus companies for providing sample and description related information.
Dear Microsoft, I have informed the latest state of the issue to three security mailing lists on 22nd and 23rd Aug
