Redmond, we have a new Word 2000 0-day again

== This post was updated on 4th September ==

A new 0-day vulnerability in Microsoft Word 2000 has been reported.
It is exploited by a new Trojan horse named Trojan.Mdropper.Q, which affects all Windows versions from Win95 to 2003 Server. An unknown .exe file is copied to the Windows %System% folder.

Furthermore, the dropped library clipsvr.dll, which belongs to another, related piece of malware, injects itself into the address space of lsass.exe and works as a backdoor component. The payload of this Backdoor.Femo is the following:

* Access the Windows command shell (CMD.exe or command.com)
* Run executable files
* Delete/create files and folders
* Download files from the Internet
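
A defender-side check for the injection described above, as an added example that is not part of the original post: it reads a per-process module listing and reports whether clipsvr.dll is loaded in lsass.exe. The CSV layout (assumed to match `tasklist /m /fo csv`), the constructed sample rows and the function name `check_listing` are assumptions.

```python
import csv
import io

# Indicators from the post: the backdoor DLL and the process it is injected into.
WATCHED_MODULE = "clipsvr.dll"
TARGET_PROCESS = "lsass.exe"

# Constructed sample rows; the layout is assumed to match `tasklist /m /fo csv`.
SAMPLE = '''"Image Name","PID","Modules"
"System","4","N/A"
"lsass.exe","624","ntdll.dll,kernel32.dll,ADVAPI32.dll,CLIPSVR.DLL,LSASRV.dll"
"explorer.exe","1432","ntdll.dll,kernel32.dll,SHELL32.dll"
'''


def check_listing(text, process=TARGET_PROCESS, module=WATCHED_MODULE):
    """Return (verdict, pids); verdict is 'injected', 'unknown', 'clean' or 'absent'."""
    hits, unreadable, seen = [], [], False
    for row in csv.DictReader(io.StringIO(text)):
        if row["Image Name"].strip().lower() != process:
            continue
        seen = True
        modules = [m.strip().lower() for m in row["Modules"].split(",")]
        if modules == ["n/a"]:
            # Assumed marker for a module list that could not be read (for
            # example without admin rights): report unknown, never clean.
            unreadable.append(int(row["PID"]))
        elif module in modules:
            hits.append(int(row["PID"]))
    if hits:
        return "injected", hits
    if unreadable:
        return "unknown", unreadable
    return ("clean", []) if seen else ("absent", [])


if __name__ == "__main__":
    verdict, pids = check_listing(SAMPLE)
    print(f"{TARGET_PROCESS}: {verdict} {pids}")
```

A verdict of `unknown` means the listing has to be retaken with sufficient rights before the host can be called clean.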

At this time there is no information about the file name used or whether this Trojan has been spammed.

Update #20:45 UTC: New information states that this vulnerability reportedly affects Word 2000 running on Windows 2000 machines, i.e. it appears to be related to targeted attacks against specific organisations using older Word 2000 installations.

Update 4th Sep: The size of the infected file is 79,265 bytes.
Update: TrendMicro detects this malware as TROJ_MDROPPER.BR.
NOTE: A new FAQ document including an updated list has been released.
