The AV coverage of the 12122006-djtest.doc PoC is extremely poor

This rather negative title is based on the current result of a VirusTotal scan of the Word 0-day PoC file 12122006-djtest.doc. This Proof of Concept file was publicly released on Tuesday 12th December [I'm not linking to the exploit/PoC site].

The complete scan result for “12122006-djtest.doc”, submitted to VirusTotal.com recently, is the following:

–clip–

Antivirus Version – Update Result
AntiVir 7.3.0.15 – 12.13.2006 no virus found
Authentium 4.93.8 – 12.13.2006 no virus found
Avast 4.7.892.0 – 12.13.2006 no virus found
AVG 386 – 12.13.2006 no virus found
BitDefender 7.2 – 12.14.2006 Exploit.MSWord.Gen.2
CAT-QuickHeal 8.00 – 12.13.2006 no virus found
ClamAV devel-20060426 – 12.14.2006 no virus found
DrWeb 4.33 – 12.13.2006 no virus found
eSafe 7.0.14.0 – 12.13.2006 no virus found
eTrust-InoculateIT 23.73.85 – 12.14.2006 no virus found
eTrust-Vet 30.3.3248 – 12.13.2006 no virus found
Ewido 4.0 – 12.13.2006 no virus found
Fortinet 2.82.0.0 – 12.14.2006 no virus found
F-Prot 3.16f – 12.13.2006 no virus found
F-Prot4 4.2.1.29 – 12.13.2006 no virus found
Ikarus T3.1.0.26 – 12.13.2006 no virus found
Kaspersky 4.0.2.24 – 12.14.2006 no virus found
McAfee 4918 – 12.13.2006 no virus found
Microsoft 1.1804 – 12.14.2006 no virus found
NOD32v2 1920 – 12.13.2006 no virus found
Norman 5.80.02 – 12.13.2006 no virus found
Panda 9.0.0.4 – 12.13.2006 no virus found
Prevx1 V2 – 12.14.2006 no virus found
Sophos 4.12.0 – 12.13.2006 no virus found
Sunbelt 2.2.907.0 – 11.30.2006 no virus found
TheHacker 6.0.3.131 – 12.10.2006 no virus found
UNA 1.83 – 12.13.2006 no virus found
VBA32 3.11.1 – 12.13.2006 no virus found
VirusBuster 4.3.15:9 – 12.13.2006 no virus found

–clip–

Only one vendor of 29 detects it, as Exploit.MSWord.Gen.2.

It is worth noticing that seven signature sets are dated 14th Dec. When the Word document was submitted to the service six hours ago, no detections were available at all.

The title of the exploit release states that it is a code execution issue, but the release doesn’t refer to the MSRC Blog entries etc. Additionally, no CVE is included.

Given the current state of anti-virus protection, I see this PoC as related to the newer zero-day issue.

It is interesting that on Sunday 10th Dec McAfee reported this issue via the existence of the PWS-Agent.g Trojan. They reported that DAT 4916 includes protection:

Minimum DAT: 4916 (12/11/2006)

(The link to the McAfee writeup is included in my previous post.) The most recent DAT files, 4918, don’t have protection against this PoC released on 12th Dec, however.
If someone can confirm the target vulnerability of 12122006-djtest.doc, please let me know.

UPDATE: According to the latest conclusion, this is a totally new, third unpatched vulnerability in Word. McAfee AVERT Labs has confirmed this too.

UPDATE #2: This vulnerability has now been confirmed by US-CERT:
Microsoft Word malformed pointer vulnerability, public as CVE-2006-6561.

  • http://networksecurity.typepad.com/ Juha-Matti

    Answer to questions:
    Sorry, I can’t and I will not e-mail PoC files to the individuals in any way.

  • dav

    Virustotal manual scanning is not unreliable! You have to execute the doc document and the trojan is detected!!!!
    Microsoft, Symantec, McAfee and Sophos are able to detect this 0-day exploit.

  • sunshine

    This isn’t a 0day, it was disclosed in full-disclosure mode on the fuzzing mailing list. We really should not let the media force us to abuse these terms.

  • mav

    Looks like also the first Word bug was already disclosed since November. More info on this new blog post from Symantec: http://www.symantec.com/enterprise/security_response/weblog/2006/12/ms_word_the_bug_the_exploit_th.html

  • cass

    your test is wrong because the file http :// http://www.milw0rm.com /sploits/ 12122006-djtest.doc
    doesn’t contain trojans and so it’s not dangerous.
    That file is just a PoC i.e. only a crash. :-)

  • cass

    OpenOffice 2 also crashes on that doc.

  • http://networksecurity.typepad.com/ Juha-Matti

    Thanks cass!
    Only version 1.1.3 was confirmed as affected earlier.

  • Pingback: SecuriTeam Blogs » These two weeks of Word flaws - can we survive?

  • http://networksecurity.typepad.com/ Juha-Matti

    Cass, is it the latest version OO2.1.0 you have tested?

  • http://blog.pixnet.net/sylphidsu sylphid

    TextMaker 2006 also crashes on that doc. :(

  • http://networksecurity.typepad.com/ Juha-Matti

    Vulnerability in OOv2.1 has been confirmed via this:
    http://www.securityfocus.com/archive/1/454514/30/0/threaded