This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft PowerPoint. The document also describes the related malware and the e-mail attacks in which it was used.

-UPDATE- This vulnerability was fixed on 8th August 2006 by Microsoft Security Bulletin MS06-048, released with the monthly security updates.


– Several updates made on 15th July, 17th July and 8th August, 2006.

NOTE: Several Riler category Trojan descriptions are included.
It is worth noting that a separate PowerPoint 0-day vulnerability was reported in August too (see revision 2.2 in the Revision History).

Q: What is Microsoft PowerPoint 0-day vulnerability?
A: This previously unknown vulnerability is caused by an unspecified error when processing malformed PowerPoint documents. The detailed characteristics are not publicly known, but the component being exploited is mso.dll (a shared Office library). The vulnerability was disclosed via malware descriptions reporting a new Trojan that exploits an undocumented vulnerability in PowerPoint. The flaw has been used in several e-mail attacks against undisclosed organizations. Microsoft has confirmed these “very targeted” attacks.

Q: How does the vulnerability work?
A: This is a code execution vulnerability. An attacker who successfully exploits it can run code of his or her choice on the affected machine. The arbitrary code runs with the privileges of the currently logged-on user, so an account without administrative rights limits what the exploit can do. Malware exploiting this vulnerability is known to include keylogger and backdoor functionality. The vulnerability is a memory corruption triggered by specially crafted content in a PowerPoint file.
UPDATE: Microsoft states in Security Bulletin MS06-048 that the vulnerability is triggered when PowerPoint parses a malformed shape.

Q: When was this vulnerability found?
A: The first malware description was published on Wednesday 12th July. Microsoft confirmed the existence of the vulnerability on 13th July and officially in the MSRC Blog on 14th July. One AV vendor reportedly received samples as early as 11th July.

Q: Is this one of the critical vulnerabilities reported on 11th July in the Microsoft July Security Bulletins?
A: No. This is a new, unpatched vulnerability. The vulnerabilities fixed in MS06-038 etc. are different issues.

Q: Which Windows versions are affected?
A: Microsoft PowerPoint installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003 are reportedly affected.

Q: What PowerPoint versions are affected?
A: According to Microsoft Security Advisory 922970, PowerPoint versions 2003, 2002 and 2000 are affected. Several vendors list Office 2000, Office XP (2002) and Office 2003 as affected too.
The three PoCs posted to a public mailing list have been tested against PowerPoint 2003 (note that they demonstrate different issues, see the PoC items below).
UPDATE: Microsoft lists PowerPoint 2000 in Microsoft Office 2000 Service Pack 3, PowerPoint 2002 in Microsoft Office XP SP3 and PowerPoint 2003 in Office 2003 SP1/SP2 as affected.

Q: Is PowerPoint Viewer utility affected too?
A: UPDATE: No. Microsoft lists PowerPoint Viewer 2003 as not affected in Security Advisory 922970.

Q: Is Microsoft Works Suite affected too?
A: At the time of writing there was no official information about this.
UPDATE: Microsoft states that Microsoft Works Suite 2004, 2005 and 2006 are not affected by this vulnerability.

Q: Is Microsoft PowerPoint for Mac affected by this vulnerability?
A: There is no official information about this. US-CERT lists Mac versions as affected too.
UPDATE: Microsoft states that PowerPoint 2004 for Mac and PowerPoint v. X for Mac are affected too.

Q: I am using non-English version of PowerPoint 2003. Am I affected?
A: As of 17th July it was impossible to say; exact information about affected language versions was not available.
UPDATE: Microsoft Security Bulletin MS06-048 includes fixes for all language versions of the affected PowerPoint products, i.e. the patch is needed for localized versions too.

Q: Where are the official Microsoft documents related to this case located?
A: Documents published by Microsoft are located at the Microsoft Security Response Center (MSRC) Blog, blogs.technet.com/msrc/default.aspx. UPDATE: The security advisory was published in the Microsoft Security Advisories section of the Microsoft TechNet Security site, www.microsoft.com/technet/security/advisory/default.mspx.

Q: How can I protect myself from this vulnerability?
A: Apply the MS06-048 update (available since 8th August) as soon as possible. Until the update is installed, use anti-virus software that detects this specific malware and check that the signature files are up-to-date, do not open unexpected PowerPoint attachments (even from known senders, since sender addresses are easily spoofed), and work in a non-administrative account so that exploit code runs with limited privileges. Note that anti-virus signatures cover the known samples only; a modified file exploiting the same flaw may not be detected.

Q: Is the exploit code of this vulnerability publicly released?
A: UPDATE: Yes. Three separate Proof-of-Concept files were posted to public security mailing lists (both moderated and non-moderated) on 15th July. These PoCs have been tested against PowerPoint 2003. However, it has been reported that these PoCs demonstrate new, different vulnerabilities, not the one used in the e-mail attacks.

Q: Does this mean that there are several unpatched vulnerabilities in PowerPoint?
A: According to the newest information the answer is yes.
The PoCs introduce the following three vulnerabilities (separate CVE names have been assigned to each):
#1 memory corruption – CVE-2006-3656
#2 mso.dll – CVE-2006-3655
#3 powerpnt.exe – CVE-2006-3660

The PoC exploits reportedly cause a denial of service (application crash) and may enable code execution, but code execution has not been confirmed. It is worth mentioning that the CVE-2006-3656 issue triggers when the PowerPoint document is closed, not when it is opened, so such a file can appear harmless until the user closes it.

Q: Is there malware exploiting these three new disclosures yet?
A: No, not as of 18th July, 2006.

Q: Is a PoC-type sample file of the vulnerability used in the attacks (CVE-2006-3590) publicly available?
A: No. The three PoCs mentioned above demonstrate different issues.

Q: Is it safe to open any .PPT files any more?
A: It is very important not to open PowerPoint files from unknown sources. However, files apparently coming from familiar sources can cause an infection too, because the sender address of an e-mail is easily spoofed.

Q: Are there any visual effects informing about the infection?
A: Yes. The title slide shows Chinese characters when the malicious PowerPoint document is opened. A screenshot of the first slide is included in the Sophos article related to this vulnerability (see the item about the presentation contents below). The presentation uses a black background with white text.

Q: Are there any changes to file system made by related Trojan malware?
A: Yes. The files rtfmsv.exe and regvrt.exe are copied to the Windows System folder when the malicious .PPT attachment is opened.

Q: What are the Registry keys used?
A: Modifications are made under HKEY_CURRENT_USER\Software\SKavx and HKEY_LOCAL_MACHINE\Software\SKavx.

Q: Are there any special features included to the way how this new Trojan works?
A: Yes. It can inject itself into the Explorer (explorer.exe) process, which makes it harder to spot in a process listing and lets its network traffic appear to come from Explorer.

Q: What are the names of malwares exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component in this malware. The following names are used by different vendors:

Backdoor.Bifrose.F [Trojan]
Trojan.PPDropper.B [dropper]

BKDR_BIFROSE.DS [Trojan]
TROJ_MDROPPER.AS [dropper]

BackDoor-CEP [Trojan]
Exploit-PPT.b [exploit]

Troj/Edepol-C [Trojan]

Bifrose.UZ [Trojan]

Backdoor.Win32.Bifrose.uz [Trojan]

Backdoor:Win32/Bifrose!E029 [Trojan]

W32/Bifrose.UZ [Trojan]

The list is fairly comprehensive. Some other W32/Bifrose based names are in use too.

——-
NOTE: The following names were assigned on 17th July or later:

Trojan.Riler.F [Trojan]
Trojan.PPDropper.C. [dropper]

TROJ_RILER.B [Trojan]
TROJ_MDROPPER.AK [dropper]

Win32.Fantador.E [Trojan]

Win32/Fantador.E!Backdoor [Trojan]

This new category uses different techniques, e.g. a Layered Service Provider (LSP) inserted into the Winsock stack so that the Trojan sees network traffic of other applications, see
en.wikipedia.org/wiki/Layered_Service_Provider
and
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RILER.B

Q: My AV vendor doesn't list these names on their Web pages. How do I know my AV software protects me?
A: It is possible that your anti-virus software already has protection against this threat even though the malware database on the vendor's Web page doesn't include a specific write-up yet (weekend, holiday season etc.). The best way is to check with your AV vendor directly.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. Internet Storm Center (ISC) has released the following Diary entry: isc.sans.org/diary.php?storyid=1484

Q: Is there a CME name for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: UPDATE: Yes. According to a new MSRC Blog posting, detection has been added to Windows Live Safety Center (currently in Beta).

Q: What is the file attachment name used in attacks mentioned?
A: A name including Chinese characters was used. Attackers can easily use other names in future attacks, so do not rely on the attachment name for filtering.

Q: Is there information about the file size used?
A: UPDATE: Yes. The size of the known malicious PowerPoint file is 220,160 bytes, and it contains 18 slides. Other samples may differ.

Q: What is the sender address in use?
A: Reportedly gmail.com addresses were used as sender addresses.

Q: Are the names of the recipients shown in the message carrying the malicious PowerPoint attachment?
A: No. Only the placeholder 'Undisclosed-Recipient:;', widely used in phishing e-mails etc., was shown.

Q: What is the Subject line of e-mails sent in attacks mentioned?
A: Chinese characters have been used.

Q: What are the contents of the PowerPoint presentation?
A: Sophos has a short translation of two first pages located at
www.sophos.com/pressoffice/news/articles/2006/07/chinesewords.html

Q: Is any user interaction needed when opening the malicious PowerPoint file?
A: No interaction beyond opening the file is needed: simply opening a malformed PowerPoint file triggers the vulnerability.

Q: Is it safe to open PowerPoint presentations coming from a trusted, known sender during the next days?
A: Yes and no. Up-to-date anti-virus software protects against the known samples, but not necessarily against modified files exploiting the same flaw. For extra assurance, save the presentation to disk first and scan it with your AV software before opening it.
These days you can't trust that the sender information in a message with a PowerPoint file attached is truthful. If you are not sure, you can always call the sender when an e-mail with a .PPT attachment arrives unexpectedly.
Additionally, malicious PowerPoint files can be embedded as objects in Microsoft Word or Microsoft Excel files, so a .DOC or .XLS attachment can carry the same exploit.

Q: Is it possible that malicious PowerPoint files (.PPT file extension etc.) are hosted on Web pages too?
A: Yes. An attacker can place malformed PowerPoint files on Web pages too, so the threat is not limited to e-mail attachments.

Q: Does filtering PowerPoint documents at the network perimeter protect me?
A: Only partly. Filtering by the .PPT extension alone is not reliable: the file format is recognized from the file contents (the OLE2 compound document structure), not from the file name, so an attachment can be renamed (e.g. to .PPS, which also opens in PowerPoint) or embedded as an object in a Word or Excel document. A perimeter filter should identify PowerPoint content by inspecting the file itself.
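As an added example (not part of the original FAQ and not Microsoft's code), the following Python script shows how a perimeter filter can identify a PowerPoint file by its contents instead of its extension: it parses the OLE2 compound document header and directory and looks for the "PowerPoint Document" stream. It assumes files small enough that all FAT sectors are listed in the header DIFAT (no DIFAT chain), and the container it builds for demonstration is constructed here with empty streams; it is not a sample from the attacks.

```python
"""Content-based identification of PowerPoint (OLE2 compound) files.

Added example for this FAQ. A PowerPoint presentation is recognised by the
"PowerPoint Document" stream inside the OLE2 container, so a renamed
attachment (.doc, .dat, no extension) is still identified. Assumption: all
FAT sectors are listed in the header DIFAT (true for small files).
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
PPT_STREAM = "PowerPoint Document"


def ole_stream_names(data: bytes) -> list:
    """Return the directory entry names of an OLE2 file ([] if not OLE2)."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return []
    sector_shift = struct.unpack_from("<H", data, 0x1E)[0]
    if sector_shift not in (9, 12):      # v3 = 512-byte, v4 = 4096-byte sectors
        return []
    sector_size = 1 << sector_shift
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    # Load the FAT from the sectors listed in the header DIFAT (109 entries).
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):
        off = (s + 1) * sector_size
        if s >= 0xFFFFFFFA or off + sector_size > len(data):
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, off))
    # Walk the directory sector chain; each sector holds 128-byte entries.
    names, sector, seen = [], first_dir_sector, set()
    while sector < 0xFFFFFFFA and sector not in seen:
        seen.add(sector)
        off = (sector + 1) * sector_size
        if off + sector_size > len(data):
            break
        for i in range(sector_size // 128):
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)
            if etype == 0 or name_len < 2 or name_len > 64:   # unused/invalid
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sector = fat[sector] if sector < len(fat) else ENDOFCHAIN
    return names


def is_powerpoint(data: bytes) -> bool:
    """True if the OLE2 container holds the PowerPoint main stream."""
    return PPT_STREAM in ole_stream_names(data)


def classify(filename: str, data: bytes) -> str:
    """Label a file by content and flag extension/content mismatches; a
    gateway should act on this label, not on the file name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_powerpoint(data):
        if ext in ("ppt", "pps", "pot"):
            return "powerpoint"
        return "powerpoint (extension mismatch: %s)" % (ext or "none")
    if data[:8] == OLE_MAGIC:
        return "ole2 (other)"
    return "not ole2"


def build_sample_container(stream_names) -> bytes:
    """Constructed test input: a minimal 3-sector OLE2 file (header, FAT,
    directory) listing the given names as empty streams. No slide data;
    directory tree links are simplified."""
    assert len(stream_names) <= 3, "one 512-byte directory sector only"
    sector_size = 512
    header = bytearray(sector_size)
    header[:8] = OLE_MAGIC
    # minor ver, major ver 3, little-endian marker, sector shift 9, mini shift 6
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<I", header, 0x2C, 1)              # one FAT sector
    struct.pack_into("<I", header, 0x30, 1)              # directory at sector 1
    struct.pack_into("<I", header, 0x38, 0x1000)         # mini-stream cutoff
    struct.pack_into("<II", header, 0x3C, ENDOFCHAIN, 0)  # no mini FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)  # no DIFAT chain
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = bytearray(b"\xff" * sector_size)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 FAT, 1 dir
    directory = bytearray(sector_size)
    for i, name in enumerate(["Root Entry"] + list(stream_names)):
        entry = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        entry[:len(raw)] = raw
        # name length incl. terminator, type (5 root / 2 stream), colour flag
        struct.pack_into("<HBB", entry, 64, len(raw), 5 if i == 0 else 2, 1)
        struct.pack_into("<III", entry, 68, FREESECT, FREESECT,
                         1 if i == 0 else FREESECT)       # left, right, child
        struct.pack_into("<I", entry, 116, ENDOFCHAIN)    # empty stream
        directory[i * 128:(i + 1) * 128] = entry
    return bytes(header + fat + directory)


if __name__ == "__main__":
    sample = build_sample_container(["Current User", "PowerPoint Document"])
    for name in ("deck.ppt", "report.doc", "attachment"):
        print("%-12s -> %s" % (name, classify(name, sample)))
```

Running the script labels the same constructed container as PowerPoint content under all three names (deck.ppt, report.doc and no extension); the mismatch label is what a gateway would block or quarantine on. A production filter would go further and parse the stream contents (for example with the olefile library) rather than stop at stream names, and would still not replace applying MS06-048 on the clients.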

Q: What are the vulnerable components affected by this vulnerability?
A: The vulnerable components are Mso.dll and Ietag.dll in PowerPoint 2003 and 2002, and Mso.dll in PowerPoint 2000. The Ietag library is normally located in the folder C:\Program Files\Common Files\Microsoft Shared\Smart Tag. Information about the vulnerable components in the Macintosh versions of Office is not publicly available.

Q: When is the fix for this vulnerability expected?
A: Impossible to say at the time of writing. Microsoft security advisories normally include information about the fixing timeline for unpatched vulnerabilities. The next monthly security updates are scheduled for 8th August, 2006.
UPDATE: The monthly updates available since 8th August include the fix for this vulnerability (MS06-048).

Q: Is there a CVE name for this vulnerability?
A: Yes, CVE name CVE-2006-3590 was assigned on 14th July. The CVE entry is at cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3590.

Q: Are rootkit techniques included in the malware exploiting this vulnerability?
A: At the time of writing there is no information about rootkit functionality being included.

Q: Is there any other payload than backdoor and keylogging functionality in the Trojan?
A: Yes. Reportedly the Trojan may attempt to disable AV (anti-virus) software. Additionally, it sends system information to a remote Web site, which can help the attacker in future attacks.

Q: Is there information about the origin of the related malware authors?
A: No. It is known that some of the Web sites used in the attacks mentioned are located in China (Hong Kong and the Jiangsu area). Additionally, some sites are located in the USA. Note that the location of these sites says nothing certain about the location of the authors.

Q: What TCP/IP ports are used in the related attacks?
A: Several random TCP ports are used, so blocking the backdoor traffic by port number alone is not practical.

(c) Juha-Matti Laurio, Finland (UTC +3hrs)


-UPDATE-
: An MSRC Blog posting states that Microsoft has activated its security response process and has added detection to the Windows Live Safety Center.

Revision History:
1.0 14-07-2006 Initial release
1.1 14-07-2006 Added information about Registry keys used
1.2 14-07-2006 Added Trojan descriptions and information about translation of PPT file contents
1.3 14-07-2006 Added CVE name. Some minor updates.
1.4 15-07-2006 Added information about Windows Live Safety Center protection and PoCs posted to public mailing list
1.5 15-07-2006 Several updates and fixes, added new items
1.6 16-07-2006 Added new item to clarify the existence of multiple vulnerabilities, minor updates
1.7 17-07-2006 Added information about TCP/IP ports used in attacks and more technical information about Trojan. Added CVE names of three separate issues reported by ‘naveed’. Added new item about affected language versions, minor updates and fixes
1.8 18-07-2006 Added information from published Microsoft Security Advisory, added new type of Trojans and droppers. Added new item related to malwares exploiting three separate 0-day vulnerabilities, so-called ‘naveed issues’.
1.9 20-07-2006 Added new Riler category Trojan description, added more Fantador based Trojan names
2.0 04-08-2006 Some minor fixes
2.1 08-08-2006 Added information about published Microsoft Security Bulletin MS06-048. Added new item related to vulnerable Windows/Office components.
2.2 20-08-2006 Added information about separate 0-day vulnerability reported in August (different title field used in related FAQ document)

Thanks to Internet Storm Center handler Bojan Zdrnja for his comments on this FAQ document.