0-Day attack in the Microsoft Word environment

On May 18 and 19, two Trojans appeared exploiting a flaw in the Microsoft Word XP and Word 2003 environments. For now, this previously unknown vulnerability is not covered by any patch. Once again we are witnessing a “0-Day” attack. Code exploiting the vulnerability is generically detected by McAfee as Exploit-OleData.gen. On Windows 2000, a crash occurs and stops the process without infection.

The first attack was publicly announced last Thursday by the SANS Institute. The malware came in an e-mail and was sent to several people from an Asian organization which name was not revealed. The exploit code is executed out on first opening of the Word document. It quietly installs a PE format binary encapsulated program (here it is a backdoor) which disappears from the document itself becoming unsuspicious and inoffensive. McAfee detects the EXE file under the name of BackDoor-CKB!cfaae1e6.
A second program was diffused according to a similar method. This one is detected under the name of BackDoor-CKB!6708ddaf.

The group launching the attack is said to have operated from China or Taiwan. It acted in an extremely precise way by creating an e-mail containing specific elements directly linked to the targeted organization. Consequently, it seems improbable that these e-mails spread in the wild. For information the subjects of these e-mails are :

• Note
• RE Final for plan agreement

The DOC files bear the name of FINAL.DOC or PLAN.DOC.

It seems that to succeed, the attack requires administrator rights. It is thus useful to remember that installation of accounts with limited rights increases the level of security of work stations.
Microsoft hopes to provide a patch, at the latest, for June 13.