About Me

Chen Yu

Chen Yu

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Next Up: Office Exploits Reloaded

Friday, April 3, 2009 at 1:43am by Chen Yu
Chen Yu

We’ve just seen the Microsoft Excel 0-day attacks in February. Today, Microsoft published a new Security Advisory reporting a new unpatched vulnerability in Microsoft Office PowerPoint.

McAfee Avert Labs investigated and discovered multiple attacks in the field using the PowerPoint exploit. McAfee VirusScan products detects this threat as Exploit-PPT.k trojan using the 5573 DATs to be released on the same day. 

As with most other document exploits, these PowerPoint files install malicious trojans in the background but displays an innocent PowerPoint presentation to the victim as a deceptive measure. The following list shows a variety of malware files installed in these attacks:

  • fssm32.exe: 428,032 bytes (Muster.c trojan)
  • IEUpd.exe : 45,056 bytes (Muster.c trojan)
  • setup.exe : 13, 1072 bytes (Muster.c trojan)
  • PeerCM.exe : 80,666 bytes (Generic BackDoor.u trojan)
  • ws2_42.dll :10,6740 bytes (Generic BackDoor.u trojan)

Some of these specially crafted exploits arrived as PowerPoint Showfiles with the “.pps” extension. Such files typically opens in full screen mode and hides the  applications running on the desktop such as system monitoring tools that could give any clue to the dodgy installation of trojans to the victim.

Please keep your DAT files up-to-date and refrain from opening any PowerPoint files from any untrusted sources until a patch is made available by the vendor. Where possible, verify with the sender to make sure what you get is what was intended.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (1)

  • Angus Scott-Fleming April 3, 2009 6:24AM

    Will the particular PPT/PPS files infect users who are running as standard users on XP? How about “power users” on XP Pro? How about Vista users? Now that we have two common MS OSes (soon to be three with the release of Windows 7) I’d like to know which versions are vulnerable as well as knowing whether or not I need to worry about my non-admin users. Few if any blog entries and VIL.NAI.COM reports include this info.

    Reply