Twin Trojans use PowerPoint to spread
Researchers aren't yet sure if troublesome new Trojan horse programs are exploiting a new PowerPoint flaw or the vulnerabilities Microsoft patched Aug. 8.
Tokyo-based antivirus supplier Trend Micro said it first received samples late last week for Troj.Mdropper-BH. In an analysis on its website, Trend Micro said the Trojan is spread using a specially crafted PowerPoint file that is either downloaded from the internet or dropped on machines by other malware.
If it is successfully downloaded onto a vulnerable machine, Trend Micro said the Trojan checks for the Windows temporary folder in the following path: C:\Documents and Settings\{current user}\Local Settings\Temp. If the path doesn't exist on the machine, it will check for the folder in the following paths: C:\Windows\Temp or C:\WINNT\Temp.
It will then drop a randomly named .exe file in the Windows temporary folder. The .exe file contains the second Trojan, which Trend Micro calls Troj.Small-CMZ. When executed, Troj.Small-CMZ waits for an active internet connection and attempts to access the following URLs to download and execute possibly malicious files: http://61.{BLOCKED}8.35/images/link/ and http://www.th{BLOCKED}st.com.tw/upload/. As of Monday, however, the URLs were not available.
The malware targets machines running Windows 98, ME, NT, 2000, XP and Server 2003.
The SANS Internet Storm Centre (ISC) posted advisories on the issue over the weekend, but was still trying to determine Monday if the malware was targeting a new PowerPoint flaw or the ones Microsoft patched earlier this month.
"They sound very similar to issues reported last July," ISC handler Brian Granier wrote on the centre's Web site. "The question remains whether this is truly a new vulnerability, if Microsoft failed to fix the root cause with MS06-048, or if MS06-048 addresses these issues."
But Finland-based security researcher Juha-Matti Laurio believes the flaw is different from those patched in the MS06-048 update. "I absolutely believe this is a totally new issue because the payload works on a fully patched Microsoft Office workstation," Laurio said in an email exchange. "Vulnerabilities fixed in MS06-048 are different issues. However, it is possible that this vulnerability is related to some issues fixed in MS06-048."
Laurio said he shared his findings with Microsoft, and that the software company said it was investigating.
In an FAQ published on the SecuriTeam blog, Laurio said the flaw is caused by an unknown error when processing malformed PowerPoint documents. Attackers could exploit the flaw to run malicious code on vulnerable machines.
Microsoft did not immediately comment on Laurio's findings.
