A Microsoft Word document was mass-spammed today, which exploits MS01-034. While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro within. Spammed messages use attachment names such as apple_prices.zip, prices.zip, and sony_prices.zip. The archive contains a file named my_notebook.doc, which contains a list of notebooks for sale:

  • Apple MacBook Pro MA463LL/A Notebook PC
  • HP Pavilion DV8230US Notebook PC
  • Sony VAIO VGN-FS830/W Notebook PC

The DOC file also contains a macro that drops a downloader trojan, which in turn downloads a parasitic virus that is itself a downloader.

The infection trail can be represented like this:

Spammed email message -> ZIP attachment (prices.zip) ->
Malicious DOC file / Macro (my_notebook.doc) -> Dropped EXE file (666inse_1.exe) ->
Downloaded File (zmacro.txt) -> Downloader Files (…)
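The first two hops of that trail (ZIP attachment wrapping a macro-bearing DOC) are what a mail gateway can catch before Word is ever involved. The following is an added triage example, not McAfee's code: it opens an attached ZIP in memory, identifies OLE2 compound files by their magic bytes, and flags those whose directory carries the VBA project storage names. The marker strings are a heuristic, not a full compound-file parser, and the sample archive is constructed here to mimic prices.zip / my_notebook.doc rather than being the real spammed file.

```python
"""Gateway-side triage for ZIP-wrapped Word documents carrying VBA macros.
Added example; assumptions: OLE2 magic and the UTF-16LE storage names
'Macros' and '_VBA_PROJECT' are used as macro indicators (heuristic)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Compound-file directory entries store names as UTF-16LE; a Word 97-2003
# document with a VBA project has a 'Macros' storage and a '_VBA_PROJECT' stream.
VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("Macros", "_VBA_PROJECT"))
READ_LIMIT = 8 * 1024 * 1024  # cap decompressed bytes so a zip bomb cannot exhaust memory


def triage_zip(data: bytes) -> list:
    """Inspect every member of an in-memory ZIP without writing anything to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                blob = member.read(READ_LIMIT)
            is_ole = blob.startswith(OLE2_MAGIC)
            has_vba = is_ole and any(marker in blob for marker in VBA_MARKERS)
            findings.append({"name": info.filename, "ole2": is_ole, "vba": has_vba})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any member looks like an OLE2 document with a VBA project."""
    return any(f["ole2"] and f["vba"] for f in triage_zip(data))


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for prices.zip: a fake OLE2 header plus directory names.
    It is not a valid Word file, only enough structure to exercise the check."""
    body = OLE2_MAGIC + b"\x00" * 64 + "Root Entry".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 16 + "Macros".encode("utf-16-le")
        body += b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("my_notebook.doc", body)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, is_suspicious(build_sample(flag)), triage_zip(build_sample(flag)))
```

A real deployment would replace the string heuristic with a compound-file parser that walks the directory tree, but the in-memory, size-capped inspection pattern is the same.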

All of this is attributed to the Sality virus author. Sality is a parasitic infector that uses DLL injection and encryption. It also carries a downloader payload that installs adware, remote access trojans, keyloggers, proxy servers and the like; this is yet another recent case of a parasitic virus delivering spyware.

Detection for the DOC file and the dropped downloader trojan (666inse_1.exe) will be included in the next DAT release as W97M/Dropexe and Generic Downloader.ab respectively. Existing W32/Sality.t detection (released May 31, 2006) covers the downloaded Sality virus.

Speaking of old vulnerabilities being targeted by malware, MS03-011 (patched more than 3 years ago) is still on the list of top threats reported by VirusScan Online customers (see Exploit-ByteVerify). Again, it is exploited by distributors of spyware in the form of drive-by downloads.