About a recently discovered 0-day vulnerability in Microsoft Word 2000
Tuesday September 5, 2006 at 2:43 am CST
Posted by Francois Paget
Yesterday McAfee Avert Labs updated the W32/Mofei.worm entry. This threat has recently been seen in the wild being dropped by Microsoft Office documents that used a 0-day exploit to compromise the victim’s computer.
To respond to some questions I received in Paris, I took a look at this sample.
The dropper is a malformed Microsoft Word document exploiting an undocumented and previously unknown vulnerability in Microsoft Word. The file I used for my tests is a three-page Japanese Word document, approximately 79,265 bytes in size. In the Properties window, the author and company names are both five-uppercase-letter strings beginning with the letter K. According to the Statistics tab, the document was created on September 1st.
After I opened this document (Office 2000 on a Windows 2000 machine), 2 files were silently installed in my %windir%\system32 directory:
- clipbook.dll (30,720 bytes)
- clipbook.exe (33,713 bytes)
A Word document was also created in the %windir% directory (28,160 bytes). It is a "clean" copy of the malformed one.
The files in the system32 directory are related to an old network-share propagation worm previously named W32/Mofei.worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines: it scans IP addresses and tries to gain access to the share using weak administrator usernames and passwords. It creates temp and/or log files in the system32 directory; on my system I noticed a file named clipbook.dat.
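As an added example (not code from the post or from Avert Labs), here is a small host sweep a responder could run to look for the artifacts described above: the two files dropped into %windir%\system32 with the reported sizes, the clipbook.dat temp/log file, and the 28,160-byte "clean" .doc copy left in %windir%. The file names and sizes are the ones the post reports; the function names, the `Finding` record and the constructed demo directory are this example's own assumptions.

```python
"""IOC sweep for the Mofei dropper artifacts described in the post.

Added example, not part of the original post. File names and sizes come
from the post; the matching logic, function names and the constructed demo
tree are this example's own assumptions.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Files dropped into %windir%\system32 (name -> size in bytes, as reported).
SYSTEM32_IOCS = {
    "clipbook.dll": 30720,
    "clipbook.exe": 33713,
}
# Temp/log file the worm creates in system32; its size varies, so match by name only.
SYSTEM32_SECONDARY = {"clipbook.dat"}
# "Clean" copy of the document written directly into %windir% (size as reported).
WINDIR_DOC_SIZE = 28160


@dataclass
class Finding:
    path: str
    indicator: str               # which IOC matched
    size: int
    size_matches: Optional[bool]  # None when the IOC carries no expected size


def scan_system32(system32_dir: str) -> List[Finding]:
    """Return findings for the dropped worm files in a system32 directory."""
    findings = []
    for name in os.listdir(system32_dir):
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            continue
        lower = name.lower()  # NTFS file names are case-insensitive
        size = os.path.getsize(path)
        if lower in SYSTEM32_IOCS:
            findings.append(Finding(path, lower, size, size == SYSTEM32_IOCS[lower]))
        elif lower in SYSTEM32_SECONDARY:
            findings.append(Finding(path, lower, size, None))
    return findings


def scan_windir(windir: str) -> List[Finding]:
    """Return any .doc file sitting directly in %windir% with the reported size."""
    findings = []
    for name in os.listdir(windir):
        path = os.path.join(windir, name)
        if name.lower().endswith(".doc") and os.path.isfile(path):
            size = os.path.getsize(path)
            if size == WINDIR_DOC_SIZE:
                findings.append(Finding(path, "windir .doc copy", size, True))
    return findings


def sweep(windir: str) -> List[Finding]:
    """Run both checks against a Windows directory (real or constructed)."""
    return scan_system32(os.path.join(windir, "system32")) + scan_windir(windir)


def build_demo_tree() -> str:
    """Constructed sample tree reproducing the post's artifacts (zero-filled, no real malware)."""
    root = tempfile.mkdtemp(prefix="mofei_demo_")
    sys32 = os.path.join(root, "system32")
    os.mkdir(sys32)
    for name, size in SYSTEM32_IOCS.items():
        # upper-case names on purpose: the scan must match case-insensitively
        with open(os.path.join(sys32, name.upper()), "wb") as f:
            f.write(b"\0" * size)
    with open(os.path.join(sys32, "clipbook.dat"), "wb") as f:
        f.write(b"log\n")
    with open(os.path.join(root, "report.doc"), "wb") as f:
        f.write(b"\0" * WINDIR_DOC_SIZE)
    # unrelated file that must not be flagged
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
        f.write(b"\0" * 10)
    return root


if __name__ == "__main__":
    # Demo run against the constructed tree; on a real host pass os.environ["WINDIR"].
    for hit in sweep(build_demo_tree()):
        print(f"{hit.indicator:18} {hit.size:>7} bytes  size_ok={hit.size_matches}  {hit.path}")
```

A size mismatch on clipbook.dll or clipbook.exe is reported rather than silently dropped, since a repacked variant would keep the name but not the byte count; clipbook.dat is reported on name alone because its size depends on what the worm has logged.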
The Microsoft Word dropper is now detected as W32/Mofei.worm.dr.
The .exe and .dll files are now detected as W32/Mofei.worm with DAT-4844. With older signature files, clipbook.exe is detected as "Trojan or variant New Malware.n" (since DAT version 4677).
