Abs.Net web Page


Be Careful of new Virus with MS Word like icon

Posted by Hari Saryono on 18 February 2009

A new virus was found (Feb 13, 2009) that uses an MS Word icon and has a filesize of 3,871 bytes. The symptoms are:

  • Upon opening the .doc file in Word, Word might crash completely.
  • Unexpected network traffic upon opening the file.
  • Presence of the file “jc.html”, having a filesize of 9,892 bytes.

This virus is known as XML_DLOADER.A (Trend Micro name).

Characteristics –

This detection covers a malicious Microsoft Word (.doc) document having a filesize of 3,871 bytes that attempts to exploit the CVE-2009-0075 vulnerability, patched by Microsoft in the MS09-002 patch release.

The Word document uses the XML file format. Upon opening the .doc file, Word may crash. However, it does not always crash; on some occasions nothing directly malicious is visible and Word opens the .doc file fine. A small red cross might be seen temporarily (for about a second or two) at the top left of the page.

There are no macros visibly embedded inside the .doc file.

However, the file appears to connect to an HTTP address.

A closer examination shows it contains an object with classid “CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389”.

This is a reference to the Microsoft Scriptlet Component, found in mshtml.dll.

The object is named DefaultOcxName and carries a param with name=URL and value=”http://www.chen####.com/bbs/images/alipay/mm/jc/jc.html”.

The exact URL is omitted on purpose here. The document tries to access the above website and download a file called “jc.html”; upon testing, this file had a filesize of 9,892 bytes. It is an obfuscated JavaScript file, and is detected as Exploit-XMLhttp.d trojan with DAT-5525 and above.
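As an added example (not code from the original post), the following Python helper scans a Word 2003 XML document for any object whose classid names the Scriptlet Component quoted above and pulls out the URL parameter it would load, which is a more reliable indicator than the 3,871-byte filesize. The sample document is constructed here, loosely modelled on Word's ActiveX markup (an assumption), and its URL is a placeholder, not the real one.

```python
import re
import xml.etree.ElementTree as ET

# CLSID of the Microsoft Scriptlet Component quoted in the post above.
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"
GUID_RE = re.compile(r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.I)


def _local(name):
    """Strip the namespace prefix ET puts in front of tag/attribute names."""
    return name.rsplit("}", 1)[-1]


def _url_param(obj):
    """Value of a name="URL" parameter under obj (<param> or <w:ocxPr>), else None."""
    for child in obj.iter():
        attrs = {_local(k).lower(): v for k, v in child.attrib.items()}
        if attrs.get("name", "").upper() == "URL":
            return attrs.get("value")
    return None


def find_scriptlet_objects(xml_bytes):
    """Return [(clsid, url)] per element whose classid names the Scriptlet Component."""
    try:
        root = ET.fromstring(xml_bytes)  # prefer defusedxml on untrusted files
    except ET.ParseError:
        return []  # binary .doc or otherwise not XML: nothing to inspect
    hits = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if _local(attr).lower() != "classid":
                continue
            match = GUID_RE.search(value)  # tolerates "clsid:{...}" wrapping
            if match and match.group(0).upper() == SCRIPTLET_CLSID:
                hits.append((SCRIPTLET_CLSID, _url_param(elem)))
    return hits


# Constructed sample in the Word 2003 XML namespace; the URL is a placeholder.
SAMPLE_DOC = b"""<?xml version="1.0"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
 <w:body><w:p><w:r><w:object><w:control w:name="DefaultOcxName">
  <w:ocx w:classid="clsid:{AE24FDAE-03C6-11D1-8B76-0080C744F389}">
   <w:ocxPr w:name="URL" w:value="http://example.invalid/jc.html"/>
  </w:ocx>
 </w:control></w:object></w:r></w:p></w:body>
</w:wordDocument>"""

if __name__ == "__main__":
    for clsid, url in find_scriptlet_objects(SAMPLE_DOC):
        print(f"Scriptlet Component {clsid} loading URL: {url}")
```

Because the scan is namespace-agnostic, the same function also catches the HTML-style `<object classid=...><param name="URL" .../>` form of the same embed.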

Method of Infection –

  • Infection starts with the user opening up the .doc file in Word, after which the file jc.html gets downloaded onto the system.

Removal –

  • Automatic Removal
    • Install McAfee / Trend Micro and install the latest updates.
  • Manual Removal
    • Unplug your LAN / internet connection.
    • Use Total Commander to find jc.html and delete it.
    • Find every file with the size 3,871 bytes. Check whether it is the virus (not every file you find is the virus, only files with the Word icon) and delete it.
    • Start / Run, type “regedit”, then find and delete AE24FDAE-03C6-11D1-8B76-0080C744F389 in the registry.
    • Restart your computer.
    • Check your MS Word again. Hopefully it works.
    • Plug your LAN cable back in and download the Microsoft patch (MS09-002) for this vulnerability.
