Exploit-PPT

This page shows the details and results of our analysis of the malware Exploit-PPT.

Overview

This detection covers a PPT file that exploits the MS06-012 vulnerability (also known as the routing slip vulnerability) in PowerPoint. AVERT has confirmed that the exploit works for Office 2000 under Windows XP. Office 2003 is not vulnerable.


Minimum DAT

4785 (2006-06-15)

Updated DAT

5371 (2008-08-27)

Minimum Engine

5400.1158

File Length

487,936 bytes

Description Added

2006-06-15

Description Modified

2006-06-20

Malware Proliferation

Characteristics

When a malicious PPT file is loaded into PowerPoint, the exploit triggers and control goes to MSROUTE.DLL, which passes it to the stack where the shellcode resides. The shellcode extracts a file from the PPT, drops it onto the local disk and executes it. This file is a downloader trojan: it tries to get a file from a URL (http://news.kimoo.com.tw/[censored]). At the time of writing this description, the URL was not responding.
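Because the dropped file is carried inside the PPT itself, one triage check is to look for a Windows executable embedded in an OLE2 document. The following is an added example, not part of the original description or of any vendor tooling; it assumes the payload is stored unencoded, which this page does not state, and the function names and sample bytes are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature


def is_ole2(data: bytes) -> bool:
    """True if the buffer starts with the OLE2 header used by legacy .ppt files."""
    return data[:8] == OLE2_MAGIC


def find_embedded_pe(data: bytes) -> list[int]:
    """Offsets where a DOS header's e_lfanew points at a valid 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        # e_lfanew (offset of the PE header) is a little-endian DWORD at 0x3C.
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # Bounding e_lfanew rejects stray "MZ" text and random byte pairs.
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Summarise a buffer: is it OLE2, and where do embedded PE images start?"""
    if not is_ole2(data):
        return {"ole2": False, "pe_offsets": []}
    # Assumption: payload is stored in the clear. An encoded payload (for
    # example XOR-obfuscated) would not match and needs the AV engine.
    return {"ole2": True, "pe_offsets": find_embedded_pe(data)}


def build_sample() -> bytes:
    """Constructed test buffer: OLE2 header, a stray 'MZ' string, then a PE stub."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)   # PE header follows the DOS stub
    pe_stub = b"PE\0\0" + bytes(20)
    return OLE2_MAGIC + bytes(504) + b"MZ stray text" + bytes(51) + bytes(dos) + pe_stub


if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit is only a reason to inspect the file further, since legitimate documents can embed OLE objects; detection and removal still rely on the engine and DAT versions listed above.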

Symptoms

Method of Infection

When the PPT file is opened, malicious code is executed automatically using a vulnerability in PowerPoint.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants