This page shows details and results of our analysis of the malware Exploit-PPT.


This detection covers a PPT file that exploits the MS06-012 vulnerability (also known as the routing slip vulnerability) in PowerPoint. AVERT has confirmed that the exploit works for Office 2000 under Windows XP. Office 2003 is not vulnerable.

Minimum DAT

4785 (2006-06-15)

Updated DAT

5371 (2008-08-27)

Minimum Engine


File Length

487,936 bytes

Description Added


Description Modified


Malware Proliferation


When a malicious PPT file is loaded into PowerPoint, the exploit triggers and control goes to MSROUTE.DLL, which passes it to the stack where the shellcode resides. The shellcode extracts a file from the PPT, drops it onto the local disk and executes it. This file is a downloader trojan: it tries to get a file from a URL (http://news.kimoo.com.tw/[censored]). At the time of writing this description, the URL was not responding.


Method of Infection

When the PPT file is opened, malicious code is executed automatically using a vulnerability in PowerPoint.


All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.