Overview
This trojan is installed by Exploit-MSWord.b via a 0-day Microsoft Word vulnerability.
|
Minimum DAT
5161 (2007-11-12) Updated DAT5161 (2007-11-12) |
Minimum Engine
5.1.00 File Length42,496 bytes |
Description Added
2007-11-10 Description Modified2007-11-10 |
Malware Proliferation
Characteristics
This trojan is embedded inside a MS Word document which takes advantage of a MS Word vulnerability. When run, it attempts to open MS Word and users may experience the application failing to load. The MS Word doc itself is detected as Exploit-MSWord.b witht he 5161 DATS.
It drops the two following files into the %SYSDIR% folder:
- KSDHCP.AX - detected as Muster trojan by the 5161 DATS
- WMI32.EXE - detected as Muster trojan by the 5161 DATS
The following registry key is created so that one of the dropped components will load after a restart:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe C:\WINDOWS\System32\wmi32.exe
This trojan runs in memory and attempts to connect to www.google.com to check if there is a valid connection. Once it establishes a connection it will then try to visit the following site to download other malware:
- QIQI.[removed].NET
At the time of writing this description the site was no longer available.
Symptoms
Method of Infection
This threat found to be installed by Exploit-MSWord.b via a 0-day Microsoft Word vulnerability in the wild.
Removal
Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
Variants