This page shows details and results of our analysis on the malware Exploit-PPT

Download Current DAT

Threat Detail

  • Malware Type: Trojan
  • Malware Sub-type: Exploit
  • Protection Added: 2006-06-15

This detections covers a PPT file that exploits the MS06-012 vulnerability (also known as routing slip vulnerability) in PowerPoint.  AVERT has confirmed that the exploit works for Office 2000 under Windows XP. Office 2003 is not vulnerable.

Minimum Engine


File Length

487,936 bytes

Description Added


Description Modified


Malware Proliferation

When a malicious PPT file is loaded into PowerPoint the exploit triggers and control goes to MSROUTE.DLL which passes it to the stack where the shellcode resides. The shellcode extracts a file from the PPT, drops it onto the local disk and executes it. This file is a downloader trojan - it tries to get a file from a URL ([censored]). At the time of writing this description the URL was not responding.

When the PPT file is opened malicious code is executed automatically using a vulnerability in PowerPoint.

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.