Chinese malware authors launch Microsoft Word Zero-Day exploits

Posted: 23-May-2006 19:14

Alerts are coming out about new malware that exploits a hitherto unknown vulnerability in Microsoft Word. Apparently China-based attackers are sending out email messages with Word attachments. These in turn contain malicious code that installs Trojan Horses on Windows PCs, which can then be remotely controlled by the attackers.

Local anti-virus distributor Chillisoft sent out an early alert about the exploits. Ironically enough, its PR agency used a Word attachment for the alert.

Chillisoft says the malware is known as Win32/Exploit.MSWord.Smtag or Win32/GinWui and it may pass through existing protection systems. Microsoft's Security Research Centre has a fix undergoing testing but Chillisoft says it won't be out until the June security update rollup.

Chillisoft is the distributor for Eset NOD32 anti-virus, and claims its product is able to block any attempt at using the Word Zero-Day vulnerability. It quotes Andreas Marx of AV-Test in Germany, who says Eset was the first anti-virus company with signatures in place to stop the Trojan Horse, and also that the generic detection was able to halt the malware.

US IT security organisation eEye was also early out of the blocks with alerts on the Zero-Day exploits. It says the messages appear to have been sent by someone in the target's organisation and that simply opening the file compromises the system. Two variants have been found in the wild, eEye says: GinWui.A and GinWui.B.

The attacks have been "hand crafted" and targeted so far, eEye states, with only a handful of systems being hit.

The email subject lines eEye has spotted are:

"RE Plan for final agreement"

and the file names for two Word document attachments reported are:


All versions of Word are susceptible to the flaw, according to eEye. The exploit gives the attacker rights in the same context as the user being hit - if you run as Administrator, the entire system is open to be exploited.

Be careful with those Word document attachments...


Content copyright © Juha Saarinen.