Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    10:04 am (UTC-7)   |    by

    While China is bracing for the 2008 Summer Olympics that it will be hosting in the capital of Beijing from August 8 to August 24, 2008, malware authors are now also busy mounting attacks that play on this quadrennial sporting event.

    Reports have surfaced about a zero-day MS Word vulnerability affecting Microsoft Word 2002 Service Pack 3. It is said to affect even patched versions of the popular word-processing application on certain MS Office versions. When exploited, the unspecified remote code-execution vulnerability could allow remote attackers to take complete control of an affected system, or cause the application to crash.

    TrendLabs experts confirm that there are malicious .DOC files spreading in the wild, adding the following observation: these use the imminent Olympics to get more users to click on them.

    The samples that TrendLabs has come across are detected as TROJ_MDROPPER.ZT and have the following file names:

    • attachment .doc
    • appeal_letter_of_fttj.doc
    • attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijing.doc
    • lingotto_con_fiat.doc
    • tibetan_independence_vs_beijing_olympic.doc

    Here are screenshots of two of these files:

    These files are zero-day exploits under CVE-2008-2244.

    Furthermore, TrendLabs has seen more than just Trojanized Word files; there are also Trojan samples of .PPT and .XLS circulating, all having to do with the Olympics and the Tibet conflict. The conflict is related to the Olympics as it has spurred pro-Tibetan parties to call for an Olympic boycott.

    Here are screenshots of the PowerPoint samples:

    And a screenshot of one Excel file:

    Trend Micro detects the malicious Excel files as TROJ_MDROPPER.ZY, and the PowerPoint files as TROJ_PPDROP.M. It is important to note that these files are not confirmed to have zero-day vulnerabilities as of yet. Please stand by for updates.

    With 10,500 athletes expected to compete in 28 sports, the Olympics is the most prestigious affair of its kind, and as such commands a worldwide audience. It is thus expected that it will be included in malicious users’ arsenal of social engineering techniques.

    We have already seen it referred to in four separate incidents this year alone, as detailed in these posts:

    • Trojanized .DOC Files in Targeted Attack
    • Trojanized Word Docs Used in Another Targeted Attack
    • Spam Buys Tickets to Euro 2008
    • Storm Makes Fake Quake Felt

    Trend Micro Smart Protection Network already got Trend Micro customers covered by blocking this threat. We urge non-Trend Micro to beware of this particular attack and to use appropriate protection.

    Updates as of July 10, 2008, 3:00 PM, PST


    Upon successful exploitation, TROJ_MDROPPER.ZT executes a shell code which executes an embedded file. The embedded file may be any of the following:

    (Note: %System% is the Windows system folder, which is usually C:WindowsSystem on Windows 98 and ME, C:WINNTSystem32 on Windows NT and 2000, or C:WindowsSystem32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:Windows or C:WINNT.)

    Involved exploit is similar to a previously patched vulnerability, which also allows remote code execution. More information on this vulnerability can be found on this Microsoft page.


    Upon successful exploitation, TROJ_MDROPPER.ZY drops the following files:

    (Note: %User Temp% is the current user’s Temp folder, which is usually C:Documents and Settings{user name}Local SettingsTemp on Windows 2000, XP, and Server 2003.)


    Upon successful exploitation, TROJ_PPDROP.M drops the following files:

    Both TROJ_MDROPPER.ZY and TROJ_PPDROP.M are not zero-day exploits.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice