Alert Raised for MS Word Zero-Day Attack | eWeek

Alert Raised for MS Word Zero-Day Attack

Written By
Ryan Naraine
Ryan Naraine
May 19, 2006
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A zero-day flaw in the ubiquitous Microsoft Word software program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers.

Symantecs DeepSight Threat Analyst Team has escalated its ThreatCon level after confirming the unpatched vulnerability is being used “against select targets.”

The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail. However, when the document is launched by the user the vulnerability is triggered to drop a backdoor with rootkit features to mask itself from anti-virus scanners.

The SANS ISC (Internet Storm Center) said in a diary entry that it received reports of the exploit from an unnamed organization that was targeted. “The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software,” said Chris Carboni, an ISC incident handler tracking the attack.

When the .doc attachment is opened, it exploits a previously unknown vulnerability in Microsoft Word and infects a fully patched Windows system. The exploit functioned as a dropper, extracting and launching a Trojan that immediately overwrites the original Word document with a “clean,” uninfected copy.

“As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new clean file is opened without incident,” the ISC explained.

Microsoft has been notified and is working with security researchers to investigate the bug.

Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs, said the attack “feels like espionage, perhaps industrial.”

After looking at a sample of the malware code, Thompson said the backdoor is programmed to call back to a server in China to report information about what the infected system looks like.

In addition to providing reconnaissance, the backdoor can connect to specified addresses to receive commands from the malicious attacker.

Finnish anti-virus vendor F-Secure said a successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

The ISC said the attack was traced to the Far East, with domains and IP addresses associated with the Trojan registered in China and Taiwan. “The [attack] e-mails received originated from a server in that region. The attackers appear to be aware that they have been outed, and have been routinely changing the IP address associated with the URL above,” the Storm Center said.

Symantecs DeepSight team said the exploit successfully executes shellcode when it is processed by Microsoft Word 2003. The malicious file caused Microsoft Word 2000 to crash, but shellcode execution did not occur.

As a temporary mitigation method, Symantec is recommending that Microsoft Word document e-mail attachments be blocked at the network perimeter. “Furthermore, extreme caution should be exercised while processing Microsoft Word attachments received as an unexpected e-mail Attachment,” company officials said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.