New PowerPoint Trojan emerges

By Steve Malone

Posted on 22 Aug 2006 at 10:52

A new PowerPoint zero-day Trojan is making the rounds. The vulnerability appears to be a new one and is unrelated to the one fixed in MS06-048 that has already been the subject of a series of attacks.

Although details are sketchy at present, according to Trend Micro, it appears the Trojan is borne by a specially crafted .PPT file that arrives on a system either downloaded from the Internet or dropped by other malware and attempts to exploit vulnerability in PowerPoint.

The dropper file that has been designated TROJ_MDROPPER.BH then drops a randomly named .exe file dubbed TROJ_SMALL.CMZ in the Windows Temporary folder. When the file executes it allows an attacker to take complete control of an affected system and run arbitrary code.

The Trojan attempts to download all manner of malware from hacker websites and will probably recruit the machine into a botnet. Although the origin of the Trojan is not known, one of the hacker websites traced is apparently located in Taiwan.

According to reports, Microsoft PowerPoint installations used in Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected. All versions of PowerPoint are said to be affected.

There has been no official response from Microsoft at the time of writing. However, if the vulnerability is confirmed, the earliest the users can expect a fix is the next patch Tuesday, scheduled for 12 September. Until then, it is advisable not to open any unsolicited PowerPoint files. Also remember it is possible to include malicious Microsoft Power Point files as embedded files to Microsoft Word files, or Microsoft Excel files. As ever, users are advised to keep their anti-virus software up to date.