Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution
http://www.microsoft.com/
Products affected:
Microsoft Office PowerPoint 2000 Service Pack 3
Microsoft Office PowerPoint 2002 Service Pack 3
Microsoft Office PowerPoint 2003 Service Pack 3
Microsoft Office 2004 for Mac
Product not affected:
Microsoft Office PowerPoint 2007
Microsoft will take the appropriate action to protect its customers, which may include providing a solution through its monthly security update release process or an out-of-cycle security update, depending on customer needs.
More information about the vulnerability is available at the links below:
Security Focus
http://www.securityfocus.com/bid/34351/info
CERT - Vulnerability Note VU#627331
http://www.kb.cert.org/vuls/id/627331
There are three viruses in the wild that exploit this vulnerability.
Please refer below for more details:
Detection:
> Symantec detects the malicious PowerPoint file as: Trojan.PPDropper.H.
> Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.AB. The files dropped are detected as TROJ_KUPS.F and BKDR_KUPS.F
> Microsoft detects the malicious PPT as Exploit:Win32/Apptom.gen. The dropped files are detected by Microsoft as TrojanDropper:Win32/Apptom.A, TrojanDropper:Win32/Apptom.B, TrojanDropper:Win32/Apptom.C and Trojan:Win32/Cryptrun.A.
Behavior:
The Trojan arrives as the following email attachment:
[RANDOM FILE NAME].ppt
Once the .ppt is opened, it drops and executes an additional file by exploiting the following Microsoft PowerPoint vulnerability:
Microsoft PowerPoint File Parsing Remote Code Execution Vulnerability (BID 34351)
The dropped file may create additional files on the compromised computer, after which the Trojan deletes the dropped file. At the time of writing, the following files were created:
%Temp%\PeerCM.exe
%ProgramFiles%\Internet Explorer\IEUpd.exe
%ProgramFiles%\Internet Explorer\IEXPLORE.hlp
%ProgramFiles%\Internet Explorer\ws2_42.dat
%ProgramFiles%\Internet Explorer\ws2_42.dll
%ProgramFiles%\Internet Explorer\ws2help.dll
MD5 & SHA1 hashes:
Please be careful about files with the below MD5 & SHA1 Hashes:
MD5: 8fa472db5f85ce73d589b22979efff
SHA1: e50c6512d307d41f61e1150128add9
MD5: ea1fb578a65098f1813cbf0d5f1fa9
SHA1: cc2b9284b9396f36b61aca17b06a42
MD5: 301d3e6dff463163c15e9a612048a0
SHA1: b08d1ca322e8de04bb920a227ad34c
MD5: 5de89ec7545b90d42c417501a810e9
SHA1: f9b5b020d96540695d76c9a43ca9da
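As an added example, not part of the original advisory or of any vendor's tooling, the following Python script turns the indicators above into a host check for an incident responder: it expands the listed dropped-file paths and reports which of them exist, and it hashes PowerPoint files under a directory and compares the MD5/SHA1 against the advisory's list. The hash strings are copied from the advisory exactly as printed there; the directory to scan, the environment mapping used for expansion, and the sample file names in the usage are assumptions.

```python
import hashlib
import os
import re
from pathlib import Path

# Dropped-file artifacts as listed in the advisory (Windows-style paths).
DROPPED_FILES = [
    r"%Temp%\PeerCM.exe",
    r"%ProgramFiles%\Internet Explorer\IEUpd.exe",
    r"%ProgramFiles%\Internet Explorer\IEXPLORE.hlp",
    r"%ProgramFiles%\Internet Explorer\ws2_42.dat",
    r"%ProgramFiles%\Internet Explorer\ws2_42.dll",
    r"%ProgramFiles%\Internet Explorer\ws2help.dll",
]

# Hash strings copied from the advisory as printed there; compared case-insensitively.
KNOWN_BAD_MD5 = {
    "8fa472db5f85ce73d589b22979efff",
    "ea1fb578a65098f1813cbf0d5f1fa9",
    "301d3e6dff463163c15e9a612048a0",
    "5de89ec7545b90d42c417501a810e9",
}
KNOWN_BAD_SHA1 = {
    "e50c6512d307d41f61e1150128add9",
    "cc2b9284b9396f36b61aca17b06a42",
    "b08d1ca322e8de04bb920a227ad34c",
    "f9b5b020d96540695d76c9a43ca9da",
}

_VAR = re.compile(r"%([^%]+)%")


def expand_windows_path(win_path, env=None):
    """Expand %VAR% tokens (case-insensitive, as Windows does) and map
    backslashes to the host separator. Unknown variables are left as-is."""
    env = os.environ if env is None else env
    lookup = {k.lower(): v for k, v in env.items()}
    expanded = _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), win_path)
    return Path(expanded.replace("\\", os.sep))


def find_dropped_files(env=None, candidates=DROPPED_FILES):
    """Return the artifact paths from the advisory that exist on this host."""
    return [p for p in (expand_windows_path(c, env) for c in candidates) if p.is_file()]


def file_hashes(path, chunk=1 << 16):
    """Stream a file through MD5 and SHA1; returns lowercase hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def scan_for_known_bad(directory, bad_md5=KNOWN_BAD_MD5, bad_sha1=KNOWN_BAD_SHA1, suffix=".ppt"):
    """Hash every file with the given suffix (case-insensitive) under directory
    and return (path, md5, sha1) for each one whose hash is on the bad list."""
    bad_md5 = {h.lower() for h in bad_md5}
    bad_sha1 = {h.lower() for h in bad_sha1}
    hits = []
    for path in Path(directory).rglob("*"):
        if not path.is_file() or path.suffix.lower() != suffix:
            continue
        md5, sha1 = file_hashes(path)
        if md5 in bad_md5 or sha1 in bad_sha1:
            hits.append((str(path), md5, sha1))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_ppt_iocs.py <directory-with-mail-attachments>
    for p in find_dropped_files():
        print(f"dropped-file artifact present: {p}")
    for path, md5, sha1 in scan_for_known_bad(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"known-bad PowerPoint file: {path} md5={md5} sha1={sha1}")
```

The path expansion is done by hand rather than with os.path.expandvars so the same check runs from a non-Windows forensic workstation against a mounted image (pass an env mapping such as {"ProgramFiles": "/mnt/evidence/Program Files"}); variables that are not supplied stay unexpanded and simply report as absent.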
An analysis of the exploit is available at the link below:
Investigating the new PowerPoint issue
http://blogs.technet.com/srd/archive/2009/04/02/investigating-the-new-powerpoint-issue.aspx
Source: MMPC Blog
http://blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx