Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Exploit-MSword.a Question


  • Please log in to reply
21 replies to this topic

#1 Nawtheasta

Nawtheasta

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 05 August 2011 - 09:21 PM

Dell XPS sustem, Win 7 Ultimate, 64 bit
In reviewing my McAfee security center I noticed that three scans ago, July 22, McAfee quarantined 5 Trojans, Exploit-MSword.a I have no symptoms of infection except the quarantine notice from the McAfee scan report.
These were all associated with a specific word docx. document This looks like a document I created and I see nothing special about it. Looks like I did cut and paste some text from a Yahoo E-Mail.
Just to be on the safe side I copied the text from the preview view and saved that to a 97-2006 doc. Made a folder and struck the original in there marked bad.
Two questions
McAfee indicates that Trojan has been quarantined but the original document is still in it's original folder.Was the Trojan piggybacked onto the docx. document thus allowing the bad stuff to be quarantined separately from the document itself or would opening this document reinfect the system?
I believe I have read that viewing a document in preview is safe. Is this the case?


Updated and did a quick scan with MBAM, all clear

Updated and did a full scan with SAS.
5 regular tracking cookies and one cookie marked b.ads2msads.net ( Flash Cookie?)SAS quarantined and removed.

Just kind of curious about this. Input is welcome.
Thanks in advance
Nawtheasta

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:08 PM

Posted 06 August 2011 - 12:58 PM

A vulnerability exists in Microsoft Word that could allow for arbitrary code execution. This could be exploited successfully if a victim were to open a specially crafted Word document obtained via an email attachment or downloaded from a malicious website.

Microsoft Word is an industry standard word processing application. A vulnerability is present in Microsoft Word that may allow for arbitrary remote code execution. The flaw lies in processing of Microsoft Word documents containing certain malformed data structures. The resulting memory corruption could allow a remote attacker the ability to execute code at the rights level of the victim.

Microsoft Word Malformed Data Structures Vulnerability

If you suspect a file was falsely detected (a false positive) or appears suspicious, then you should submit a sample to the anti-virus's lab for analysis. Most anti-virus vendors have instructions for sample file submissions posted on their web sites. Once a file is received, a technician can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

McAfee VirusScan includes the ability to submit suspicious files directly from the Quarantine feature to the McAfee AntiVirus Emergency Response Team (AVERT) for research. See Submit a Sample To McAfee. You can also use the McAfee Labs Tool via ServicePortal & Platinum Portal.


Cookies are text string messages given to a Web browser by a Web server. Whenever you visit a web page or navigate different pages with your browser, the web site generates a unique ID number which your browser stores in a text (cookie) file that is sent back to the server each time the browser requests a page from that server. Cookies allow third-party providers such as ad serving networks, spyware or adware providers to track personal information. The main purpose of cookies is to identify users and prepare customized Web pages for them.

  • Persistent cookies have expiration dates set by the Web server when it passes the cookie and are stored on a user's hard drive until they expire or are deleted. These types of cookies are used to store information between visits to a site and collect identifying information about the user such as surfing behavior or preferences for a specific web site.
  • Session (transient) cookies are not saved to the hard drive, do not collect any information and have no set expiration date. They are used to temporarily hold information in the form of a session identification stored in memory as you browse web pages. These types of cookies are cached only while a user is visiting the Web server issuing the session cookie and are deleted from the cache when the user closes the session.
Cookies can be categorized as:
  • Trusted cookies are from sites you trust, use often, and want to be able to identify and personalize content for you.
  • Nuisance cookies are from those sites you do not recognize or often use but somehow it's put a cookie on your machine.
  • Bad cookies (i.e. persistent cookies, long term and third party tracking cookies) are those that can be linked to an ad company or something that tracks your movements across the web.
The type of persistent cookie that is a cause for some concern are "tracking cookies" because they can be considered a privacy risk. These types of cookies are used to track your Web browsing habits (your movement from site to site). Ad companies use them to record your activity on all sites where they have placed ads. They can keep count of how many times you visited a web page, store your username and password so you don't have to log in and retain your custom settings. When you visit one of these sites, a cookie is placed on your computer. Each time you visit another site that hosts one of their ads, that same cookie is read, and soon they have assembled a list of which of their sites you have visited and which of their ads that you have clicked on. Cookies are used all over the Internet and advertisement companies often plant them whenever your browser loads one of their banners.

Cookies are NOT a "threat". As text files they cannot be executed to cause any damage. Cookies do not cause any pop ups or install malware and they cannot erase or read information from a computer.

Cookies cannot be used to run code (run programs) or to deliver viruses to your computer.

Microsoft's Description of Cookies

To learn more about Cookies, please refer to:Flash cookies (or Local Shared Objects) and Evercookies are a newer way of tracking user behavior and surfing habits but they too are not a threat, nor can they harm your computer.

An Evercookie is a Javascript API created and managed persistent cookie which can be used to identify a user even after they have removed standard and Flash cookies. This is accomplished by creating a new cookie and storing the data in as many storage locations (currently eight) as it can find on the local browser. Storage mechanisms range from Standard HTTP and Flash cookies to HTML5's new storage methods. When evercookie finds that other types of cookies have been removed, it recreates them so they can be reused over and over.Flash cookies are cookie-like data stored on a computer and used by all versions of Adobe Flash Player and similar applications. They can store much more information than traditional browser cookies and they are typically stored within each user’s Application Data directory with a ".SOL" extension, under the Macromedia\FlashPlayer\#SharedObjects folder. Unlike traditional cookies, Flash cookies cannot be managed through browser controls so they are more difficult to find and remove. However, they can be viewed, managed and deleted using the Website Storage Settings panel at Macromedia's Support Site. From this panel, you can change storage settings for a website, delete a specific website or delete all sites which erases any information that may have been stored on the computer. To prevent any Flash Cookies from being stored on your computer, go to the Global Storage Settings panel and uncheck the option “Allow third-party Flash content to store data on your computer”. For more information, please refer to:As long as you surf the Internet, you are going to get cookies and some of your security programs will flag them for removal. However, you can minimize the number of them which are stored on your computer by referring to:Third party utilities to Manage (view & delete) Cookies:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 06 August 2011 - 03:12 PM

Thank you very much quietman7 for your detailed response.
I use this computer for my small business ( A company of one.). I get paranoid over any potential problems.
I am still a bit puzzled about the quarantined items.The document named in the quarantine information by McAfee is still present in my computer. I believe I created and named this this around 7/20. For the most part it only contains my own typing. I use Yahoo Email. I had received an E mail from a vendor. It appears I opened a reply window and cut and pasted text from that into this document. There was no attachment with that E mail.
I had two copies of this docx.One in a customers folder and one in the vendors folder.Since McAfee shows the name of this document in 5 separate quarantines all from the same time I might have thought that the document itself was quarantined however this does not seem to be the case. Both copies appeared to be still present in their original folders and when highlighted the text is visible in the preview feature. It contains notes I made to myself regarding a customer quotation.
If not the entire docx. document what did McAfee quarantine?
Also where this document has cost and pricing information I am a bit reluctant to submit the quarantined item to McAfee if I thought it would contain the text.
I thank you again for your input.
Best Regards
Nawtheasta

#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 07 August 2011 - 07:58 AM

What version of Microsoft Word do you use?
When you say that it "looks" like a document you created, does it mean that you are not sure?
Could it also be a document that was mailed to you or you downloaded?
And that vendor that send you an e-mail? Do you know and trust this vendor? Did you expect said e-mail?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 07 August 2011 - 10:24 AM

Hi Didier Stevens and thanks for your response!
Just purchased this Dell in April. Also bought the latest version of MS Office from Dell.The version of word is " Word 2010".
Documents are "docx"
When I say this looks like a document I created I have to say yes. Where this document contains my current notes the most likely way it was created is that I just made a new word document in the customer or vendors folder. It has a unique name that I saved it as. Like 'XYZCompanyquotationinfo".
I have downloaded a few attachments from other vendors that were word documents. Nothing from this vendor though.
When I make an important or useful document I will sometimes save it to the vendor folder and then save the identical one to the customers folder or vise versa. That's what I appear to have done with this.
The McAfee quarantine location is listed as C:\users\myname\AppData\Roaming\MicrosoftwordXYZCompanyquotationinfo (then numbers).
I also just looked at the customer and vendor folders. This had been the only docx document in either. Others are word 1997-2003
The vendor is from Italy. I have done business with them for 15+ years.The Yahoo E mail from them was a response to my inquiry regarding current pricing for their product. Any text transferred to my document was a cut and paste from the regular Yahoo E mail text. Not a download.
Thanks again for your input
Best Regards
Nawtheasta

#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 07 August 2011 - 02:47 PM

Is it Word 2010 32-bit or 64-bit?

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 07 August 2011 - 02:57 PM

Windows 7 Ultimate 64 bit. MS Office was installed by Dell at time of purchase.
Also, I have no symptoms or problems. McAfee seemed to deal with it during the regular scan on July 22. There have been two scans since with nothing found. Curious about it because it just seems odd. I did use the highlighter tool on some of the text. Don't know if that has any meaning.
Regards
Nawtheasta

Edited by Nawtheasta, 07 August 2011 - 03:05 PM.


#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 07 August 2011 - 03:08 PM

No, I want to know if MS Office 2010 you have is 32-bit or 64-bit, not Windows 7. Take a look in the About File / Help dialog.

Edited by Didier Stevens, 07 August 2011 - 03:37 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 07 August 2011 - 03:40 PM

Sorry, I just assumed everything would be 64 bit.
I opened a created docx. document and it shows that it is Version 14.05128.5000 ( 32 bit)
I hope this answers your question.Please let me know if you need more info.
Thanks for your responses.
Best Regards
Nawtheasta

#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 08 August 2011 - 07:56 AM

No problem, many applications are still 32-bit only (32-bit applications run fine on 64-bit Windows). MS Office 2010 is the first Office version to come out in 64-bit version.

If you would have had 64-bit Office, then we could have been sure that your machine was not infected, since Exploit-MSWord.a was discovered in 2006 (Exploit-MSWord.a), long before 64-bit office came out, so it has to be a 32-bit exploit.

Since you haven't received any suspicious e-mail attachments, and that you believe you created the file that was quarantined yourself, there a significant chance it is a false positive.
Sending the file to an AV service like VirusTotal.com would help us determine if it is a false positive or not, but you mentioned that this is not an option. We could try indirectly, e.g. by looking up the hash of the quarantined file on VirusTotal. Do you know how to calculate an MD5 hash?

Edited by Didier Stevens, 08 August 2011 - 07:57 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 08 August 2011 - 11:08 AM

I was curios about the location shown in the quarantine info.
C:\Users\User\AppData\Roaming\Microsoft\Word. I did a Google search and this is what I found

C:\Users\User\AppData\Roaming\Microsoft\Word
These are the files offered when word restarts and gives you the Document Recovery Pane.

I do remember that word did crash one time with the new computer. These could have been created during that incident. Don't know how that may be related to Exploit a unless the legitimate autosave function some how looks similar to the potential Trojan.
Regarding MD5 hash. No I would have no idea how to do that but I would be willing to have a go.Can you advise what to do?
I do appreciate your time in answering me. If however this is too technical or time consuming for you to advise about this further I would understand.
Best Regards
Nawtheasta

#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 09 August 2011 - 04:25 AM

Here's some more info that affirms my idea you are dealing with a false positive. People have had this before with McAfee:
http://forums.majorgeeks.com/showthread.php?t=242036

Here's howto calculate the MD5.
Download hashmyfiles.zip from NirSoft: http://www.nirsoft.net/utils/hash_my_files.html
Extract hashmyfiles.exe and run it (there is no install).
Add your quarantined Word document.
The MD5 hash will be listed under MD5. Report the value here please (to copy to the clipboard: select the line for your Word file and hit F7).

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#13 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 09 August 2011 - 08:22 AM

Hi Dider
I understand the steps outlined except one. How do I add the quarantined item without removing it from quarantine? The McAfee quarantined item report does show a C:\ location. Do I just cut and paste this??
Regards
Nawtheasta

#14 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:08 AM

Posted 09 August 2011 - 08:56 AM

Didn't you get the file out of quarantine? You wrote:

Made a folder and struck the original in there marked bad.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#15 Nawtheasta

Nawtheasta
  • Topic Starter

  • Members
  • 398 posts
  • OFFLINE
  •  
  • Location:New England, USA
  • Local time:07:08 PM

Posted 09 August 2011 - 10:15 AM

Hi Didier
No I did not remove it from quarantine. That was one of the puzzling aspects of this. That is why I was asking if quarantined why did the file still seem to be in the original folder?
When I became aware that McAffe had indicate a problem what I did was single click the document making a preview show up. I cut and pasted the text into a 1997-2003 document and saved it. I took the original docx. document and moved it into a new folder marked bad.
I have looked again at the quarantine information. I wish I could cut and past this but it does not let me.
It shows the document name like this XYZCompanyquotationinfo(autosaved30164680188...
The location listed does not mention autosave. I would guess that it is the autosave copies that were quarantined?? Since the original was not quarantined might that be an additional indicator of a false positive?
Best Regards
Nawtheasta




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users