May 19, 2006
Zero day MS-Word exploit in the Wild
This is rated low-risk by every vendor and it is not widespread, but people should still be careful with unsolicited or suspicious Word documents.
MDropper Trojan - Exploits Zero Day vulnerability in MS Word
http://vil.mcafeesecurity.com/vil/content/v_139539.htm
http://www.sarc.com/avcenter/venc/data/trojan.mdropper.h.html
http://secunia.com/virus_information/29277/mdropper.h/
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ginwui.html
Trojan.Mdropper.H is a Trojan horse that downloads other risks onto the compromised computer. This Trojan exploits a 0 day Microsoft Word vulnerability to drop Backdoor.Ginwui.
Thanks to my friend Harry Waldron for the update.
Posted by Roger Grimes on May 19, 2006 06:40 AM
COMMENTS
A fellow MVP, Sandi Hardmeier, noticed that the first CLSID listed in the McAfee web link can be expected to appear on every Windows PC. It is a Microsoft CLSID for non-PnP legacy drivers. The first CLSID listed is okay to find, but the second is probably indicative of an infection.
Per Sandi:
What I'm saying is, I do not believe that the existence of this first key is indicative of infection:
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{8ecc055d-047f-11d1-a537-0000f8753ed1}
This one, on the other hand, would make me look twice:
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\legacy_gui30svr\0000\driver = "{8ECC055D-047F-11D1-A537-0000F8753ED1}\0024"
Every Windows PC I have checked *does* have the first key, but does *not* have the second.
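The distinction Sandi draws above (the class GUID key is on every Windows box, the LEGACY_GUI30SVR instance key is not) turns into a simple host check. The script below is an added example, not part of the original post or of any vendor's tooling: it looks for the Enum\Root\LEGACY_GUI30SVR key named in the comment and reads its Driver value, and treats the class key as informational only. Checking CurrentControlSet alongside ControlSet001 is this example's own assumption (the active control set is not always ControlSet001), as is the exit-code convention.

```powershell
# Added example (not from the original post): check a Windows host for the
# Backdoor.Ginwui indicator discussed above. The class GUID key exists on every
# Windows install (it is the LegacyDriver device class), so only the
# Enum\Root\LEGACY_GUI30SVR key counts as a finding. Key and value names come
# from the comment; the extra control set and exit codes are assumptions.

$ClassGuid   = '{8ECC055D-047F-11D1-A537-0000F8753ED1}'
$ServiceKey  = 'LEGACY_GUI30SVR'                  # Enum\Root key from the comment
$ControlSets = @('ControlSet001', 'CurrentControlSet')

function Test-GinwuiIndicator {
    $findings = @()
    foreach ($cs in $ControlSets) {
        $classKey = "HKLM:\SYSTEM\$cs\Control\Class\$ClassGuid"
        $enumKey  = "HKLM:\SYSTEM\$cs\Enum\Root\$ServiceKey"

        # Expected on every PC; log it for context but do not flag it.
        if (Test-Path $classKey) {
            Write-Verbose "$classKey present (expected, not an indicator)"
        }

        # The suspicious part: a non-PnP service instance named gui30svr.
        if (Test-Path $enumKey) {
            Get-ChildItem $enumKey | ForEach-Object {
                $driver = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Driver
                $findings += [pscustomobject]@{
                    ControlSet   = $cs
                    Instance     = $_.PSChildName          # e.g. 0000
                    Driver       = $driver                 # e.g. {8ECC055D-...}\0024
                    MatchesClass = ($driver -like "$ClassGuid\*")
                }
            }
        }
    }
    return $findings
}

$hits = Test-GinwuiIndicator
if ($hits) {
    Write-Output "Possible Backdoor.Ginwui indicator found:"
    $hits | Format-Table -AutoSize
    exit 1
}
else {
    Write-Output "No $ServiceKey key found in the checked control sets."
    exit 0
}
```

Run it from an elevated PowerShell prompt with `-Verbose` to also see the benign class key; a hit only tells you the legacy service was registered, so confirm with the vendor write-ups linked above before treating the host as compromised.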