Hi all, Just an FYI, there is a neat little PowerPoint Trojan that we received from a helpful source yesterday. It appears to be exploiting this vuln: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx I extracted the PE file(s) out of the ppt and got only 3 recognizing the file as malicious: I have the binary to available AV vendors by request. I found the blind drop and have recovered all the stolen files. Thanks. Antivirus Version Update Result AntiVir 6.34.0.24 04.20.2006 no virus found Avast 4.6.695.0 04.21.2006 no virus found AVG 386 04.21.2006 no virus found Avira 6.34.0.56 04.21.2006 no virus found BitDefender 7.2 04.22.2006 Trojan.PPT.A CAT-QuickHeal 8.00 04.21.2006 no virus found ClamAV devel-20060202 04.22.2006 no virus found DrWeb 4.33 04.21.2006 BACKDOOR.Trojan eTrust-InoculateIT 23.71.136 04.22.2006 no virus found eTrust-Vet 12.4.2171 04.21.2006 no virus found Ewido 3.5 04.21.2006 no virus found Fortinet 2.71.0.0 04.22.2006 suspicious F-Prot 3.16c 04.21.2006 no virus found Ikarus 0.2.59.0 04.21.2006 no virus found Kaspersky 4.0.2.24 04.22.2006 no virus found McAfee 4746 04.21.2006 no virus found NOD32v2 1.1501 04.21.2006 probably unknown NewHeur_PE virus Norman 5.90.16 04.21.2006 W32/Malware Panda 9.0.0.4 04.21.2006 Suspicious file Sophos 4.04.0 04.21.2006 no virus found Symantec 8.0 04.22.2006 no virus found TheHacker 5.9.7.132 04.21.2006 no virus found UNA 1.83 04.21.2006 no virus found VBA32 3.10.5 04.19.2006 no virus found Aditional Information File size: 144514 bytes MD5: d8ec5f57861104fba4ee2e3f12cfa5a8 SHA1: 94d2202fb50df5a8e00f5da50b8e0783ec144465 Norman SandBox: [ General information ] * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@xxxxxxxxx - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**. * File might be compressed. * Decompressing ASPack. * File length: 144514 bytes. [ Changes to filesystem ] * Creates file C:WINDOWSSYSTEM32wbemwmiadapt.exe. * Creates file C:WINDOWSSYSTEM32systhin.dll. [ Process/window information ] * Modifies other process memory. * Creates a remote thread.
