Blue Coat Labs

Labs Blog

Malicious Word Document Delivers a Boatload of Fail

Malicious Word Document Delivers a Boatload of Fail

Andrew Brandt

Yesterday, Microsoft put out a blog post about a newly-discovered security vulnerability affecting Microsoft Word 2010. The exploit, the author wrote, "takes advantage of an unspecified RTF parsing vulnerability combined with an ASLR bypass." And while that's important technical information, it doesn't really warn people who don't know what any of that means about what to look out for, and avoid. That's what I'm going to do.

Here's a screenshot of what an attack like the one detailed in the Microsoft post might look like. This is an example of a particular spam email; Both varieties I've seen are constructed in a similar way, with one version telling you that you've received an "eFax" and the other telling you that you've ordered an airline ticket from Air Canada. The scams are remarkably similar to ones that have been circulating for at least a year. As you can see, it delivers these "faxes" and "tickets" in two formats, with no explanation as to why you're receiving this bizarre email in the first place.

In both cases, the spam email provides the recipient with two download links so the victim can retrieve these important "documents." The hotlinks are disguised to look like the content is supposed to come from either the or Web site, but that's a fairly rudimentary HTML trick. Instead, victims download the files -- a link to a .zip archive which contains an executable, and a link to a .doc file -- from another Web address entirely.


The .doc file is what is most concerning. We retrieved a few samples of the email message but the sites hosting the malware all went silent almost instantaneously, so it was hard to obtain samples. Hard, but not impossible.

Here's one set of samples from the Air Canada spam. Note they look like normal .doc and .zip files.

The files were not, as has become commonplace, variants of the "Upatre" Updates Downloader malware, but something entirely different. Both files were significantly larger -- in the 440KB - 500KB size range, compared to Upatre, which is about a twentieth of the size.

Inside the .zip was an unusual executable filetype -- a .pif file. The .pif file's description text in its properties sheet is also suspect: it resembles words formed from random letter combinations.

The malware guys who ran this campaign took a very interesting, obviously serious, new vulnerability affecting Microsoft Word and, quite frankly, blew it for themselves in a number of important ways. That's good, because this could have been much more effective had they not screwed up as thoroughly as they did.

The first stumble was the malicious Word document (a maldoc?) using the wrong file extension. The reported vulnerability, like this document, affects Word 2010, but they named the file with .doc instead of .docx.

On my testbed, I've got a copy of Word 2003, and the .doc file, opened in that platform, looks like a bunch of gobbledegook and does nothing malicious at all. I manually renamed the file with the .docx extension it needed, and to get it to fire off on a system running Word 2003, I installed Microsoft's Office File Format Converter add-on. That did the trick. With the add-on in place, Word 2003 detonated the malware. So I guess that's another vulnerable platform for this malware to function on, but only if you really try hard to make it work.

Here's what Process Explorer saw:

The dropped payload spawned as a child process of wmiprvse.exe, a standard Windows operating system application. It appeared in the %appdata%\Microsoft\Windows folder, named spoolsv.exe, a name shared by the Print Spooler service application that's a standard part of Windows.

Unlike the vulnerability described by Microsoft, this maldoc merely downloaded an executable file from the same Web domain (, shown) hosting the maldoc and .pif files, themselves. The domain has subsequently been cleaned up since the traffic shown above was recorded last Wednesday.

Note the path that it used when it executed; It used a \..\ to navigate one level up from the %temp% directory. Quirky!

Next, that dropped payload itself spawned a child process: a Zbot installer. Zbot, how quaint. The ubiquitous password-stealer strikes again!

Except that the Zbot installation process is another place where the malware guys blew it, big time. If this had been a PC containing actually-valuable information instead of just a testbed, the criminals still would have gotten nothing of value, because the Zbot installation process actually killed the computer.

Apparently, this has been a problem for some time. I've been seeing this become more and more of a problem in the past several weeks: The most recent builds of Zbot install a driver (classified as Trojan-Necurs by some AV companies) that can (at random times) bluescreen the box. On several testbeds over the past month, we've seen this same malware driver, or a variant, cause the box to commit suicide the moment it becomes active, and because the driver sets itself up to run at startup, the box dies during the Windows bootup procedure.

In fact, the box crashes so hard and so fast during bootup, Windows doesn't have time to draw a blue screen of death with the error codes and memory dump information. Instead, it turns a peculiar shade of green and just stops responding, right in the middle of startup, with the little graphic of a moving row of lights stuck in place. Here's a photo of what one of these testbeds looked like when we tried rebooting it right after the malware installed itself. Marvel for yourself at the Olive Drab Screen of Death, an innovation brought to the world by the brain damaged authors of the Necurs malware driver.

For those without a handy drive image available that can restore the computer to a usable state in a few minutes, there's a quick fix for the crash caused by the Necurs malware driver: Reboot the machine into Safe Mode (hit F8 during POST), log in as someone with local Administrator privileges, and navigate to the \drivers folder inside the \system32 folder. Sort the files in that \drivers directory by Creation Date, and remove the 55-60KB .sys file created "today" with a seven- or eight-character long, random, alphanumeric name. You don't have to delete the .sys file, just drag it to the desktop and reboot the computer (and, if you're feeling helpful to the security community, upload the driver file to Virustotal, so the AV vendors will get a copy of it). At this point, you can't declare your computer clean, but at least it will boot up so you can deal with it.

If you search for the file's name in the Registry, you'll be able to find and delete the Registry entry created by the malware installer, but as long as the .sys file isn't where it is supposed to be, you should be able to reboot your box.

And of course, be wary of (and warn others about) these kinds of fake eFax or airline ticket download spam messages. Even though they've been around a while, these attacks are no less dangerous today than they were a year ago.

(Tip of the hat to Nirmal and Ashwin from the Norman Shark team, and Nathan from the WebPulse team for help with this post, and protecting our customers)