Trojan attacks via unpatched vulnerability in Word

Glendale (CA) - It took just three days for malware authors to release to exploit a critical security hole in Microsoft Office and Word. According to Panda Software Labs, 1Table.A arrives as seemingly harmless Word document, but unlocks a backdoor trojan that allows a hacker to run code on a victim's computer.

First discovered last Friday by Secunia, Microsoft has released very little information about the vulnerability affecting Office 2002/2003/XP as well as Word 2002/2003, but is already under pressure to release a fix, as hacker attacks are surfacing. According to Panda, the security is currently exploited by the dropper trojan "1Table.A," which is distributed via email to users.

1Table.A appears to be a perfectly normal Word document and cannot send itself automatically, and therefore needs the intervention of an unknowing users or users with malicious intent in order to be distributed, Panda said. The scope of the virus can still be significant, given the popularity of P2P file-sharing networks and simple downloads from web pages.

Once 1Table.A is activated by opening the Word or other office documents, it releases a backdoor Trojan called Gusi, according to Panda. Gusi creates a backdoor on the computer that allows a remote attacker to take "a series of actions." Panda did not say which "actions" are enabled by Gusi.

Microsoft tells users through its Security Response Center Blog that the company is "hard at work on an update." In an effort to provide basic protection for users, the firm said that its anti-malware teams are adding detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit the vulnerability. "We're also actively sharing that information with our Virus Information Alliance partners so that their detection can be up to date to detect and remove attacks," the blog states.

It is unclear at this time when Microsoft will be able to issue a patch for the vulnerability in Office and Word. The company claims that the attack is "very limited" as of now and appears to be happening via the subject lines of "Notice" and "RE Plan for final agreement." Also, Microsoft said that "the emails tend to arrive in groups, they often have fake domains that are similar to real domains of the targets, but the targets are valid email addresses."

However, as it is the case with most virus attacks, the user will have to open the message and document to activate the trojan. The most efficacy protection at this time is simply to update anti-virus software and to be careful which documents are being opened, especially those with unknown origins.