New, unusual targeted attack against MS Office in the wild

Symantec Corporation warns users about a new targeted attack against Office, potentially capable of exploiting an already patched vulnerability found in the most recent editions of the popular productivity suite published by Microsoft.

The trojan detected by the security company (Trojan.Activehijack) comes as an archive attached to a malicious (likely spam) e-mail, and is crafted to exploit one of the vulnerabilities described in the MS11-073 Security Bulletin published in September 2011. The affected software suites include MS Office 2003 (SP3), Office 2007 (SP2) and Office 2010.

The already patched flaw is exploited in a way that is unusual among targeted attacks, Symantec explains: while previously identified attacks come as a single document file containing the exploit, this new one arrives as a pair of files – a Word document and a .dll library file.

Once a user opens the infected document with an unprotected version of Word, an ActiveX control embedded in the document runs and calls the external library, which has the same name as the legitimate Microsoft Office FrontPage Client Utility Library (“fputlsat.dll”).

If the exploit is successful, the infected document drops the malware onto the system and deletes the fputlsat.dll library. In its place, Trojan.Activehijack creates a “Thumbs.db” file – a perfect disguise with the same name as the (normally “hidden”) file used by Windows XP to store thumbnails for image files contained in a folder.

Symantec recommends installing all available patches for productivity software and warns users against opening unwanted or unrequested attachments arriving in the mailbox – especially those contained in zipped archives and accompanied by a mysterious .dll file.
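The pairing Symantec describes (a Word document shipped in the same archive folder as a library file) can be checked for at a mail gateway. The following is an added example, not code from Symantec or from the article; the function names, the extension list and the severity labels are assumptions. It goes slightly beyond the article by also treating any file that starts with the `MZ` signature as a library, so a renamed DLL is still caught.

```python
import io
import posixpath
import zipfile

WORD_EXTS = {".doc", ".docx", ".docm", ".rtf"}  # assumed list of Word formats
# Library name reported in the article; any other library is flagged at lower severity.
KNOWN_LIBRARY_NAMES = {"fputlsat.dll"}


def scan_archive(data):
    """Return one finding per folder that holds both a Word document and a library."""
    docs, libs = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, base = posixpath.split(info.filename.replace("\\", "/"))
            ext = posixpath.splitext(base)[1].lower()
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # Windows EXE/DLL files start with 'MZ'
            if ext in WORD_EXTS:
                docs.setdefault(folder, []).append(base)
            elif ext == ".dll" or is_pe:  # trust content over the extension
                libs.setdefault(folder, []).append(base)
    findings = []
    for folder in sorted(docs.keys() & libs.keys()):
        known = any(name.lower() in KNOWN_LIBRARY_NAMES for name in libs[folder])
        findings.append({
            "folder": folder or ".",
            "documents": sorted(docs[folder]),
            "libraries": sorted(libs[folder]),
            "severity": "high" if known else "medium",
        })
    return findings


def build_sample(members):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bytes, not real documents or libraries.
PAIRED = build_sample({"report/summary.doc": b"\xd0\xcf\x11\xe0 constructed",
                       "report/fputlsat.dll": b"MZ constructed"})
RENAMED = build_sample({"notes/minutes.docx": b"PK constructed",
                        "notes/helper.dat": b"MZ constructed"})
DOC_ONLY = build_sample({"memo.doc": b"\xd0\xcf\x11\xe0 constructed"})
```

A password-protected archive makes `zf.open` raise `RuntimeError`; a gateway would quarantine such attachments rather than pass them unscanned.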


13 Comments


Symantec still trying to be legitimate after being made a fool of, how cute. They could at least notify users about exploits that haven't already been patched.

Is it even possible to send .EXEs anymore? I don't think so.

Last month I was sending a friend the setup of TeamViewer and had to zip it up, else it won't send.

Zain Adeel said,
Is it even possible to send .EXEs anymore? I don't think so.
Last month I was sending a friend the setup of TeamViewer and had to zip it up, else it won't send.

I'm sure there are other email services out there that offer someone to attach .exe files.

Zain Adeel said,
Is it even possible to send .EXEs anymore? I don't think so.

Last month I was sending a friend the setup of TeamViewer and had to zip it up, else it won't send.

You can send any type of file including exe by just adding an extension like app.exe.doc.

cralias said,
And those people who download DLL files from emails should be kicked in a well.

Try telling that to the people who get infected and yell "I hate this stupid computer.".

cralias said,
And those people who download DLL files from emails should be kicked in a well.

Agreed. I'm annoyed in this day and age that we still have to tell people not to open unrecognised attachments from anyone, especially damn executables.

Majesticmerc said,

Agreed. I'm annoyed in this day and age that we still have to tell people not to open unrecognised attachments from anyone, especially damn executables.

I get annoyed when I have to explain what a file extension is, how when a file has no icon and is sent to you and is called ****name of movie*** then don't spend the next 10 minutes trying your damn hardest to open it. The reason you can't open it is due to the security software installed on your computer, and all this effort to open some vague video file 'someone' sent you will only serve to bypass any protections you have in place which will lead you to call me and complain about the 'STUPID F**KING COMPUTER' once more...

Symantec Corporation warns users about a new targeted attack against Office, potentially capable of exploiting an already patched vulnerability found in the most recent editions of the popular productivity suite published by Microsoft.

and exploitation and an already patched vulnerability.... whoa that's scary

ChrisJ1968 said,
Symantec Corporation warns users about a new targeted attack against Office, potentially capable of exploiting an already patched vulnerability found in the most recent editions of the popular productivity suite published by Microsoft.

and exploitation and an already patched vulnerability.... whoa that's scary

I deal with loads of people who have never run Windows Updates, and automatic updates were turned off by "some IT guy". So yeah, there are LOADS of people vulnerable to this...

djdanster said,

I deal with loads of people who have never run Windows Updates, and automatic updates were turned off by "some IT guy". So yeah, there are LOADS of people vulnerable to this...

"Welcome to your first day at work! All of the software you'll use was contracted out to India and we don't see a reason to invest in keeping it robust, so we're going to give you completely unrestricted access to the Internet while locking you out of the ability to keep your workstation up to date because IT likes the word 'deploy' a little too much."