Watch the Exploit: A Targeted Attack Video 

Jan 31, 2007 03:00 AM

We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacks that involves any of the recent MS Word zero-day vulnerabilities. A targeted attack begins with an incoming email that has a .DOC file attached; a very common event that happens to almost everyone every day. The email sender looks legitimate (it's spoofed of course!) and the document name is selected to appeal to the recipient. For example, if the targeted user is an accountant, then the document would look like a tax certificate or an invoice. For members of governments, it could appear to be an important communication from a Minister. For finance brokers, a stocks analysis and so on...

Targeted attacks are not intended for the masses, so we're never going to see the usual "Very exciting greeting postcard.exe" attached to those emails. But the big question is: what happens when someone opens the malicious MS Word file? Usually, users don't see much happen and that is the point of these targeted attacks! Nevertheless, here is an interesting video of a machine being compromised by the latest unpatched zero-day vulnerability related to MS Word 2000 (CVE-2007-0515) and exploited by Trojan.Mdropper.W.

The vulnerability is exploited with no crash of MS Word, but within a few seconds the shellcode drops an executable and opens a clean legitimate document (with some real content) that deceives the user. The only thing that "smart" users can notice is a kind of "flickering" of MS Word. This is because the malicious code has to terminate and then re-execute the MS Word application with the new clean .DOC. This "flickering" happens very quickly and is more clearly demonstrated on the video mentioned above. To protect yourself, you should apply all the latest patches for Office and be extremely careful with documents received by email since there are now four unpatched vulnerabilities for MS Word!
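The "flicker" described above leaves a recognizable sequence in endpoint telemetry: Word writes an executable, exits, and is started again within seconds. The following detection sketch is an added example, not part of the original post; the event schema, field names, host names, file paths and the 10-second window are all assumptions made for illustration.

```python
# Added example: the event schema and all sample values are constructed.
WORD = "winword.exe"
RESTART_WINDOW = 10  # seconds; assumed bound on the quick "flicker"

def find_word_flicker(events, window=RESTART_WINDOW):
    """Alert when Word writes an .exe, exits, and restarts within `window`."""
    state, alerts = {}, []  # state: host -> {"drops": [(ts, path)], "exit": ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() != WORD:
            continue
        st = state.setdefault(ev["host"], {"drops": [], "exit": None})
        if ev["type"] == "file_create":
            if ev["path"].lower().endswith(".exe"):
                st["drops"].append((ev["ts"], ev["path"]))
        elif ev["type"] == "proc_exit":
            st["exit"] = ev["ts"]
        elif ev["type"] == "proc_start":
            recent = [p for t, p in st["drops"] if ev["ts"] - t <= window]
            if st["exit"] is not None and ev["ts"] - st["exit"] <= window and recent:
                alerts.append({"host": ev["host"], "restart_ts": ev["ts"],
                               "dropped": recent, "reopened": ev.get("doc")})
            st["drops"], st["exit"] = [], None  # new Word session starts clean
    return alerts

def _ev(ts, host, type_, **extra):
    """Build one constructed Word event (timestamps are plain seconds)."""
    return {"ts": ts, "host": host, "type": type_, "image": "WINWORD.EXE", **extra}

SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real incident
    # WS-01: executable written, Word exits, restarts at once on another document
    _ev(100, "WS-01", "proc_start", doc="invoice.doc"),
    _ev(102, "WS-01", "file_create", path=r"C:\Temp\placeholder-dropped.exe"),
    _ev(103, "WS-01", "proc_exit"),
    _ev(104, "WS-01", "proc_start", doc="clean.doc"),
    # WS-02: ordinary save, Word reopened much later
    _ev(200, "WS-02", "proc_start", doc="report.doc"),
    _ev(260, "WS-02", "file_create", path=r"C:\Docs\report.doc"),
    _ev(300, "WS-02", "proc_exit"),
    _ev(900, "WS-02", "proc_start", doc="report.doc"),
    # WS-03: quick restart, but nothing executable was written
    _ev(10, "WS-03", "proc_start", doc="notes.doc"),
    _ev(20, "WS-03", "proc_exit"),
    _ev(25, "WS-03", "proc_start", doc="notes.doc"),
]

if __name__ == "__main__":
    for alert in find_word_flicker(SAMPLE_EVENTS):
        print(alert)
```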
