Doctor Web examines new exploit for Microsoft Office
April 20, 2017
This vulnerability has been detected in Microsoft Word. Cybercriminals have developed an active exploit for this application, and it has been added to the Dr.Web virus database as Exploit.Ole2link.1. The exploit uses XML technology, whereas previously cybercriminals used OLE objects to exploit Microsoft Office.
This exploit is implemented as a Microsoft Word document with the DOCX extension. Once this document is opened, another file called doc.doc is loaded. It contains an embedded HTA script, detected by Dr.Web as PowerShell.DownLoader.72. This HTA script, written using Windows Script syntax, calls the PowerShell command interpreter. PowerShell then processes another malicious script that downloads an executable file to the attacked computer.
Currently, cybercriminals use this mechanism to install Trojan.DownLoader24.49614 on the computers of their victims. This Trojan downloads and runs other malicious software on infected machines.
Dr.Web successfully detects and removes files containing Exploit.Ole2link.1, and, therefore, it poses no threat to our users.
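For triage, the step in which the DOCX loads a second file can be checked statically. The following is an added example, not Doctor Web's detection logic: it lists relationships in a DOCX package that point outside the file and flags those typed as OLE objects. It assumes the reference to doc.doc is stored as an external relationship in the package's `.rels` parts, which the article does not state; the function names, sample package and `example.invalid` URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input, prefer the defusedxml package

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """List (part, type, target) for every relationship marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(pkg.read(part)).iter(REL_TAG):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((part, rel.get("Type", ""), rel.get("Target", "")))
    return found

def external_ole_links(docx_bytes):
    """Keep only external relationships typed as OLE objects (linked documents)."""
    return [r for r in external_relationships(docx_bytes)
            if r[1] == OFFICE_REL + "oleObject"]

def build_sample(with_ole_link):
    """Constructed test package: only the .rels part matters to the scanner."""
    rels = ['<Relationship Id="rId1" Type="%shyperlink" '
            'Target="https://example.invalid/" TargetMode="External"/>' % OFFICE_REL]
    if with_ole_link:
        rels.append('<Relationship Id="rId2" Type="%soleObject" '
                    'Target="http://example.invalid/doc.doc" TargetMode="External"/>'
                    % OFFICE_REL)
    xml = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
           + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for label, flag in (("clean", False), ("linked", True)):
        for part, _type, target in external_ole_links(build_sample(flag)):
            print(label, part, "->", target)
```

An external hyperlink alone is common in legitimate documents; an external OLE object link in a document received by e-mail is the case worth escalating.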