New Zero-Day Exploit Targets Microsoft Word
Symantec Security Response is advising users to take extra precautions opening e-mail messages with Microsoft Word document attachments.
On May 19, 2006, Symantec Security Response discovered a new zero-day vulnerability in Microsoft Word 2003, together with an exploit that is being used to carry out targeted attacks. Successful exploitation allows the attacker to drop a backdoor Trojan, named Backdoor.Ginwui, onto the victim's machine. This Trojan has been observed sending information over HTTP to a specific IP address; the attacker can also use the Trojan to gain control of the affected machine and carry out additional attacks.
Current activity appears to target enterprise customers; however, we will continue to monitor the situation with respect to our consumer base.
Symantec Security Response has analyzed the threat and has provided protection for it via LiveUpdate and Intelligent Updater. The Microsoft Word 2003 document used to deliver the attack is detected as Trojan.Mdropper.H, while the malware that it drops onto the victim machine is detected as Backdoor.Ginwui.
The malicious document could also be delivered to a victim by a hostile website, instant message, or file-sharing, though this has not been observed thus far.
Protect Yourself
To reduce the possibility of being affected by this new exploit and the associated malware, Symantec Security Response advises users to do the following:
- Never open files contained in email messages sent by those you don't know and trust. Note that sender addresses can be forged, so an unexpected attachment that appears to come from a known sender also deserves caution.
- Be extra careful when opening any Microsoft Word documents, whether you receive them as an email attachment or through another means such as a website or instant message.
- Use a comprehensive Internet security solution such as Symantec Client Security to protect against today's known and tomorrow's unknown threats.
If you own Symantec Products:
If you own Symantec Client Security or Symantec AntiVirus, LiveUpdate will automatically install the latest virus definitions. (Virus definitions can also be updated manually using Intelligent Updater.)
To remove Backdoor.Ginwui from the registry:
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
a. Click Start > Run.
b. Type regedit
c. Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
d. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
e. In the right pane, delete the value:
"AppInit_DLLs" = "%System%\Winguis.dll"
Note: %System% refers to the Windows System folder (by default C:\Windows\System32 on Windows XP, or C:\Winnt\System32 on Windows NT/2000). The DLLs listed in AppInit_DLLs are loaded into every process that loads user32.dll, so if the value also lists other DLLs besides Winguis.dll, remove only the Winguis.dll entry and leave the rest of the value intact.
f. Exit the Registry Editor.
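The same removal, scripted so that it can be run across many machines and so that it preserves any other entries in AppInit_DLLs. This is an added example and not part of the Symantec advisory or any Symantec tool; the registry path and value name come from the advisory, while the backup file location and the script variable names are assumptions.

```powershell
# Added example (not from the advisory): back up the key, then strip the
# Winguis.dll entry out of AppInit_DLLs while keeping any other DLLs listed.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$RegKey    = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ValueName = 'AppInit_DLLs'
$Target    = 'winguis.dll'                                   # file name from the advisory
$Backup    = Join-Path $env:TEMP 'AppInit_DLLs_backup.reg'   # assumed backup location

# Step 1: export the subkey before changing anything (the advisory's backup advice).
& reg.exe export $RegKey $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup to $Backup failed; aborting." }

# Step 2: read the current value. AppInit_DLLs is a REG_SZ whose entries are
# separated by spaces or commas; an empty or absent value injects nothing.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ([string]::IsNullOrWhiteSpace($current)) {
    Write-Host 'AppInit_DLLs is empty or absent; nothing to do.'
    return
}

# Split into individual DLL paths and drop every entry whose file name is
# Winguis.dll (string comparison is case-insensitive in PowerShell).
$entries = @($current -split '[ ,]+' | Where-Object { $_ -ne '' })
$keep    = @($entries | Where-Object { (Split-Path $_ -Leaf) -ne $Target })

if ($keep.Count -eq $entries.Count) {
    Write-Host "No $Target entry found in AppInit_DLLs (current value: $current)"
    return
}

# Step 3: if Winguis.dll was the only entry, delete the value as the advisory
# instructs; otherwise write back the remaining entries so legitimate DLLs
# that were already listed continue to load.
if ($keep.Count -eq 0) {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Write-Host "Removed AppInit_DLLs (its only entry was ${Target})."
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value ($keep -join ' ')
    Write-Host "Rewrote AppInit_DLLs without ${Target}: $($keep -join ' ')"
}
```

Run it from an elevated PowerShell session, since HKEY_LOCAL_MACHINE is not writable by a standard user. Removing the registry entry only stops the DLL from being injected into processes started afterwards; processes that already loaded Winguis.dll keep it in memory until they are restarted, and the file itself remains on disk until the antivirus definitions or a manual cleanup remove it.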
We will closely monitor further information related to this vulnerability, and will provide updates and security content as necessary.