Trojan - TROJ_MDROPPER.BU
Saturday, 09 September 2006
Malware type: Trojan
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low

Reported infections: Low
Damage potential: High
Distribution potential: Low

Malware Overview

This Trojan may arrive on a system as a file attached to a spammed email message, dropped by other malware, or downloaded by an unsuspecting user when visiting malicious Web sites.

When executed, this specially crafted .DOC file exploits the Windows Visual Basic vulnerability. For more information about this vulnerability, refer to the following Microsoft Web page:

Once it successfully exploits this vulnerability, this Trojan attempts to drop and execute a file detected by Trend Micro as BKDR_AGENT.EUC.

As a result, the routines of the dropped backdoor are exhibited on the affected machine.

Solution:


Note: Before proceeding with the succeeding solution sets, please close all instances of Microsoft Word.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_MDROPPER.BU and BKDR_AGENT.EUC. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patch

This malware exploits a known vulnerability in Windows. Download and install the patch supplied by Microsoft.

Refrain from using the affected software until the appropriate patch is installed. Trend Micro advises users to download critical patches upon release by vendors.

 

 