TROJ_CVE20170199.C

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Exploit arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This Exploit connects to the following website(s) to download and execute a malicious file:

• http://{BLOCKED}cx90.com/7500.exe
• http://{BLOCKED}cx90.com/sample.doc

It takes advantage of the following software vulnerabilities to download possibly malicious files:

• CVE-2017-0199

It saves the files it downloads using the following names:

• %Application Data%\Microsoft\Windows\StartMenu\Programs\Startup\winword.exe ← TSPY_DRIDEX.SLP
• %User Temp%\document.doc ← normal document file

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, and 8.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

Other Details

This Exploit does the following:

• Executes the following command to open the document file: cmd.exe /c start /MAX winword /q “%User Temp%\document.doc”

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)