1. The crafted document is opened by a Word process.
2. Exploiting the vulnerability triggers the shellcode in the OLE file.
3. The shellcode installs the Trojan(s) on the victim’s machine. Typically, the Trojan is installed in the following path:
4. The shellcode starts a new Word process and opens, as bait, an innocent document file embedded in the crafted document. Typically the bait file is dropped at:
5. The shellcode terminates the Word process that opened the crafted document.

Because of steps 4 and 5, users will see Word quit and then immediately relaunch with the bait file. If you see this symptom, check with your system administrator.

These crafted documents typically arrive as email attachments. Users should always exercise caution when opening unsolicited emails. We also strongly recommend installing the latest fix, from April’s Patch Tuesday. (Refer to the Microsoft Bulletin for more information: http://technet.microsoft.com/en-us/security/bulletin/ms12-027)

McAfee detects these malicious document files as:
- Exploit-CVE2012-0158: Detection for MS Office files such as MS Word and MS Excel
- Exploit-CVE2012-0158!rtf: RTF files containing vulnerable OLE containers
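
The symptom from steps 4 and 5 (Word starts a second Word process, then the first one exits) can also be hunted in process start/stop telemetry. The following is an added example, not part of the original article; the event field names, PIDs, paths and the 10-second window are constructed assumptions.

```python
import ntpath
from datetime import datetime

WORD = "winword.exe"

# Constructed process telemetry (not from the article). Field names are
# assumptions; map them to your EDR or Sysmon process start/stop events.
SAMPLE_EVENTS = [
    {"ts": "2012-04-20T09:15:02", "type": "start", "pid": 3120, "ppid": 1800,
     "image": r"C:\Office\WINWORD.EXE"},
    {"ts": "2012-04-20T09:15:05", "type": "start", "pid": 3344, "ppid": 3120,
     "image": r"C:\Office\WINWORD.EXE"},
    {"ts": "2012-04-20T09:15:06", "type": "stop", "pid": 3120},
    # Benign: a Word session started from the shell and closed later.
    {"ts": "2012-04-20T10:00:00", "type": "start", "pid": 4000, "ppid": 1800,
     "image": r"C:\Office\WINWORD.EXE"},
    {"ts": "2012-04-20T10:30:00", "type": "stop", "pid": 4000},
]


def find_word_relaunches(events, window_seconds=10):
    """Return (parent_pid, child_pid) pairs where Word started a second Word
    process and the first one exited within window_seconds of that start."""
    live_word = set()   # PIDs of running Word processes
    pending = {}        # parent PID -> (child PID, child start time)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "start":
            if ntpath.basename(ev["image"]).lower() != WORD:
                continue
            if ev["ppid"] in live_word:
                pending[ev["ppid"]] = (ev["pid"], ts)
            live_word.add(ev["pid"])
        elif ev["type"] == "stop":
            live_word.discard(ev["pid"])
            child = pending.pop(ev["pid"], None)
            if child and (ts - child[1]).total_seconds() <= window_seconds:
                findings.append((ev["pid"], child[0]))
    return findings


if __name__ == "__main__":
    for parent, child in find_word_relaunches(SAMPLE_EVENTS):
        print(f"Word PID {parent} exited right after launching Word PID {child}")
```

A hit is a lead for triage, not a verdict: follow up by checking what the first Word process wrote to disk before it exited.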