MS Word Zero Day Exploit - its real but there's some misinformation out there...

I spend *far* too much time chasing after false positives in antivirus and antispyware applications, and too much time shouting down misinformation - do a search for the words "false positive" in this blog and you'll see what I mean.  (Note: please do NOT assume that just because Trend is highlighted so often in my blog that they are have more false positives than anybody else - they're don't - its just that I use it more than any other product.  In addition, I have developed an excellent working relationship with Trend over the years in the area of false positives and work closely with them to try and get such problems resolved as quickly as possible.  I find them to be very responsive.  Some members of the online community have come to realise that I can generally get quick action on Trend problems and therefore I am more likely to hear about Trend FPs than problems affecting other products.)

Ok, so now that I've made sure that Trend will still respect me in the morning ;o) let's have a look at the MS Word Zero Day exploit - it is real and has been given various names, including:

Backdoor.Ginwui and TrojanMdropper.H (Symantec)
BackDoor-CKB!cfaae1e6 (McAfee)

Y'know, I wish the antivirus companies would get their act into gear and start ensuring that there is some consistency when they give nasties names.

Now, so far I see no reason to panic.  The exploit that was reported and has some areas of the online community in a tizz seems to have been a limited, targeted attack - think low-level industrial espionage.  That's not to say that others, thanks to this publicity, won't try to do the same thing, but at the moment, incidents of use of the exploit are not running rampant.

Second, I'm seeing some potential misinformation about the symptoms of this infection - we'll lie blame at McAfee's door for this - the problematic knowledgebase article is here:
http://vil.mcafeesecurity.com/vil/content/v_139539.htm

The article states, in the "Symptoms" section:

"Presence of *one or more* of the following Windows Registry key(s):

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gui30svr
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\ {8ecc055d-047f-11d1-a537-0000f8753ed1}
  • HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\ legacy_gui30svr\0000\driver = "{8ECC055D-047F-11D1-A537-0000F8753ED1}\0024"

The problem lies with the reporting of the (highlighted) second registry key as evidence of infection. 

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\ {8ecc055d-047f-11d1-a537-0000f8753ed1} seems to be a standard registry key appearing on every XP Pro machine that I have examined so far.

Now, the first key, referencing gui30svr is suspicious.  The third key, referencing Enum\Root\legacy_gui30svr is also suspicious.

If you have the first key, or the third key, I would have a closer look at your machine.  If you only have the 2nd key (highlighted in red) I would not be worried.

Apparently the problem with the McAfee article has been reported to the powers that be and, hopefully, will be changed soon.  In the interim, PLEASE do not go into a panic and reformat your PC or delete that key on the McAfee article's say-so.

Cool - I'm almost famous - quoted on InfoWorld :o)
http://weblog.infoworld.com/securityadviser/archives/2006/05/zero_day_msword.html