Just 24 hours after Microsoft shipped a patch for a critical vulnerability affecting Microsoft Word, researchers at Symantec say they have intercepted a malicious Word .doc rigged with a backdoor Trojan.
The malicious document exploits the workspace memory corruption remote code execution flaw patched in MS07-060 and signals a renewed push by malware authors to release exploits immediately after Patch Tuesday.
Symantec researcher Orla Cox noted that exploitation of these types of vulnerabilities is very targeted -- aimed at specific companies -- and limited in nature.
In the Patch Tuesday bulletin, Microsoft confirmed that the flaw was being exploited in the wild.
In this instance, the rigged file is named "hope see again.doc" and arrives via e-mail. When the document is opened on an unpatched machine, the exploit drops a Trojan that uses rootkit techniques to avoid detection. The Trojan may also disable security software and programs.
To avoid suspicion, it also creates and opens a clean Word .doc written in Chinese with the same file name.
Symantec warns that the end result is a backdoor on the compromised computer that connects to a Chinese Web site on TCP port 80.