The return of the Word macro virus

Well, here’s something I haven’t seen in a while: a Word macro virus.

An e-mail message appeared in my Junk Mail folder, purporting to be from someone in France who had been having some trouble transferring funds from one account to another and saw my e-mail address on a list of other addresses associated with the transaction, and blah blah blah. Typical scammer BS.

There was a Zip file (Transfer.zip) attached to the message, which contained a Word document. When I opened the document in Word 2007, I got this error:

That was followed by Enable Content and Trust Center buttons.

Of course, you should never run a macro in a Word document you don’t trust. Under the default settings for Word 2003 (macro security set to High) you couldn’t run this one even if you wanted to: unsigned macros are disabled silently, and only macros signed with a certificate from a publisher you have already trusted will run. Word 2007’s default is “Disable all macros with notification”, which is exactly what produced the prompt above: the code is blocked, and the Message Bar offers to enable it for this session. That is one click away from running, so it is not so much tighter than 2003 as more visible. The only documents whose macros run without asking are those stored in a Trusted Location, which is one more reason never to save a downloaded attachment into one.

Instead of enabling this macro (do I look crazy?), I opened the Visual Basic Editor and looked at its code:

Ah, it’s trying to create an executable file in the root directory of the system drive and then run it. Presumably that big block of gibberish in the center is designed to create a buffer overflow, as described in this SANS bulletin, and it’s probably a variation of the Kukudro Trojan, which arrives in this form.
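Reading the macro instead of running it is the right instinct, and it can be automated. The following Python is an added example, not code from the post: it inflates a VBA module’s source from the MS-OVBA compressed stream that Word stores inside the document’s VBA project (the same decompression that tools such as olevba perform), then scans the source for the combination the post describes: an auto-run entry point, a file opened for binary writing under Environ("SystemDrive"), a long hex-string blob, and a Shell call. The macro text, the hex blob (a bare PE DOS-header fragment, not a working executable) and the pack_literal_stream helper are constructed for this example; pack_literal_stream exists only to build a valid container from plain text, and the hand-encoded COPY_TOKEN_STREAM exercises the back-reference path that real streams use.

```python
"""Read a macro without enabling it: inflate the VBA module source stream
(MS-OVBA compression) and flag dropper behaviour.  Added example, not the post's code."""
import math
import re
import struct


def decompress_vba(container: bytes) -> bytes:
    """Inflate an MS-OVBA compressed container (spec section 2.4.1)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # bits 0-11: chunk size - 3
        if (header >> 12) & 0x07 != 0b011:          # bits 12-14: fixed signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        end = min(len(container), pos + chunk_size)
        pos += 2
        if not header >> 15:                        # bit 15 clear: 4096 raw bytes follow
            out.extend(container[pos:pos + 4096])
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < end:
            flags = container[pos]                  # one flag bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:          # 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # 1 = copy token
                pos += 2
                written = len(out) - chunk_start    # offset/length split depends on
                bit_count = max(math.ceil(math.log2(written)), 4)  # bytes emitted so far
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def pack_literal_stream(source: bytes) -> bytes:
    """Build a valid container from literal tokens only (test input; real streams use copies)."""
    out = bytearray([0x01])
    for start in range(0, len(source), 3640):       # 455 groups * 9 bytes fits the 12-bit size
        chunk, body = source[start:start + 3640], bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                       # flag byte: eight literals follow
            body.extend(chunk[i:i + 8])
        out.extend(struct.pack("<H", (len(body) + 2 - 3) | 0x3000 | 0x8000))
        out.extend(body)
    return bytes(out)


INDICATORS = {  # heuristics in the spirit of olevba's keyword scan
    "autoexec": r"\b(?:AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open)\b",
    "exec": r"\b(?:Shell|ShellExecute|WScript\.Shell|CreateObject)\b",
    "file_write": r"\bOpen\b.*\bFor\s+(?:Binary|Output|Append)\b|\bPut\s+#|\bCreateTextFile\b",
    "sys_path": r"Environ\s*\(\s*\"(?:SystemDrive|SystemRoot|TEMP|APPDATA)\"\s*\)",
}
HEX_BLOB = re.compile(r'"([0-9A-Fa-f]{64,})"')       # the "big block of gibberish"


def triage_macro(source: str) -> dict:
    """Map each indicator to the lines that triggered it; decode long hex blobs."""
    report, lines = {}, source.splitlines()
    for name, pattern in INDICATORS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hits = [ln.strip() for ln in lines if rx.search(ln)]
        if hits:
            report[name] = hits
    blobs = [bytes.fromhex(m.group(1)) for m in HEX_BLOB.finditer(source)]
    if blobs:   # an embedded PE image starts with the DOS "MZ" signature
        report["hex_blobs"] = [{"bytes": len(b), "is_pe": b[:2] == b"MZ"} for b in blobs]
    return report


# Constructed stand-in for the macro in the post (not the real sample): writes an
# .exe to the root of the system drive and runs it.  The hex string is only the
# first 32 bytes of a PE DOS header, so nothing here is executable.
SAMPLE_SOURCE = (
    'Sub AutoOpen()\r\n'
    '    h = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000"\r\n'
    '    p = Environ("SystemDrive") & "\\update.exe"\r\n'
    '    Open p For Binary As #1\r\n'
    '    For i = 1 To Len(h) Step 2\r\n'
    '        Put #1, , CByte("&H" & Mid(h, i, 2))\r\n'
    '    Next i\r\n'
    '    Close #1\r\n'
    '    Shell p, vbHide\r\n'
    'End Sub\r\n'
).encode("latin-1")

# Hand-encoded container: literals a, b, c, then "copy 6 bytes from 3 back" -> b"abcabcabc".
COPY_TOKEN_STREAM = bytes.fromhex("01 05B0 08 616263 0320")

if __name__ == "__main__":
    print(triage_macro(decompress_vba(pack_literal_stream(SAMPLE_SOURCE)).decode("latin-1")))
```

Pulling the compressed stream out of the .doc itself (the VBA storage inside the OLE compound file, with module offsets taken from its dir stream) is the step this example skips; olefile and oletools handle that, and olevba’s decoded output is the same kind of triage. Treat the hits as indicators rather than a verdict: Shell and Environ appear in legitimate macros too, and a dropper can split its hex blob or assemble strings with Chr() to slip past a simple regex.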

Moral? Don’t open attachments sent to you by strangers. In fact, even if it appears to be from someone you know, don’t open it unless you were expecting it and you are confident it is what it appears to be.