CharlesF Posted May 9, 2015

And something more is that this file could have failed in a plain vanilla Win 98 but be active when KernelEx is installed...

Nomen Posted May 10, 2015

> And something more is that this file could have failed in a plain vanilla Win 98
> but be active when KernelEx is installed...

Um, I run Kex on all my win-98 systems. I think it's been discussed in this thread that Kex doesn't convey any of the various heap-spray and buffer-overrun vulnerabilities that NT has to win-98.

jaclaz Posted May 10, 2015

I wouldn't be so sure to attribute the success to Windows 98 alone, but rather to NOT opening that file with some version of MS Word.

The Wordpad ".doc converter" most likely strips off anything that is not text and its formatting. If you prefer, if you open that .doc file on a NT family OS with - say - OpenOffice, LibreOffice or Atlantis, very likely whatever is in them won't be triggered as well, as it is seemingly a WORD macro:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:W97M/Adnel#tab=2

It is entirely possible that even when opened by Word the macro won't run on 9x systems, but from what you report the macro has never been executed, it simply crashed the converter.

jaclaz

Nomen Posted May 11, 2015

When I open the .doc file in MS Word (that is part of Office 2000) I get this message window:

-------------------
Microsoft Visual Basic (in the title bar)

The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.
--------------------

And while that message is on-screen, this is what the Word window looks like:

submix8c Posted May 11, 2015

If that's an "unknown DOC" file (e.g. you don't know what it is and it shouldn't be trusted), you're asking for it, IMHO.
https://support.microsoft.com/en-us/kb/285514

The above link answers your question, but not what to do if you shouldn't have run that Macro in the first place.

Nomen Posted May 11, 2015

> The above link answers your question,

Well, technically the above link doesn't mention Word 2000. But the point is that for whatever reason (maybe it's the default setting?) I have Word macros set to "High" (only signed macros can run). With that document open in Word, if I go to Tools, Macros, Visual Basic Editor, that brings up MS Visual Basic project editor, where I see the name of the document in the left-hand project pane. If I try to do anything with it (like expand it, get the properties, etc) I am prompted to provide a Project Password.

I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

jaclaz Posted May 12, 2015

> I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

Well, I would rather attempt "cracking" the Macro password (if possible) and see what is in the actual macro. If it is a "simple", "default" password protection, the good ol' DPB= to DPx= hexedit/replacement:
http://stackoverflow.com/questions/272503/how-do-i-remove-the-password-from-a-vba-project
http://superuser.com/questions/807926/how-to-bypass-the-vba-project-password-from-excel
works for both Excel and Word VBA projects.

jaclaz

Nomen Posted May 14, 2015

I've edited the malicious .doc file in 3 places, rendering 3 internal keys as invalid. While opening the modified document, Word throws up a VB error message for each key, giving me the option to continue loading the project - to which I say yes. I can then open the project in the VB editor, and there are 3 code windows (one for the document, and two which are labeled as Module1 and Module2). I understand that starting with MS Word 2007, I wouldn't be able to view this code or possibly even open the document given the invalid keys.

If anyone wants to see the VB code, I can post them (or the modified document itself) wherever appropriate.
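
A static check that reports whether a suspicious .doc carries a VBA project and which modules it declares, without opening the file in Word; this is an added example, not code posted by anyone in the thread. It assumes the plain-text PROJECT stream layout from Microsoft's MS-OVBA specification (`Document=`, `Module=`, `CMG=`, `DPB=`, `GC=` lines); the name `triage_doc` and the `SAMPLE` bytes are constructed for illustration.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # OLE2 compound file signature
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")  # directory names are UTF-16LE
PROJECT_KEYS = ("CMG", "DPB", "GC")                # protection fields per MS-OVBA

def triage_doc(data: bytes) -> dict:
    """Heuristic raw-byte scan of a .doc; nothing in the file is executed.

    A PROJECT stream fragmented across sectors can hide lines from this scan,
    so a clean result is not proof that the file has no macros.
    """
    def names(kind: bytes) -> list:
        pattern = rb"^" + kind + rb"=([^\r\n/]+)"
        return [m.group(1).decode("latin-1") for m in re.finditer(pattern, data, re.M)]

    found = {m.group(1).decode() for m in re.finditer(rb'^(CMG|DPB|GC)="', data, re.M)}
    modules = names(b"Module")
    documents = names(b"Document")
    has_project = bool(modules or documents or found)
    return {
        "ole": data.startswith(OLE_MAGIC),
        "vba_storage": VBA_DIR_NAME in data,
        "document_modules": documents,
        "modules": modules,
        # A field renamed in a hex editor shows up here as missing.
        "missing_keys": [k for k in PROJECT_KEYS if k not in found] if has_project else [],
    }

# Constructed sample: signature, padding, a directory name and a PROJECT stream.
SAMPLE = (
    OLE_MAGIC + b"\x00" * 504
    + VBA_DIR_NAME + b"\x00" * 40
    + b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    + b"Document=ThisDocument/&H00000000\r\n"
    + b"Module=Module1\r\nModule=Module2\r\n"
    + b'Name="Project"\r\n'
    + b'CMG="0A0B"\r\nDPB="1C1D"\r\nGC="2E2F"\r\n'
)

if __name__ == "__main__":
    for field, value in triage_doc(SAMPLE).items():
        print(f"{field}: {value}")
```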