Follow:

 

Exploit:MacOS_X/MS09-027.A


Exploit:MacOS_X/MS09-027.A is a malicious Microsoft Word document that attempts to exploit a known vulnerability in Microsoft Office for Mac. The vulnerability was resolved with the release of Microsoft Security Bulletin MS09-027.

Exploit:MacOS_X/MS09-027.A drops other malware into your computer.



What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product.

Threat behavior

Exploit:MacOS_X/MS09-027.A is a malicious Microsoft Word document that attempts to exploit a known vulnerability in Microsoft Office for Mac. The vulnerability was resolved with the release of Microsoft Security Bulletin MS09-027.

Installation

When run, Exploit:MacOS_X/MS09-027.A drops the following files:

  • /tmp/launch-hse - installs other malware (see Payload section)
  • /tmp/file.doc - a clean Word document, which acts as a decoy to prevent you from suspecting that any malicious activity is going on
  • /tmp/launch-hs - a bash script that runs "launch-hse" and opens "file.doc"
Payload

Installs other malware

Exploit:MacOS_X/MS09-027.A has been observed to install the following malware:

Additional resources

A technical analysis of Exploit:MacOS_X/MS09-027.A is available in the MMPC blog post "An interesting case of Mac OSX malware".

Analysis by Methusela Cebrian Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • /tmp/launch-hse
    • /tmp/file.doc
    • /tmp/launch-hs
  • A Word document named "file.doc" automatically opens

Prevention


Alert level: Severe
First detected by definition: 1.123.708.0
Latest detected by definition: 1.123.708.0 and higher
First detected on: Mar 29, 2012
This entry was first published on: Mar 29, 2012
This entry was updated on: Jul 03, 2012

This threat is also detected as:
  • Exploit.MSWord.CVE-2009-0563.a (Kaspersky)
  • Exploit.CVE-2009-0563.Gen (VirusBuster)
  • EXP/CVE-2009-0563.A (Avira)
  • Exploit.CVE-2009-0563.Gen (BitDefender)
  • Exploit.MS09-027.1 (Dr.Web)
  • OSX/Exploit.MSWord.CVE-2009-0563.A trojan (ESET)
  • Exploit.MS04.CVE-2004-0210-2009-0563.A (Ikarus)
  • Exploit-MSWord.m (McAfee)
  • Troj/DocOSXDr-A (Sophos)
  • Trojan.Mdropper (Symantec)
  • TROJ_MDROPR.LB (Trend Micro)