Alert level

Exploit:MacOS_X/MS09-027.A

(?)

Encyclopedia entry
Updated: Jul 03, 2012  |  Published: Mar 29, 2012

Aliases
  • Exploit.MSWord.CVE-2009-0563.a (Kaspersky)
  • Exploit.CVE-2009-0563.Gen (VirusBuster)
  • EXP/CVE-2009-0563.A (Avira)
  • Exploit.CVE-2009-0563.Gen (BitDefender)
  • Exploit.MS09-027.1 (Dr.Web)
  • OSX/Exploit.MSWord.CVE-2009-0563.A trojan (ESET)
  • Exploit.MS04.CVE-2004-0210-2009-0563.A (Ikarus)
  • Exploit-MSWord.m (McAfee)
  • Troj/DocOSXDr-A (Sophos)
  • Trojan.Mdropper (Symantec)
  • TROJ_MDROPR.LB (Trend Micro)

Alert Level (?)
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.123.708.0
Released: Mar 29, 2012

 

Summary

Exploit:MacOS_X/MS09-027.A is a malicious Microsoft Word document that attempts to exploit a known vulnerability in Microsoft Office for Mac. The vulnerability was resolved with the release of Microsoft Security Bulletin MS09-027.

Exploit:MacOS_X/MS09-027.A drops other malware into your computer.


Top

 

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • /tmp/launch-hse
    • /tmp/file.doc
    • /tmp/launch-hs
  • A Word document named "file.doc" automatically opens

Top

 

Technical Information (Analysis)

Exploit:MacOS_X/MS09-027.A is a malicious Microsoft Word document that attempts to exploit a known vulnerability in Microsoft Office for Mac. The vulnerability was resolved with the release of Microsoft Security Bulletin MS09-027.

Installation

When run, Exploit:MacOS_X/MS09-027.A drops the following files:

  • /tmp/launch-hse - installs other malware (see Payload section)
  • /tmp/file.doc - a clean Word document, which acts as a decoy to prevent you from suspecting that any malicious activity is going on
  • /tmp/launch-hs - a bash script that runs "launch-hse" and opens "file.doc"
Payload

Installs other malware

Exploit:MacOS_X/MS09-027.A has been observed to install the following malware:

Additional resources

A technical analysis of Exploit:MacOS_X/MS09-027.A is available in the MMPC blog post "An interesting case of Mac OSX malware".

Analysis by Methusela Cebrian Ferrer


Top

 

Prevention

Take these steps to help prevent infection on your computer.


Top

 

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product.

Top

Provide feedback