
 

Exploit:Win32/CVE-2010-3333


Microsoft security software detects and removes this threat.

Exploit:Win32/CVE-2010-3333 is a detection for specially-crafted RTF files that try to exploit a vulnerability in Microsoft Word. The vulnerability is discussed in CVE-2010-3333 and resolved with the release of Microsoft Security Bulletin MS10-087.

If you open a document using a version of Microsoft Word that's not updated to the latest secure version, malicious code within the file can run on your PC. We've seen this threat download and drop other malware.

In the wild, we've received samples masquerading as files related to the "Bilawar Bhutto Sex Scandal" and a "New Year's Greeting Card" (with both the file name and message written in Russian).



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

This threat exploits a vulnerability in Microsoft Word. After removing this threat, make sure that you also run Microsoft Update so that your PC is no longer affected by the vulnerability.

Threat behavior

Installation

You might get this threat on your PC as a Word document attached to a spammed email, or shared via social media.

One variant we observed being distributed in the wild in late December 2010 opens a non-malicious Word document (seen below) after running its malicious payload.

The message is in Russian and translates as:

Dear colleagues and friends!
Happy New Year!

Payload

Downloads and runs other malware

Some variants contain a payload to download and run other malware on your PC. One such variant connected to mywindowsupdate.net/****/svchost.exe and saved the targeted file to <system folder>\a.exe. This file is detected as Trojan:Win32/Turkojan.C.

Drops and installs other malware

Some variants contain a payload to drop and run other malware on your PC. One such variant dropped the file <system folder>\<system folder>\ mspmsnsr.dll\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90. This file is detected as TrojanDropper:Win32/Meciv.A.

In turn, this file drops another service DLL component to <system folder>\wucltul.dll. This file is detected as Backdoor:Win32/Meciv.A.

Analysis by Rodel Finones
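The payload behavior described above can be turned into a simple sweep over file-creation and web-request records. The following is an added example, not part of the original entry or of any Microsoft tool; the event format, function names, and the reading of "<system folder>" as System32 or SysWOW64 are assumptions, and matching subdomains of the download host goes slightly beyond the single URL the entry lists.

```python
import re
from urllib.parse import urlsplit

# Indicators and detection names as given on this page.
DROPPED_FILES = {
    "a.exe": "Trojan:Win32/Turkojan.C",
    "mspmsnsr.dll": "TrojanDropper:Win32/Meciv.A",
    "wucltul.dll": "Backdoor:Win32/Meciv.A",
}
DOWNLOAD_HOST = "mywindowsupdate.net"
# Assumption: "<system folder>" is System32 or SysWOW64 under the Windows directory.
SYSTEM_FILE = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\([^\\]+)$", re.I)

def match_file(path):
    """Return the detection name for a dropped file sitting directly in the
    system folder (compared case-insensitively), else None."""
    m = SYSTEM_FILE.match(path.strip())
    if not m:
        return None
    return DROPPED_FILES.get(m.group(1).lower())

def match_url(url):
    """True for a request to the download host (or a subdomain) ending in /svchost.exe."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    on_host = host == DOWNLOAD_HOST or host.endswith("." + DOWNLOAD_HOST)
    return on_host and parts.path.lower().endswith("/svchost.exe")

def sweep(events):
    """events: (kind, value) pairs, kind 'file' or 'url'. Returns (value, reason) hits."""
    hits = []
    for kind, value in events:
        if kind == "file" and match_file(value):
            hits.append((value, match_file(value)))
        elif kind == "url" and match_url(value):
            hits.append((value, "download URL for " + DROPPED_FILES["a.exe"]))
    return hits

# Constructed sample events; "placeholder" stands in for the path segment the page masks.
SAMPLE_EVENTS = [
    ("file", r"C:\Windows\System32\a.exe"),
    ("file", r"C:\WINDOWS\SysWOW64\WUCLTUL.DLL"),
    ("file", r"C:\Temp\analyst\a.exe"),
    ("url", "http://mywindowsupdate.net/placeholder/svchost.exe"),
    ("url", "http://notmywindowsupdate.net/placeholder/svchost.exe"),
]

if __name__ == "__main__":
    for value, reason in sweep(SAMPLE_EVENTS):
        print(f"{reason}: {value}")
```

A file named a.exe outside the system folder and a look-alike host that merely ends in the same string are both ignored, which keeps the sweep from flagging unrelated records.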


Symptoms

The following could indicate that you have this threat on your PC:

  • You might receive a Word document that looks like this:

Prevention


Alert level: Severe
First detected by definition: 1.95.2506.0
Latest detected by definition: 1.177.2208.0 and higher
First detected on: Dec 23, 2010
This entry was first published on: Dec 30, 2010
This entry was updated on: Feb 24, 2014

This threat is also detected as:
No known aliases