2006 September | MalwareTeks Blog

Archive for September, 2006

Java Runtime Environment (JRE) 5.0 Update 9 Released

Saturday, September 30th, 2006
Release Date: September 30, 2006
Microsoft Windows, Linux, and Solaris Operating Systems

The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Java SE Overview
Java Platform, Standard Edition (also known as Java 2 Platform) lets you develop and deploy Java applications on desktops and servers, as well as today’s demanding Embedded and Real-Time environments. Java SE includes classes that support the development of Java Web Services and provides the foundation for Java Platform, Enterprise Edition (Java EE).

There are two principal products in the Java SE family:
Java SE Development Kit (JDK) and Java SE Runtime Environment (JRE).
• The JRE provides the Java APIs, Java Virtual Machine (HotSpot VM), and other components necessary to run applets and applications written in the Java programming language. It can be redistributed with such applications.
• The JDK contains everything that is in the JRE, plus tools such as the compilers and debuggers necessary for developing applets and applications.

Confused about Java SE, J2SE, and 1.5.0? Read about Java Naming and Versioning
End-users download the Java Runtime Environment!

http://java.sun.com/javase/downloads/index.jsp

Release Notes

Note: Suggested Installation
- Download the ‘offline’ installer. Close all programs. Uninstall all current Sun Java versions (Control Panel » Add/Remove). Reboot.
- Install ‘Update 9’ and reboot again.
- Also search ‘Programs’ and ‘Application Data’ and remove old version files manually.

Microsoft PowerPoint Document Handling Client-Side Code Execution Vulnerability

Wednesday, September 27th, 2006

A vulnerability has been identified in Microsoft PowerPoint, which could be exploited by attackers to take complete control of an affected system. This flaw is due to a memory corruption error when handling a malformed presentation, which could be exploited by attackers to execute arbitrary commands by tricking a user into opening a specially crafted document.

Note: This zero-day vulnerability is currently being exploited in the wild by Trojan.Controlppt.W and Trojan.Controlppt.X (also known as PPDropper.F and Exploit-PPT.d).

Affected Products
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft PowerPoint 2003
Microsoft PowerPoint 2004 for Mac
Microsoft PowerPoint 2004 v. X for Mac

Solution
Use PowerPoint Viewer 2003 to open and view files:
http://www.microsoft.com/downloads/details.aspx?FamilyID=428d5727-43ab-4f24-90b7-a94784af71a4

Do not open or save Office documents received from untrusted sources.

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

Microsoft issues out-of-cycle Patch for VML Exploit

Wednesday, September 27th, 2006

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft Security Bulletin MS06-055
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

Email Phishing Scams Never Cease to Amaze Me

Monday, September 25th, 2006

Got this gem of an email the other day:

Mr. Chow York-wai, Joseph
THE BANK OF EAST ASIA,
DEAN STREET, OFF SHAFTBURY AVENUE,
LONDON, UNITED KINGDOM (UK).
DATE: 17/09/2006.
E-mail: EMAIL ADDRESS REMOVED FOR SECURITY REASONS

Good Morning,
I would not have used this medium (Internet) but I chose to reach you
through it because it is the fastest, surest and most secured medium of
communication. However, this correspondence is un-official and private,
and it should be treated as such. I also guarantee you that this
transaction is hitch free from all what you may think of.

I am Mr. Chow York-wai, Joseph of THE BANK OF EAST ASIA (London Branch) I
am contacting you based on Trust and confidentiality that will be
attached to this transaction. The Management and the Legal department of
our BANK (THE BANK OF EAST ASIA) in a recent meeting, recommended that
the account of MR. JAMES D.CLEERE, who was one of my branch depositor,
should be declared Dormant, confisticated and the depositor's fund sent to
the Bank Treasury according to UK Banking and financial law. He died in
world trade center as a victim of the September 11,2001.Incident that
befall the United State of America; the bank has made series of  efforts
to contact any of the relatives to claim this money but without success,
you can confirm
through  this site:

http://www.september11victims.com/september11Victims/victims_list.htm

MR. JAMES D.CLEERE is an account holder in my branch, he owns a dollar
account with the sum of US$58.2M (Fifty Eight Million, two Hundred
Thousand United States Dollars Only) deposited in a Secret account with my
branch .In fact, since his death, no next of kin of the Dollar account
holder  (the brother) nor any relative of him has shown up for the claim
this because he has the account as a secret account thus he left all the
documents for the deposit with me.

This is where I am interested and where I want you to come in. I want you
to come in as the relation of the deceased, I will give you the relevant
documents and contacts to file the application and then effect the
approvals for the transfer of the money, I will be the one to provide the
vital documents for the claims of the money and then advise you exactly
how we should handle it. Please
include your telephone/fax number/ Home Address when replying this mail
and I will give you more information as soon as you indicate your
willingness to assist in this transaction.

We will use our positions to get all internal documentations to back up
the claims. Do not be bothered that you are not related in any way to him
as I am in position to affix your name as the next of kin. The whole
Procedures will last only 7 working days to get the fund retrieved
successfully without trace even in future. After the transfer of the money
we shall share the money 60-40.that is I will have 60% while you will have
40%. Kindly respond promptly so that I can
advice you on the next step to follow.

PLEASE SEND YOUR RESPONSE TO MY PRIVATE EMAIL ADDRESS AT: (EMAIL ADDRESS REMOVED)

I will be waiting to hear from you.
Yours truly,
Mr. Chow York-wai, Joseph
THE BANK OF EAST ASIA
(London Branch)

The email header indicates that this email originated from saguntomail.com.

Whois information for saguntomail.com:

Domain Name: SEPTEMBER11VICTIMS.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: DNS1.INTERLAND.NET
Name Server: DNS2.INTERLAND.NET
Status: REGISTRAR-LOCK
Updated Date: 02-sep-2006
Creation Date: 11-sep-2001
Expiration Date: 11-sep-2007

>>> Last update of whois database: Mon, 25 Sep 2006 15:32:50 EDT <<<

Registrant:
Alex
Spektor, Alex
610 Valley Stream Circle
Langhorne, PA 19053
US
Email: a_spekt@hotmail.com

Registrar Name….: REGISTER.COM, INC.
Registrar Whois…: whois.register.com
Registrar Homepage: www.register.com

Domain Name: september11victims.com

Created on…………..: Tue, Sep 11, 2001
Expires on…………..: Tue, Sep 11, 2007
Record last updated on..: Sat, Sep 02, 2006

Administrative Contact:
Alex Spektor
Alex Spektor
610 Valley Stream Circle
Langhorne, PA 19053
US
Phone: 2157417133
Email: a_spekt@hotmail.com

Technical Contact:
Register.Com
Domain Registrar
575 8th Avenue 11th Floor
New York, NY 10018
US
Phone: 1-902-7492701
Email: domain-registrar@register.com

DNS Servers:

dns2.interland.net
dns1.interland.net

The Reply-To email address is a Yahoo India address.

This scam follows the pattern of similar email scams. A banking official needs help recovering funds from the secret account of some deceased individual. Since it is a secret account, no relatives are aware that the funds exist. Now he needs my help to recover the funds by acting as a relative of this long-dead person. Wow, Mr. Chow, you picked me from among the millions of people in the world to help you retrieve these funds, and of course I will be generously compensated for helping you. NOT. Mr. Chow, I’m not the least bit interested in helping you commit a crime.

These scams always work because they play upon a person’s greed. The catch is that they need your personal information and for you to cover any expenses. So you shell out several hundred, maybe even a couple thousand, to cover the fees involved. Why not, I stand to get several million in return. NOT.

People, stay clear of these scams and delete the email. DO NOT answer these.
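The two header checks described above (the originating domain from the Received header and a Reply-To pointing at a free webmail provider elsewhere) can be automated together with a few phrases typical of this genre. This is an added example, not code from the original post; the message below is a constructed stand-in with placeholder addresses, and only the originating domain and the Reply-To provider follow what the post reports.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: placeholder addresses and a shortened body.
# Only the originating domain and the Reply-To provider follow the post.
SAMPLE_MAIL = """\
Received: from mail.saguntomail.com (mail.saguntomail.com [192.0.2.10])
\tby mx.example.net with ESMTP; Sun, 17 Sep 2006 08:14:02 -0400
From: "Mr. Chow York-wai, Joseph" <chow.placeholder@saguntomail.com>
Reply-To: <chow.placeholder@yahoo.co.in>
To: recipient@example.net
Subject: Good Morning

I am Mr. Chow York-wai, Joseph of THE BANK OF EAST ASIA (London Branch).
He owns a dollar account with the sum of US$58.2M deposited in a Secret
account with my branch. I am in position to affix your name as the next
of kin. After the transfer we shall share the money 60-40.
"""

FREE_MAIL = ("yahoo.", "hotmail.", "gmail.")  # consumer webmail providers
BODY_PATTERNS = {  # phrases typical of the genre, matched case-insensitively
    "claims to speak for a bank": r"\bbank of\b",
    "mentions a secret or dormant account": r"\b(secret|dormant)\s+account\b",
    "asks you to pose as next of kin": r"\bnext\s+of\s+kin\b",
    "names a multi-million sum": r"US\$\s?\d+(\.\d+)?\s?M\b",
    "proposes a percentage split": r"\bshare\b.{0,40}?\b\d{2}-\d{2}\b",
}

def domain_of(header_value):
    """Lowercase domain of an address header ('' if the header is absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def origin_domain(msg):
    """Host named in the 'from' clause of the topmost Received header."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    return m.group(1).lower() if m else ""

def analyse(raw):
    """Return the extracted domains plus a list of matched indicators."""
    msg = message_from_string(raw)
    sender = domain_of(msg.get("From"))
    reply = domain_of(msg.get("Reply-To"))
    origin = origin_domain(msg)
    hits = []
    if reply and reply != sender:
        hits.append("Reply-To domain differs from From domain")
    if reply.startswith(FREE_MAIL):
        hits.append("Reply-To is a free webmail account")
    if origin and sender and not origin.endswith(sender):
        hits.append("Received origin does not match From domain")
    for label, pattern in BODY_PATTERNS.items():
        if re.search(pattern, msg.get_payload(), re.IGNORECASE | re.DOTALL):
            hits.append(label)
    return {"from": sender, "reply_to": reply, "origin": origin, "indicators": hits}

def is_suspicious(result, threshold=3):
    """Three or more indicators is enough to quarantine or delete the mail."""
    return len(result["indicators"]) >= threshold
```

Run `analyse(SAMPLE_MAIL)` to see the indicator list for the constructed message; a plain message with matching From and Reply-To and none of the phrases yields an empty list.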

We’ve made the latest edition of the LangaList Newsletter

Thursday, September 21st, 2006

It’s been a few months since I “Loaded the Code” on the front page of the website. There was a dramatic jump in user subscriptions early this morning.

Wondering about the sudden increase in subscribers, I went looking for a reason. Google Analytics can be a really useful tool. I spotted langalist.com [referral] in the Referring Sources report and decided to check today’s newsletter.

Today’s edition of The LangaList newsletter http://langa.com/newsletters/2006/2006-09-21.htm

Scroll down to 10) Code Load Success Story

You’ll see

PC technical forum re: malware
http://www.malwareteks.com/news.php

To “Load the Code” for your website

Do you have a home page or website? (It doesn’t matter what size.) Please click over to http://langa.com/code.htm , and maybe you can join the thousands of LangaList readers who have “Loaded the Code!” (If you’ve already “Loaded The Code” and are wondering if your site will appear here or on the Langa.Com web site, please see http://langa.com/link.txt )

Zero-Day exploit takes advantage of Internet Explorer VML vulnerability

Wednesday, September 20th, 2006

A new zero-day exploit is being used to infect systems. This particular exploit takes advantage of the VML vulnerability in Internet Explorer. Users become infected by visiting a porn website.

Details available from SunbeltBLOG:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

Other SunbeltBlog entries of interest:
http://sunbeltblog.blogspot.com/2006/09/vml-zero-day-exploit-roundup.html
http://sunbeltblog.blogspot.com/2006/09/more-on-zero-day-epic-loads-of-adware.html
http://sunbeltblog.blogspot.com/2006/09/microsoft-advisory-published-on-vml.html
http://sunbeltblog.blogspot.com/2006/09/using-group-policy-to-block-zero-day.html
http://sunbeltblog.blogspot.com/2006/09/minor-change-to-vml-exploit-mitigation.html
http://sunbeltblog.blogspot.com/2006/09/javascript-no-longer-valid-mitigation.html
http://sunbeltblog.blogspot.com/2006/09/snort-signature-for-vml-exploit-works.html

Unpatched flaw in Internet Explorer is cause for concern

Monday, September 18th, 2006

Security experts warn that an unpatched vulnerability in Internet Explorer may be used to spread malware. A critical flaw in Microsoft’s Direct Animation Path (daxctle.ocx) ActiveX control has spawned proof-of-concept code but has not yet become the subject of widespread attacks. This proof-of-concept code can execute on a fully patched Windows XP SP2 system.

Affected Products
Microsoft Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 (Itanium)
Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE
Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition

No patch is forthcoming, and one may not be available until next month’s Patch Tuesday update. Microsoft is investigating the vulnerability. In the meantime, restrict which sites you allow to run ActiveX controls, or disable ActiveX controls altogether. A workaround is available from the SANS Institute’s Internet Storm Center. A simpler solution, until Microsoft releases a patch, is to use an alternative browser, such as Firefox or Opera.

Mozilla Firefox 1.5.0.7 Released

Friday, September 15th, 2006

Firefox 1.5.0.7 is a security and stability update that is part of our ongoing program to provide a safe Internet experience for our customers.

Downloads: All Systems & Languages

Beware – Rogue Codecs on the loose

Sunday, September 10th, 2006

Security Forums are inundated on a daily basis with pleas for help from victims of the “Smitfraud” family of hijackers that use a ‘rogue’ codec to infect a system.

When you visit certain web sites with video content and attempt to view one of the videos, you are prompted to download a special codec. This ‘codec’ is actually the Zlob Trojan, which in turn warns you that your system is infected and prompts you to download and install a rogue anti-spyware application to remove the infection. This malware takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update often and make sure that you install and apply ALL critical updates. Additionally, ensure that you are running the latest ‘production’ release of Sun Microsystems Java, which is Java 5.0 Update 8 at the time of this writing.

Below are some of the Rogue Codecs in the ‘wild’:

  • Emcodec
  • emediacodec
  • imediacodec
  • intcodec
  • media-codec
  • mediacodec
  • Newvidscodec
  • nvidcodec
  • pcodec
  • svideocodec
  • v-codec
  • vidscodec
  • zcodec
  • zipcodec

Codec sites to avoid:
http://sunbeltblog.blogspot.com/2006/09/another-fake-codec-site.html
http://sunbeltblog.blogspot.com/2006/09/couple-of-more-fake-codec-sites.html
http://sunbeltblog.blogspot.com/2006/09/another-fake-codec-site_20.html
http://sunbeltblog.blogspot.com/2006/09/new-fake-codec-site-winmediacodec_22.html

Rogue codecs are a common method used to lure you into downloading and installing a file that infects your system. If you receive a pop-up stating that you need a special codec in order to view a video, be careful! It very well could be a ‘rogue’ codec that is actually the Zlob Trojan. New variants are released faster than the security forums receive new samples. Because it takes time for security researchers to detect these newer variants, it is important to remember that prevention is the key!

  • Know what you are downloading.
  • Be careful where you surf.
  • Do not openly trust attachments or links in e-mail and instant messages.
  • Be aware of “phishing” attempts: cleverly crafted e-mails that look like they came from an official source such as Microsoft, your bank, or some other official office.
  • Stay away from cracks and warez sites.
  • It is believed that more than half of the files on Peer-to-peer (P2P) file sharing networks are infected. Exercise caution when downloading files using P2P clients.
  • Always use a resident antivirus application.
  • Use a firewall.
  • Only download from trusted sites.

Updates:
12 September 2006 - Added link to SunbeltBLOG - Another fake codec site
13 September 2006 - Added link to SunbeltBLOG - Couple of more fake codec sites
20 September 2006 - Added link to SunbeltBLOG - Another fake codec site
24 September 2006 - Added link to SunbeltBLOG - New fake codec site - winmediacodec site

Gromozon Removal Tool released

Saturday, September 2nd, 2006

If you have been infected by the Gromozon Rootkit you can now get it removed. Download available from Prevx1.

“What is Gromozon and how did it manage to bypass my current security tools?

Unfortunately Gromozon is not a single infection, but a blended attack designed to bypass traditional anti-malware tools. The end result meaning that the machine is not only infected by several well known Trojans but also a highly dangerous Rootkit. Traditional AV vendors are at the moment dealing with the known infections but overlooking the rootkit.” - Prevx1 Gromozon Rootkit Removal Tool

It is highly recommended that once your machine has been cleaned of this infection, you read the article Protect Yourself From Malware: Tools And Tips, and adjust your practices, software, and settings as necessary.


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

All works are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.