Don’t Download That Attachment! Infected PowerPoint Files Found to Drop Backdoors

Before it was brought to public attention, most viruses were spread through email attachments. The messages usually contained some bogus information or fake promotions, which offered the recipient great rewards or prizes in return for downloading the attached file to fill out and send back to them. Unfortunately, the only people laughing once that happens are the scammers and virus spreaders.

What people are aware of is that opening unknown .EXE, .PDF, or .ZIP files could unleash a hailstorm of viruses onto their computers. Another file extension to add to that list is .ppt, which is a Microsoft PowerPoint presentation file.

Security researchers from Trend Micro have discovered that rogue PowerPoint files, which is has named TROJ_PPDROP.EVL, are currently in circulation. Once executed, the document exploits a Flash vulnerability to drop a backdoor on the infected user's computer.

Here's how the attack works: once the .PPT file is opened, a shell code within the embedded Flash file runs to exploit CVE-2011-0611 and creates a "Winword.tmp" file in the Temp folder. At the same time, it drops a clean "Powerpoint.pps" file so users won't suspect that anything shady is going down.

Based on our analysis, "Winword.tmp" is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware leaving infected systems susceptible to other, more menacing threats such as data stealing malware.

-- Cris Pantanilla, Threat Response Engineer at Trend Micro

So the next time you get an email with an attachment, don't download it. But if you need to, then scan it with your anti-virus program first. Aside from watching out for .EXE, .PDF, .ZIP, and .PPT files, also be on the lookout for email attachments ending in .DOC and .XLS.