Microsoft Office Zero-day CVE-2017-0199 threat information

    • Updated: 27 Sep 2017
    • Product/Version: Deep Discovery Inspector 3.8; Deep Security 10.1
    • Platform: N/A
Summary

CVE-2017-0199 is a zero-day remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office. The flaw is currently being exploited by the notorious DRIDEX banking trojan.

Details

The information below can help in preventing this zero-day threat.

The table below shows the files dropped when a machine has been affected by CVE-2017-0199:

File Name    | Source                              | SHA256                                   | Detection Name / Status
template.doc | -                                   | 11a183f9b8b834b6c959402cb83af59aa38d50d7 | TROJ_ARTIEF.JEJOTQ
7500.exe     | hxxp://btt5sxcx90.com/7500.exe      | 5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b | TSPY_DRIDEX.SLP
sample.doc   | hxxp://btt5sxcx90.com/sample.doc    | d298e996d094640c87618d15c44b57d8391a357  | non-malicious word document
template.doc | -                                   | dd1328da51b4cc4db1bb0bc65523e46cdf759a4a | TROJ_ARTIEF.JEJOTQ
last.exe     | hxxp://95.46.99.199/last.exe        | -                                        | already inaccessible
q.doc        | hxxp://95.46.99.199/q.doc           | -                                        | already inaccessible

File Layer

The table below lists the VSAPI (Trend Micro scan engine) detection names for the known samples:

SHA256                                                           | Detection Name
13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575 | TROJ_CVE20170199.A
3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5 | TROJ_CVE20170199.A
b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66 | TROJ_CVE20170199.B/C
d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055 | TROJ_CVE20170199.B/C
b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1 | TROJ_CVE20170199.B/C
4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd | TROJ_CVE20170199.A
b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd | TROJ_CVE20170199.B/C

Network Layer

The table below shows the products that can stop the threat at the network layer:

Product                  | Details
WRS Blocking             | Known related C&C has been blocked
Deep Security            | Security Update 17-015 – Includes coverage for CVE-2017-0199 and some specific protection for MS Word in addition to some other non-related vulnerabilities
Deep Discovery Inspector | Rule 18 - DNS response of a queried malware Command and Control domain
TippingPoint             | Filter 27726 – HTTP: Microsoft Word RTF objautlink Memory Corruption Vulnerability
                         | Filter 27841 – HTTP: RTF File Implementing objautlink and URL Monikers
                         | Filter 27842 – HTTP: Suspicious Obfuscated Powershell Execution
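The file-layer and network-layer indicators above can also be matched by hand against DNS, proxy and endpoint logs when a product listed here is not in place. The script below is an added example, not Trend Micro's code or part of this article: it copies the hashes, the download host btt5sxcx90.com and the IP 95.46.99.199 from the tables above, refangs the hxxp:// notation, and scans a few constructed key=value log lines (the log format is an assumption, not any product's schema). One caveat it encodes: the values in the dropped-files table are 40 hex characters (SHA-1 length) although that column is headed SHA256, so they are kept in a separate set and matched as published.

```python
"""Match the CVE-2017-0199 / DRIDEX indicators from this article against log lines.

Added example. Indicators are copied from the tables above; the log lines are
constructed for the example and the key=value format is an assumption.
"""
import re
from urllib.parse import urlparse

# Hashes from the dropped-files table. They are 40 hex characters (SHA-1 length)
# even though that column is headed SHA256, so they live in their own set and are
# matched exactly as published, without assuming which algorithm produced them.
DROPPED_FILE_HASHES = {
    "11a183f9b8b834b6c959402cb83af59aa38d50d7": "TROJ_ARTIEF.JEJOTQ",
    "5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b": "TSPY_DRIDEX.SLP",
    "dd1328da51b4cc4db1bb0bc65523e46cdf759a4a": "TROJ_ARTIEF.JEJOTQ",
}

# SHA-256 values and detection names from the VSAPI table.
VSAPI_SHA256 = {
    "13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575": "TROJ_CVE20170199.A",
    "3c0a93d05b3d0a9564df63ed6178d54d467263ad6e3a76a9083a43a7e4a9cca5": "TROJ_CVE20170199.A",
    "b3b3cac20d93f097b20731511a3adec923f5e806e1987c5713d840e335e55b66": "TROJ_CVE20170199.B/C",
    "d3cba5dcdd6eca4ab2507c2fc1f1f524205d15fd06230163beac3154785c4055": "TROJ_CVE20170199.B/C",
    "b9147ca1380a5e4adcb835c256a9b05dfe44a3ff3d5950bc1822ce8961a191a1": "TROJ_CVE20170199.B/C",
    "4453739d7b524d17e4542c8ecfce65d1104b442b1be734ae665ad6d2215662fd": "TROJ_CVE20170199.A",
    "b9b92307d9fffff9f63c76541c9f2b7447731a289d34b58d762d4e28cb571fbd": "TROJ_CVE20170199.B/C",
}

# Network-layer indicators: the download host and IP from the dropped-files table.
C2_HOSTS = {"btt5sxcx90.com", "95.46.99.199"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def refang(url: str) -> str:
    """Turn the defanged hxxp:// notation used on this page back into a parseable URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_kv(line: str) -> dict:
    """Parse a key=value log line into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_of(value: str) -> str:
    """Return the host part of a URL, or a bare hostname/IP normalised to lower case."""
    if "://" in value:
        return (urlparse(refang(value)).hostname or "").lower()
    return value.lower().rstrip(".")


def match_line(line: str) -> list:
    """Return indicator hits for one log line as 'layer:indicator:name' strings."""
    fields = parse_kv(line)
    hits = []
    # Network layer: URLs, DNS queries and destination hosts against the C&C set.
    for key in ("url", "query", "dst"):
        if key in fields and host_of(fields[key]) in C2_HOSTS:
            hits.append(f"network:{host_of(fields[key])}:C&C")
    # File layer: any hash field against both hash tables.
    for key in ("sha256", "sha1", "hash"):
        value = fields.get(key, "").lower()
        if value in VSAPI_SHA256:
            hits.append(f"file:{value}:{VSAPI_SHA256[value]}")
        elif value in DROPPED_FILE_HASHES:
            hits.append(f"file:{value}:{DROPPED_FILE_HASHES[value]}")
    return hits


def scan(lines) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    # DNS resolver log: a workstation resolving the download host.
    "2017-04-11T10:02:10Z type=dns src=10.0.0.5 query=btt5sxcx90.com",
    # Proxy log: the second-stage download listed in the dropped-files table.
    "2017-04-11T10:02:13Z type=proxy src=10.0.0.5 url=http://btt5sxcx90.com/7500.exe "
    "sha1=5e9c76ef1c8c09d9c60ed61ce7998a16afef7c7b",
    # Endpoint file event carrying a hash from the VSAPI table.
    '2017-04-11T10:05:40Z type=file endpoint=ws05 path="C:\\Users\\a\\Downloads\\invoice.doc" '
    "sha256=13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575",
    # Benign traffic that must not produce a hit.
    "2017-04-11T10:06:00Z type=proxy src=10.0.0.7 url=https://www.example.com/ "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG).items():
        print(f"line {index}: {', '.join(hits)}")
```

Exact-match lookups like these only catch the samples already known at the time of writing; the VSAPI detection names and the TippingPoint and Deep Discovery rules in the tables cover the exploit pattern itself, which is why both layers are listed.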
Category: Remove a Malware / Virus
Solution Id: 1118401