PP2007 vulnerable to Bloodhound.Exploit.84


Hello Stephen,

| I was working in PowerPoint, and saved in compatibility mode to .ppt. Norton
| antivirus immediately pops up telling me I have that virus in the .tmp file
| and in the .ppt.
| However, when saving as .pptx, it does not infect it.
| http://www.symantec.com/security_response/writeup.jsp?docid=2006-100614-2416-99&tabid=1
|

In order for internal Microsoft testing to attempt to reproduce the symptom
that you are observing, could you please provide some additional details
about your configuration and scenario.

1) What is the name/version of the Symantec product that you are using?

2) Are any other antivirus products installed on your system?

3) Does this occur if you create a new presentation (*.pptx) in PowerPoint
2007 and save it as a PowerPoint 97-2003 (*.ppt) file?

4) Does this problem occur when saving to legacy file formats (*.doc, or
*.xls) while in compatibility mode from either Word 2007 or Excel 2007?

5) Does the original *.ppt file you were working on contain any macros?

6) Does the problem occur if you first "Convert" your *.ppt presentation
file (to a *.pptx) and then save the resulting presentation as a PowerPoint
97-2003 (*.ppt) file?

7) If the answer to #6 is "Yes", does it happen if you remove all but 1
slide from your *.pptx presentation file and then save it as a PowerPoint
97-2003 (*.ppt) file?

8) If the answer to #7 is "Yes", could you please attach the 1 slide *.pptx
file to your reply to this post so that I can have our testers look at your
scenario with the smallest possible presentation file which exhibits this
behavior.

Thanks,

John Langhans [MSFT]
Supportability Program Manager - PowerPoint, Drawing & Graphics
 
I was working in PowerPoint, and saved in compatibility mode to .ppt. Norton
antivirus immediately pops up telling me I have that virus in the .tmp file
and in the .ppt.
However, when saving as .pptx, it does not infect it.
http://www.symantec.com/security_response/writeup.jsp?docid=2006-100614-2416-99&tabid=1

Apparently, this is what I should be applying to fix it:
http://www.microsoft.com/technet/security/Bulletin/MS06-062.mspx
I don't see a 2007 there, so what do I do?

This info has been sent up the line to MS; here's hoping for a prompt answer.
Meanwhile, if you follow the link you posted, you'll see that Symantec is asking for
samples of files that trigger this warning. Please do send an example on to them.

While it's never a good idea to dismiss a security warning like this too blithely,
consider a couple of things:

- Symantec hasn't released a version of Norton AV that's compatible with Office 2007
(which hasn't been released itself).

- This is a file that's just been created, by you. It's not likely that either you
or MS would deliberately craft a malformed PPT file for the purpose of taking over
your computer. You already control your computer and you've installed lots of MS
software on it, so they pretty much have free rein. No need to resort to viruses.
;-)

Between those two things, and the fact that Symantec reports only a few occurrences
of this particular virus in the wild, I'd be tempted to ignore the warning. But then
I'd be running beta software on a "disposable" system, kind of a "What, me worry?"
machine.

If you're worried about it, and who wouldn't be?, I'd avoid saving files as PPT 2003
until you get a better answer from either Symantec or MS.
 
Get ready for some reading, I'm telling the whole story.
1) The name of the Symantec product I am using is Norton SystemWorks 2006
Premier, with latest virus definitions.

2) I have no other antivirus products installed, but I do have antispyware
products installed.

3) I'm unsure about this, so here's the whole story, I'll let you decide:
The virus was detected while working on the PowerPoint, and so I could still
move things around. I attempted saving it again, but it also became infected
in the file. I did not try with .pptx. I opened another copy of PowerPoint
and copied the slides and saved as .pptx. This was not detected as having any
virus when I saved it. I moved this file to another machine on my home
network, also with PowerPoint 2007 as well as Windows Live OneCare 1.5, it
also did not detect it as a virus. I saved this as Awards.ppt on the other
computer and placed it on a USB storage device along with the pptx and the
compatibility pack for 2003 as a backup.
I took this to work and the .ppt file was not there anymore. I cannot find
any log of it being deleted in Symantec Antivirus (Version 10.0.1.1000), so
it is possible it did not transfer properly. I opened the .pptx after
installing compatibility pack and it told me I needed to install something
since it was a 2007 file, which I thought I had already installed. It slowly
opened, and then a virus was detected and quarantined in the .tmp file
created by the PowerPoint. Norton antivirus originally at home found the
virus in the .ppt.
I zipped the .ppt back at home and sent it to the work mail server. The
corporate antivirus product detected it as a virus in the zipped folder and
deleted it. I attached the original .pptx from the other computer at home and
then emailed it again. It was not blocked but when I uncompressed it on my
work laptop, it was detected again and the tmp file quarantined. At home I
moved the .pptx and .ppt back to this computer that it was originally made
on, and it does not appear to have a virus, neither the ppt or the pptx that
Symantec Antivirus says had a virus had it, according to both OneCare and
Norton Antivirus 2006. Either Symantec Antivirus is telling lies, or Home
antivirus products leave a lot to be desired.

4) I get no problem of any kind anymore while saving .ppt files, and the same
is for doc. I don't know whether it's infected or not, Norton says it isn't,
but relative to the Symantec antivirus product at work, I don't know what to
believe.

5) The PowerPoint I made was blank, with a built in template and made from
scratch. No macros that I know of.

6) I no longer have the original infected .ppt file, that Norton antivirus
detected. But I do have 4 quarantined .tmp files from Symantec antivirus,
still in quarantine.

7) See 6

8) See 7

Hope this confusing story makes sense.

I know that Symantec hasn't released a version that is compatible with 2007,
but I have disabled office protection in Norton Antivirus as this prevented
me from opening any office documents altogether.
I know that it was made by me. I definitely know that MS wouldn't want to
take over my computer, and unless that myth about antivirus companies making
the viruses themselves is true, I definitely know they wouldn't want to make
viruses.

I can only offer the 4 quarantined files for examination, and since they are
in Symantec antivirus, there doesn't seem to be a send to Symantec function as
described in that article.
 
I have the laptop here, and have done a few tests.
Opening the pptx does not work, most likely due to the fact that the
compatibility pack doesn't work for PowerPoint. It may be having its tmp files
auto deleted.
But the ppt, as soon as you plug it in, is immediately quarantined by
Symantec Antivirus. This is the same file that is said to be clear by OneCare
and Norton Antivirus 2006. I have submitted the PowerPoint to Symantec
through Norton Antivirus 2006.
There are now several tmp files in the Symantec Antivirus quarantine, with
one ppt which I have submitted as mentioned.

I know there are a few reckless decisions over this, but I really want to
get this solved, and if this isn't just one off, not have anyone else having
this problem.
 
Hi,

I had exactly the same problem using Office 2007 Beta 2 TR. I am using the
same version of Symantec Antivirus as my colleagues and they were reading
that I was sending a virus in my files (Bloodhound.exploit.84).

I downloaded the latest antivirus software and it could not find a virus on
my machine (11/10/06).

I then went to Windows Update and took 10 updates to my machine - a few
security patches for Windows XP and a couple for Office 2003 - I had to
reboot and go again, as some of the patches wouldn't install until I had
completed the install of previous ones.

After a reboot I ran the antivirus scan (nothing), and then opened my
supposedly infected PowerPoint file, and then saved it again under a new
name. This time when I send by email? No problem. Everything is fixed.

I don't know why, but if you try the Windows Update - it worked for me.

C
 
Hello Stephen,

If you install the latest security updates from Microsoft (as suggested by
caveboy) are you still able to reproduce this problem from scratch?

Thanks,

John Langhans [MSFT]
Supportability Program Manager - PowerPoint, Drawing & Graphics
 