Beware what's inside an Office document

Microsoft has released details of a new way Office documents can be used to infect your computer.  The documents can contain disguised OLE objects which are the real danger.

We’ve often said that ‘new’ Office documents (.docx .xlsx etc) are safer than their .doc etc predecessors.  That’s because the new ‘.???x’ files won’t run VBA code.

But hackers are always looking for ways to trick us and they’ve found one by adding an OLE object which carries the virus. It takes more steps to run the virus code but people still fall for it.

Here’s how this particular trick works and then we’ll look at what should make you wary about opening emails or documents like this.

In this case, a document arrives via email that pretends to be an invoice.

Source: Microsoft plus our cropping

Open the .docx document and you’ll see an innocent-looking ‘picture’ in the document with a note in German: “To see a receipt, click twice on the screen.”

Double-click on the item and you’ll get a security warning.

The JavaScript .js file is given an innocent-looking name but the result is the same … an infected computer.

The Microsoft post goes into some detail about what Trojan:JS/Certor.A does.  It has its own root certificate which looks very sincere but allows the hackers to track even your ‘secure’ HTTPS traffic.

It changes your proxy server settings so that all your web browsing goes via a hacker’s computer for snooping.  The virus also installs Tor software to hide the hackers’ computers.

What to look for

There are a few ‘red flags’ that should alert any wary computer user:

  • A bland, almost blank email with no details but an attachment.
  • Yes, the attachment is a .docx file but otherwise the message has all the hallmarks of a scam email.
  • Open the document but instead of opening fully in Word, use the Outlook preview pane.
  • In the document there’s nothing but a request to open yet another item. That’s very unusual so – red flag!
  • Clicking on the object triggers a security warning – BIG red flag!!!!!!!!
  • More tech-savvy users will see that it’s JavaScript code inside a Word document.  That’s not common or likely.
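The last red flag can be checked without opening the document in Word at all. The script below is an added example, not code from Microsoft or from the original article: it unzips a .docx/.xlsx/.pptx in memory, lists every embedded object, and reports script-type file names found inside it. The function names, the extension list and the `receipt.js` sample are assumptions made for the illustration, and the name search is a byte-level heuristic, not a full OLE parser.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
# Script/executable extensions that do not belong inside an invoice (assumed list).
RISKY = rb"(?:js|jse|vbs|vbe|wsf|hta|ps1|bat|cmd|scr|exe|lnk)"
# Printable ASCII run ending in a risky extension, followed by the NUL terminator
# that an OLE Package record puts after the embedded file's name.
NAME_RE = re.compile(rb"([\x20-\x7e]{1,200}\." + RISKY + rb")\x00", re.I)

def scan_ooxml(data: bytes) -> list:
    """Return one finding per embedded object in a .docx/.xlsx/.pptx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Word, Excel and PowerPoint all keep OLE objects under */embeddings/.
            if info.is_dir() or "/embeddings/" not in info.filename.lower():
                continue
            blob = zf.read(info)  # decompressed bytes of the embedded part
            names = sorted({m.decode("ascii") for m in NAME_RE.findall(blob)})
            findings.append({
                "part": info.filename,
                "is_ole": blob.startswith(OLE_MAGIC),
                "risky_names": names,
            })
    return findings

def build_sample(with_script: bool) -> bytes:
    """Constructed test input: a minimal zip shaped like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_script:
            # Not a full compound file: the signature plus a Package-style name record.
            payload = (OLE_MAGIC + b"\x00" * 56
                       + b"\x02\x00receipt.js\x00C:\\tmp\\receipt.js\x00")
            zf.writestr("word/embeddings/oleObject1.bin", payload)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_ooxml(build_sample(True)):
        print(finding)
```

Any finding at all in an emailed ‘invoice’ deserves a second look, and a non-empty `risky_names` list is the scripted equivalent of the security warning described above.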

Happily, this particular virus is known and should be caught by any decent anti-virus software or spam filter.

But the best defence is you … the wary computer user.