PowerPoint about the Mayan “end of the world” secretly boobytrapped with malware

Will the world end in 2012Earlier this week my colleagues Peter Szabo and Richard Wang respectively discovered and wrote about malware disguised as a Microsoft Excel spreadsheet used to generate Sudoku puzzles to help pass the time.

This morning I was contacted by another SophosLabs researcher, Scott Sitar, about a booby-trapped PowerPoint presentation titled “Will the world end in 2012?”

Like the Excel spreadsheet, this file contained Visual Basic macro code that drops an executable file called VBA[X].exe, where [X] is a random capital letter. In fact, the macro was functionally identical to that found in the Sudoku puzzle.

Also like the Sudoku generator, this sample required the user to enable macros, but didn’t include the helpful tip on how to do it or really any good reason you might need a macro to learn about the end times.

What are these macros up to? They are designed to construct a valid Windows PE file (Portable Executable) from arrays of single bytes.

While this isn’t particularly new, it would throw off the average user from understanding what these macros are designed to do even if they bothered to take a look.

Screenshot of malicious VB macros

Owl image retrieved by malwareThe EXE file that is extracted is what we call a dropper. It extracts another Windows PE file which downloads a picture of an owl, then contacts a command and control server.

It is designed to download another payload it will rename as Wmupdate.exe, but during our testing no instructions were sent from the command-and-control server to retrieve this payload.

Scott mentioned his suspicions that these were being automatically generated and not necessarily handcrafted by their creators. I think he’s right.

I took a look around and discovered the original, uninfected files that these dangerous macros had been added to.

The presentation about the world ending was created by a preacher in the United States who appears to have nothing to do with this booby-trapped version. Don’t go looking for this presentation though!

His legitimate WordPress blog has been compromised and is currently performing search engine manipulation duties for Viagra pushers, “off-shore” casinos, forex fraud and payday loans.

SEO keywords on compromised blog

If you do want to see what this presentation has to say, I was able to find it online in a safe to view format.

While macro viruses certainly aren’t a new phenomenon, they aren’t something many people think about.

Be careful with documents you acquire from random sources and never enable macros in documents you download or receive as email attachments.

You never know what might be lurking in there, but I suspect it won’t be the end of the world.

A special thanks to Scott Sitar in SophosLabs Vancouver for spotting this and doing all of the analysis necessary to share this story.

Sophos Anti-Virus on all platforms blocks this malware as follows:

WM97/ExeDrop-G: The malicious Office macro
Troj/DwnLdr-KLB: The Windows malware dropped by the above