Press Releases

Browse our press release archive

14 Jul 2006

Chinese words of love exploit PowerPoint zero day flaw

PowerPoint file secretly installs keylogging Trojan horse

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, are analyzing a malicious Microsoft PowerPoint file that exploits an unpatched vulnerability in the software in order to spy upon computer users.

The suspect PowerPoint PPT file, which contains "humorous" philosophy about love between men and women and is believed to have been distributed via email, contains exploit code that drops the Troj/Edepol-C keylogging Trojan horse onto users' computers.

The Trojan horse also attempts to disable anti-virus products running on the infected computer.

The PowerPoint presentation discusses relationships between men and women but secretly drops a Trojan horse onto computers

The PowerPoint presentation discusses relationships between men and women but secretly drops a Trojan horse onto computers.

The first slide in the presentation can be translated as follows:

What is romantic? You know the girl doesn't like him, but still sends her 999 roses; What is wasteful? You know the girl does like him, but still sends her 999 roses.

The next slide translates as:

There are two types of women: one is posh, and another is normal. The posh is for somebody else, the normal one is for family and husband.

During marriage a husband only sees his normal wife and during affair the husband will see the posh woman.

This is analysis of the reason why men have affairs. This is wonderful.

In total there are 18 slides in the presentation.

"The hackers exploiting this unpatched hole in PowerPoint appear to have timed the release of their malicious code to deliberately follow Microsoft's monthly security announcement," said Graham Cluley, senior technology consultant for Sophos. "The bad news for Microsoft and its customers is that there was no fix for this problem in that bundle of patches. All computer users need to be exercise great caution over unsolicited email attachments. The only people who are going to have a warm glow inside from the words of love in this presentation are likely to be the hackers behind the attack."

Sophos experts are continuing to examine the Powerpoint file which contains the exploit.

In May, in a similar incident, Sophos reported how hackers exploited a zero day vulnerability in Microsoft Word with the Troj/Oscor-B Trojan horse.

Sophos recommends that companies protect their email gateways with a consolidated solution to defend against viruses, spyware and spam, as well as apply an email policy that filters unsolicited content at the gateway. Businesses should also secure their desktop and servers with automatically updated protection and firewalls.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at