Monday, May 3, 2010

Suspicious behavior in Microsoft Office 2010

For my consulting project, I was working on a Word document which required extensive formatting and frequent editing. This document was created using Microsoft Word (on the client's system) and at times I had to update it when I was at home. Unfortunately I don't have a valid license of Microsoft Word on my home laptop (I do have a valid XP license though).

I first tried using Nivio; this site provides a free one month trial for using their Web Services which includes an installed version of Microsoft Office. My Photon Whiz connection tried really hard to give me a good experience of using Nivio's "always turned on" web services, but better sense prevailed; I accepted the fact that I have to install Microsoft Office on my laptop.

I decided to give Microsoft 2010 a try. I logged in as Administrator to allow the installation and after 24 hours of downloading the installer, I encountered an interesting issue.


Zone Alarm displayed a security alert. (Zone Alarm is a free Windows firewall with some interesting add-on features. It is a must-have for Windows users in my opinion.)

I got worried on seeing this warning. I had my Huawei Photon (Chinese malware, anyone?) connected to the Internet and my portable hard disk plugged in. Could one of them be the culprit?

I downloaded and ran Process Explorer from SysInternals and after searching for "WINWORD.EXE", I got this:



I was using "Click to Run" to install Office 2010. With "Click to Run", Office 2010 applications run locally in a Virtual Application Environment on the Virtual Drive Q: that is specifically created on the system. You can read about it here.

So, when Microsoft Word was starting up from the Virtual Drive Q:, Zone Alarm detected that it was trying to inject code into Explorer.exe.

Now the question is: why the code injection, and what should I do?

I downloaded the installer from Microsoft's site (this application is valid only for 60 days). So, is this normal activity from the latest Office application?
Access to the Q: drive is denied by XP, so I could not verify whether WINWORD.EXE is infected or not.
As of now, the Zone Alarm prompt is still open and I have not "allowed" or "denied" the code injection. (Suggestions are welcome.)

The net outcome of this issue is that I have to go to work early to work on my document :(
