Reports of Excel 0-Day

Published: 2006-06-16
Last Updated: 2006-06-16 17:16:11 UTC
by Chris Carboni (Version: 1)
0 comment(s)
Microsoft has received a report of a new 0-day vulnerability involving Excel.  They are currently investigating this issue and will issue more information on workarounds as it becomes available.  They are currently blogging about it at http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx so check that site for more information as it becomes available.

In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at http://isc.sans.org/diary.php?storyid=1347. These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.


Update - We've recieved reports (Thanks Juha-Matti) that Symantec is detecting this attack.

 Trojan.Mdropper.J is the detection for the malicious .xls which uses the 0-day exploit to drop Downloader.Booli.A.

The Symantec website also reports ..

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  2. Attempts to download a file from the following location:
    [http://]210.6.90.153:7890/svcho[REMOVED]
    Note: At the time of writing the remote file was not available.
  3. Saves the file as the following and if the download was successful, executes the file:
    c:\temp.exe
  4. Creates an empty file before exiting:
    c:\bool.ini

We'll pass on more information as we receive it.

-Chris

Keywords:
0 comment(s)

Comments


Diary Archives