Downloader-AWV.dr

Type
Trojan
SubType
Dropper
Discovery Date
06/19/2006
Length
Minimum DAT
4787 (06/19/2006)
Updated DAT
4788 (06/20/2006)
Minimum Engine
5.1.00
Description Added
06/19/2006
Description Modified
06/20/2006 4:56 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Overview

-- Update June 20, 2006 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.frsirt.com/english/advisories/2006/2361

--

Downloader-AWV.dr is a trojan delivered in a specially crafted Excel document. The document uses a zero-day exploit in Microsoft Excel to drop and execute a Win32 executable embedded inside it.

Aliases

  • Exploit.ControlExcel.A (BitDefender)
  • TROJ_EMBED.AN (Trend Micro)
  • Trojan-Dropper.MSExcel.CVE-2006-3059.a (Kaspersky)
  • Trojan.Mdropper.J (Symantec)
  • Win32/Exploit.MSExcel.Downloader (ESET)
  • X97M/SillyDL.AQS!Trojan (CA)

Characteristics

When the document is opened, it crashes Microsoft Excel and executes the embedded executable it contains, which is written to:

  • %Windir%\%SYSDIR%\svc.exe

The embedded file is a downloader which connects to a remote IP address to download more malware. The downloader component is detected as Downloader-AWV.

Symptoms

The downloader component launches "iexplore.exe" and injects a thread into that process.
It attempts to contact a remote IP address to download a file named "svchost.exe".

  • Remote IP: 210.6.90.xxx
  • Port: 7890
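As an added defender-side example (not part of the AVERT description and not McAfee code), the script below scans endpoint log lines for the indicators listed above: a connection to the published remote address on port 7890, the creation of the dropped "svc.exe", and "svchost.exe" being written by "iexplore.exe", the process the downloader injects into. The log format (one "N key=value ..." record per line) and the sample records are constructed for this example; because the page masks the last octet of the remote address as "210.6.90.xxx", the address is matched as a /24 prefix rather than a single host.

```python
import ipaddress
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators taken from the description above. The remote host is published with its
# last octet masked ("210.6.90.xxx"), so it can only be matched as a /24 prefix.
C2_NETWORK = ipaddress.ip_network("210.6.90.0/24")
C2_PORT = 7890
INJECTED_PROCESS = "iexplore.exe"
DROPPED_FILE = "svc.exe"
DOWNLOADED_FILE = "svchost.exe"

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records (assumption: a simple key=value endpoint-log shape,
# not any real product's format). Line 2 and line 6 are benign and must not fire.
SAMPLE_LOG = """\
1 event=net proc=iexplore.exe dst=210.6.90.17 dport=7890
2 event=net proc=iexplore.exe dst=93.184.216.34 dport=80
3 event=file proc=EXCEL.EXE path=C:\\WINDOWS\\system32\\svc.exe action=create
4 event=net proc=svc.exe dst=210.6.90.200 dport=7890
5 event=file proc=iexplore.exe path=C:\\WINDOWS\\system32\\svchost.exe action=create
6 event=file proc=services.exe path=C:\\WINDOWS\\system32\\svchost.exe action=open
"""


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_line(line: str) -> Optional[Tuple[int, Dict[str, str]]]:
    """Parse one 'N key=value ...' record; returns None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    head, _, rest = line.partition(" ")
    if not head.isdigit():
        return None
    return int(head), dict(KV_RE.findall(rest))


def in_c2_range(dst: str) -> bool:
    """True when dst is a valid IPv4/IPv6 literal inside the masked C2 range."""
    try:
        return ipaddress.ip_address(dst) in C2_NETWORK
    except ValueError:
        return False


def check_event(line_no: int, ev: Dict[str, str]) -> Optional[Finding]:
    proc = ev.get("proc", "").lower()
    if ev.get("event") == "net":
        # Any process reaching the C2 range on 7890 is flagged, not only iexplore.exe:
        # both the dropped svc.exe and the injected thread can originate the traffic.
        if in_c2_range(ev.get("dst", "")) and ev.get("dport") == str(C2_PORT):
            return Finding(line_no, f"{proc} connected to {ev['dst']}:{C2_PORT} (Downloader-AWV remote address range)")
    elif ev.get("event") == "file" and ev.get("action") == "create":
        # ntpath handles backslash paths regardless of the host OS running this scanner.
        name = ntpath.basename(ev.get("path", "")).lower()
        if name == DROPPED_FILE:
            return Finding(line_no, f"{proc} created {ev['path']} (file dropped by the Excel exploit)")
        if name == DOWNLOADED_FILE and proc == INJECTED_PROCESS:
            return Finding(line_no, f"{proc} wrote {ev['path']} (payload fetched by the injected thread)")
    return None


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per log record that matches a Downloader-AWV indicator."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        line_no, ev = parsed
        finding = check_event(line_no, ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Running the script against the embedded sample flags records 1, 3, 4 and 5 and leaves the ordinary browser connection (2) and the legitimate services.exe access to svchost.exe (6) alone. The prefix match is deliberately broader than a single-host indicator; on a real network it should be paired with the port and process context shown here rather than used on its own.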

Method of Infection

Downloader-AWV.dr was mass spammed and uses a zero-day vulnerability in Microsoft Excel to execute the embedded executable contained within the document when it is opened.

More information on this zero day vulnerability can be viewed at:

http://www.frsirt.com/english/advisories/2006/2361

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A