Exploit-MSExcel.h

Type: Trojan
SubType: Exploit
Discovery Date: 02/01/2007
Length: Varies
Minimum DAT: 4954 (02/01/2007)
Updated DAT: 5274 (04/15/2008)
Minimum Engine: 5.1.00
Description Added: 02/01/2007
Description Modified: 02/02/2007 1:52 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection covers a Microsoft Excel document that contains a malicious payload. Testing shows that Excel 2000, XP or 2003 with all patches available as of the discovery date (02/01/2007) is vulnerable to this exploit. McAfee Avert Labs is working with Microsoft to confirm the history of this vulnerability.

Upon opening the known variants of this malformed XLS document, the embedded shellcode can perform the following:

  • Unpack the XOR-encrypted shellcode in memory.
  • Resolve KERNEL32.DLL through an address hardcoded for Windows XP Service Pack 2. On any other Windows version the address is wrong, so Excel crashes without running the payload.
  • Create a new file, %Temp%\top10.exe, using the GetTempPathA and CreateFileA API calls.
  • Locate the open handle of the XLS document by calling GetFileSize on candidate handles until one returns the expected file size.
  • Read the embedded payload from the XLS file through that handle and write it to %Temp%\top10.exe.
  • Execute %Temp%\top10.exe.

This executable is a new variant of the BackDoor-CWA trojan.
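The dropper described above carries the executable inside the document itself and carves it out at run time. The following is an added example, not part of the McAfee description and not the vendor's detection logic: a Python triage script that finds and bounds a PE image embedded in an OLE2 (legacy .xls) container, which is what an analyst would run to recover the file that becomes %Temp%\top10.exe without opening the document in Excel. The OLE2 sample and the PE-shaped blob are constructed inline and are not the real sample. The single-byte XOR sweep is an assumption that goes beyond the page, which only says the shellcode is XOR-encrypted; it is included because a dropped payload encoded with a one-byte key is cheap to check for.

```python
import struct
from typing import List, Optional, Tuple

# OLE2 compound-document signature shared by legacy .xls/.doc/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def is_ole2(data: bytes) -> bool:
    """True if the buffer starts with the OLE2 (legacy Office) signature."""
    return data[:8] == OLE2_MAGIC


def pe_length_at(data: bytes, mz_off: int) -> Optional[int]:
    """Length of a complete PE image starting at mz_off, or None.

    Validates MZ -> e_lfanew -> 'PE\\0\\0', then bounds the image by its
    section table (largest PointerToRawData + SizeOfRawData), so the carver
    never trusts bytes beyond what the header itself accounts for.
    """
    if data[mz_off:mz_off + 2] != b"MZ" or len(data) < mz_off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew > 0x1000 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    if pe_off + 24 > len(data):
        return None                                 # truncated COFF header
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_table = pe_off + 24 + opt_hdr_size          # absolute offset
    end = e_lfanew + 24 + opt_hdr_size + 40 * num_sections  # headers, image-relative
    for i in range(num_sections):
        entry = sec_table + 40 * i
        if entry + 40 > len(data):
            return None                             # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    if mz_off + end > len(data):
        return None                                 # section data runs past EOF
    return end


def carve_pe(data: bytes) -> List[Tuple[int, int]]:
    """All (offset, length) pairs at which a well-formed PE image is embedded."""
    hits: List[Tuple[int, int]] = []
    pos = data.find(b"MZ")
    while pos != -1:
        n = pe_length_at(data, pos)
        if n:
            hits.append((pos, n))
            pos = data.find(b"MZ", pos + n)
        else:
            pos = data.find(b"MZ", pos + 1)
    return hits


def find_xored_pe(data: bytes) -> List[Tuple[int, int, int]]:
    """(key, offset, length) for PE images hidden behind a single-byte XOR key.

    Assumption, not a fact from the advisory: the page only says the shellcode
    is XOR-encrypted, so this is an extra sweep for a 1-byte-keyed payload.
    """
    hits: List[Tuple[int, int, int]] = []
    for key in range(1, 256):                       # key 0 is the plaintext case
        table = bytes(i ^ key for i in range(256))
        for off, n in carve_pe(data.translate(table)):
            hits.append((key, off, n))
    return hits


def build_fake_pe() -> bytes:
    """Constructed test data: a PE-shaped blob (not runnable code) with one
    section at raw offset 0x80, size 0x20, so the image is 0xA0 bytes."""
    mz = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x40)                  # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI",
                                        0x20, 0x1000, 0x20, 0x80, 0, 0, 0, 0, 0x60000020)
    img = bytes(mz) + coff + sect                           # exactly 0x80 bytes
    return img + b"\xCC" * 0x20                             # section body


def build_sample_xls(payload: bytes, xor_key: int = 0) -> bytes:
    """Constructed stand-in for the malformed XLS: a real OLE2 signature,
    a 512-byte header, filler, then the payload (optionally XOR-encoded)."""
    if xor_key:
        payload = payload.translate(bytes(i ^ xor_key for i in range(256)))
    return OLE2_MAGIC + b"\0" * 0x1F8 + b"A" * 0x100 + payload + b"\0" * 0x40


if __name__ == "__main__":
    doc = build_sample_xls(build_fake_pe())
    print("OLE2:", is_ole2(doc), "embedded PE:", carve_pe(doc))      # [(768, 160)]
    doc = build_sample_xls(build_fake_pe(), xor_key=0x5A)
    print("single-byte XOR hits:", find_xored_pe(doc))               # [(90, 768, 160)]
```

The carver bounds the image from the section table rather than reading to end of file, so a hit whose sections point past the end of the document is rejected instead of producing a truncated executable; on a real sample, the bytes at the reported offset and length are what to hash and submit, and their size is the value the shellcode's GetFileSize check is keyed to.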

Symptoms

  • Presence of the file(s) mentioned.
  • Unexpected termination of a fully patched Microsoft Excel 2000, XP or 2003 upon opening the Excel file.

Method of Infection

This threat exploits a Microsoft Excel vulnerability that, as of the description dates above, has not been patched.

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Variants

    N/A

Overview

This detection covers a Microsoft Excel document that contains a malicious payload. Testing shows that a fully patched Excel 2000, XP or 2003 is vulnerable to this exploit. Microsoft has confirmed that this is a new vulnerability.
