For Home

Virus Profile: Exploit-MSExcel.u

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/12/2009
Date Added: 11/12/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 5800
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Information

  • MD5  -  57B224EC81AA9662A68AEDB5B050BF9B
  • SHA  - 0F734696C65747F0AEAD1E3FF0F127100182723F

Aliases

  • Microsoft    - Exploit:Win32/CVE-2009-3129
  • Sophos        - Troj/DocDrop-S
  • Symantec     - Trojan.Mdropper
  • TrendMicro - TROJ_EXPL.ARF

Indication of Infection

  • Presence of above mentioned files and registry keys.
  • Presence unexpected network connection to the above mentioned IP Address.

Methods of Infection

This threat exploits Microsoft Excel vulnerability. It may be mass spammed as e-mail attachments and requires the user to open the Excel document and click on a hyperlink embedded in an Excel worksheet.
   

Virus Characteristics

This exploit could be executed by opening specially crafted malicious Excel files and clicking on a hyperlink embedded in a worksheet, and the end result could vary between memory corruption to the silent installation of any number of viruses, trojans, and potentially unwanted programs.

When executed, the Trojan drops and executes the following malicious file:

  • %Temp%\1sass.exe

This Trojan drops the following clean file in the Temp folder and opens it in the Excel application.

  • %Temp%\Æ-É¡ï¦è¦òöû+òd(H22.8.20).xls

The following registry key has been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2ED62908-E79E-B5E8-4F58-E8BDF994A5AC}

The following registry value has been added.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2ED62908-E79E-B5E8-4F58-E8BDF994A5AC}\]
    “StubPath” = “%Temp%\1sass.exe”

The above mentioned registry ensures that, the malware binary registers itself with the compromised system and execute itself upon every boot.

The malware binary connects to the site date.h[Removed]10.com through a remote port 1863.

[%Temp% is C:\Documents and Settings\Administrator\Local Settings\Temp\]

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).