Spam campaign: exploited Excel files

Filed Under: Malware, SophosLabs, Spam, Vulnerability

We've been seeing an aggressive spam campaign (which we block) carrying malicious Excel (.xls) files, detected as Troj/DocDrop-Q, exploiting the vulnerability classified as CVE-2009-3129.

The Excel file attempts to decrypt, drop and run another executable file, which copies itself to <System>\googletoolbar32.exe and creates a registry entry called "Google Search Engine" to run itself automatically on reboot. We detect this exe as Mal/Koobface-G, and it's very similar to other executables we've seen in spam recently.

Spam is likely to contain the word "treasury" in the sender's address (which is faked). Examples include:

  • "US Department of Treasury" <noreply@usdot.com>
  • Elizabeth Boucher <elizabeth.boucher_ce@treasury.govt.nz>
  • Chang Avery <c.averysh@treasurytoday.com>

Many of the spam messages contain references to OFAC, eg:

"Please view the attached report of the declined deposit by OFAC,
the file is a Microsoft Excell Spreadsheet."
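The indicators above (a faked sender address containing "treasury", a reference to OFAC in the body, and an .xls attachment) can be turned into a simple mail-triage rule. The following is an added example written for this article, not code from the original post or from SophosLabs; it uses only the Python standard library, the sample messages are constructed inline, and the rule weights and the two-indicator threshold are assumptions made here for illustration.

```python
"""Triage rules for the Excel spam campaign described above.

Added example, not part of the original post. It scores raw messages on
the three indicators the post lists and flags a message when at least two
of them match. Sample messages below are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators from the post. Matching is case-insensitive substring search;
# treating each hit as one point is an assumption made for this example.
SENDER_KEYWORD = "treasury"
BODY_KEYWORD = "ofac"
ATTACHMENT_EXT = ".xls"


def xls_attachment_names(msg):
    """Return the filenames of every .xls attachment on the message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(ATTACHMENT_EXT):
            names.append(name)
    return names


def score_message(raw):
    """Parse a raw RFC 822 message and return (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    sender = str(msg.get("From") or "").lower()
    if SENDER_KEYWORD in sender:
        reasons.append("sender address contains 'treasury'")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if BODY_KEYWORD in text:
        reasons.append("body references OFAC")

    xls = xls_attachment_names(msg)
    if xls:
        reasons.append("xls attachment: " + ", ".join(xls))

    return len(reasons), reasons


def is_suspect(raw, threshold=2):
    """Quarantine candidate when at least `threshold` indicators match."""
    score, _ = score_message(raw)
    return score >= threshold


def build_sample(from_addr, body, attach_xls):
    """Construct a sample message for testing (not a real captured mail)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Declined deposit"
    msg.set_content(body)
    if attach_xls:
        # Placeholder bytes standing in for the attachment; constructed here.
        msg.add_attachment(b"placeholder-xls-bytes",
                           maintype="application",
                           subtype="vnd.ms-excel",
                           filename="report.xls")
    return msg.as_string()


# Constructed samples: one modelled on the lure text quoted in the post,
# one benign message for comparison.
SPAM_SAMPLE = build_sample(
    "Elizabeth Boucher <elizabeth.boucher_ce@treasury.govt.nz>",
    "Please view the attached report of the declined deposit by OFAC,\n"
    "the file is a Microsoft Excell Spreadsheet.",
    True,
)
HAM_SAMPLE = build_sample("Alice <alice@example.com>", "Lunch at noon?", False)

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        score, reasons = score_message(raw)
        print(label, score, reasons, "-> suspect" if is_suspect(raw) else "-> ok")
```

Each indicator on its own is weak (plenty of legitimate mail mentions OFAC or carries a spreadsheet), so the rule only flags a message when two or more coincide; tune the threshold against your own mail flow before acting on it.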

This vulnerability affects recent versions of Microsoft Excel and Excel Viewer, so if you have Excel installed, make sure it is fully patched. Microsoft covers this vulnerability in security bulletin MS09-067 and provides patches here: http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx

