Spam campaign: exploited Excel files

Excel icon
We’ve been seeing an aggressive spam campaign (which we block) carrying malicious Excel (.xls) files, detected as Troj/DocDrop-Q, exploiting the vulnerability classified as CVE-2009-3129.

The Excel file attempts to decrypt, drop and run another executable file, which copies itself to <System>\googletoolbar32.exe and creates a registry entry called “Google Search Engine” to run itself automatically on reboot. We detect this exe as Mal/Koobface-G, and it’s very similar to other executables we’ve seen in spam recently.

Spam is likely to contain the word “treasury” in the sender’s address (which is faked).  Examples include:

  • “US Department of Treasury” <>
  • Elizabeth Boucher <>
  • Chang Avery <>

Many of the spam messages contain references to OFAC, eg:

“Please view the attached report of the declined deposit by OFAC,
the file is a Microsoft Excell Spreadsheet.”

This vulnerability affects recent versions of Microsoft Excel, and Excel Viewer, so be sure if you have Excel that it is fully updated with patches.  Microsoft describes this vulnerability as part of MS09-067, and provides patches here: