New trojan exploits undocumented Excel flaw [UPDATED]

Entry updated to include link to MSRC report confirming the new vulnerability. Microsoft says nothing about names of Excel attachments yet. Additionally, they don’t mention related Trojans used in this case.
= = = =

MS06-027 fixed Ginwui-flaw in Word, but we have a new undocumented vulnerability in Microsoft Excel now. Trojan malware description disclosed the existence of this new vulnerability. Some basic information from Symantec write-up related to new Trojan:

1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.

2. Attempts to download a file from the following location:

[http://]210 . 6.90.153 : 7890/svcho[REMOVED]

When checking whois.domaintools.com/210.6.90.153

Hong Kong – City Telecom (h.k.) Ltd
person: CTINETS HOSTMASTER
address: 15/F, Trans Asia Centre,
address: 18 Kin Hong Street,
address: Kwai Chung, N.T.,
address: Hong Kong

it’s possible that company listed has no connections to this case at all.

Sender information of e-mail message is spoofed. Name okN.xls was used in attachment. Yes, this is spreading with Excel document, says the dropper component description. It has name Trojan.Mdropper.J. Variants H and I from this family are known to Word 0-day case.

Name Downloader.Booli.A is not included to Google’s index yet. McAfee has name Downloader-AWV, in turn.

UPDATE 16th Jun: MSRC Blog confirms report from Microsoft customer, new vulnerability was used in attack.
UPDATE #2: Secunia reports that code execution is possible. FrSIRT lists this as Command Execution Vulnerability.
UPDATE 17th Jun: Microsoft informs more details about upcoming security advisory.
UPDATE 19th Jun: See Excel 0-day FAQ and Microsoft Security Advisory too.

Share