First Microsoft Excel 0-day Vulnerability FAQ [UPDATED]

This is a Frequently Asked Questions document about a new zero-day vulnerability in Microsoft Excel and Microsoft Excel Viewer.

-UPDATE- This vulnerability was fixed on 11th July with the MS06-037 monthly update.

Q: What is the Microsoft Excel 0-day vulnerability?
A: This previously unknown vulnerability is caused by an unknown error when processing malformed Excel documents. The detailed characteristics and the component being exploited are not publicly known. The vulnerability was disclosed via malware descriptions reporting a new Trojan that exploits an undocumented vulnerability in Excel. This flaw has been used in attacks against an unknown organization. Microsoft mentions a single report from one of its customers.

Q: How does the vulnerability work?
A: This is a code execution vulnerability. Microsoft reports that improper memory validation in Excel causes it. An attacker who successfully exploits this vulnerability can run code of his or her choice on the affected machine. The arbitrary code is executed with the current privileges of the logged-in user.
Microsoft reports that on Excel 2003 the vulnerability is exploited when Excel enters Repair Mode.

Q: When was this vulnerability found?
A: The first malware description was published on Wednesday 14th June. Microsoft confirmed the existence of the vulnerability on 16th June in the following document: blogs.technet.com/msrc/archive/2006/06/16/436174.aspx.
Update: There is information that one AV vendor had received samples already on Monday 12th June.

Q: Is this the same critical vulnerability as the one reported by several vendors on 6th July?
A: No. Both of these vulnerabilities use the Repair Mode feature, however. There is no malicious shellcode execution embedded in the PoC file ‘Nanika.xls’ posted to Bugtraq on 3rd July. This posting is the reason for the new advisories. User activity is needed to exploit this new vulnerability, which is related to Style information handling. The vulnerability mentioned is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3431. Update: There is no patch for this vulnerability included in the July monthly security updates.

Q: What Windows versions are affected?
A: Microsoft Excel installations on Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows 2003 Server systems are reportedly affected.

Q: What Excel versions are affected?
A: Excel versions 2003, 2002 and 2000 are affected. Some vendors list version 97 as affected too.

Q: Is the Excel Viewer utility affected too?
A: Microsoft lists Excel Viewer 2003 as affected. US-CERT lists Excel Viewer 97 as affected too.

Q: Is Microsoft Works Suite affected too?
A: According to the new Security Bulletin MS06-037, Works Suite is not vulnerable.

Q: Is Microsoft Excel for Mac affected by this vulnerability?
A: Microsoft lists Excel 2004 for Mac and Excel v. X for Mac as affected.

Q: Where are the official Microsoft documents related to this case located?
A: Documents published by Microsoft are located at the Microsoft Security Response Center (MSRC) Blog site. The address of this site is blogs.technet.com/msrc/default.aspx. The upcoming security advisory will be published in the Microsoft Security Advisories section of the Microsoft TechNet Security site. The address of the advisory section is www.microsoft.com/technet/security/advisory/default.mspx. NOTE: The advisory has been published.

Q: How can I protect myself from this vulnerability?
A: The best advice is to use anti-virus software and check that virus signature files are up to date. Update: Security Bulletin MS06-037 now includes a fix.

Q: Has exploit code for this vulnerability been publicly released?
A: Yes. It was posted to a public, unmoderated security mailing list on 22nd June.

Q: Is a PoC-type sample file for this vulnerability publicly available?
A: Yes. It was posted to a public, moderated security mailing list on 3rd July. The file name Nanika.xls was used.

Q: Is it safe to open any XLS files any more?
A: It is very important not to open Excel files from unknown sources. However, files from familiar sources can cause an infection too, because spoofed e-mail has been used. See the related item later.

Q: Are there any visible signs of the infection?
A: Yes. Microsoft Excel will unexpectedly close after the infection.
Update: According to new information, the Application Error “Memory could not be ‘read’” or Dr. Watson can occur.

Q: Does the related Trojan malware make any changes to the file system?
A: Yes. The file svc.exe is copied to the Windows System directory when the malicious file is opened. Additionally, the file temp.exe was copied to the system root, i.e. C:\ in most cases. A 0-byte file bool.ini was copied to C:\ as well. It is worth mentioning that .ini files are not normally visible to ordinary users without administrator rights. Reportedly bool.ini is a harmless file. This FAQ item will be updated if information about new Trojan variants arrives.

Q: Are there any special features in the way this new Trojan works?
A: Yes. It can inject itself into the Internet Explorer process to avoid firewall protection.

Q: What are the names of the malware exploiting this vulnerability?
A: Reportedly there is one Trojan and one dropper component for this malware. The following names are used:

Downloader.Booli.A [Trojan]
Trojan.Mdropper.J [dropper]

Downloader-AWV [name of the Trojan] etc.
Downloader-AWV.dr [name of the dropper] etc.

EXPLOIT-MSEXCEL.GEN

TROJ_SMALL.AWC
X97M_EMBED.AN -> renamed to TROJ_EMBED.AN 19th Jun

Troj/DwnLdr-DEL

Trojan-Downloader.Win32.Agent.alq
Trojan-Dropper.MSExcel.CVE-2006-3059.a

Downloader.JFN

Win32/SillyDl.AQS

Win32.SillyDl.AQS

Win32/SillyDL.7jh!Trojan

CVE-2006-3059 (yes, it is one of the names used)

The list is very comprehensive now.
According to official replies from some AV vendors, protection is not yet available in all anti-virus products.
Several AV vendors have published a write-up for the dropper only, referring to generic-type Trojan descriptions.

NOTE: Names assigned on 4th July and later:

Trojan.Hongmosa

TROJ_NANISTYL.A

These malware descriptions were published after the “Nanika.xls” PoC file was released on the Bugtraq mailing list.

Q: My AV vendor doesn’t list these names on its Web pages. How do I know my AV software protects me?
A: It’s possible that the anti-virus software has protection against this threat, but the malware database on the vendor’s Web page doesn’t include a specific write-up yet because of the weekend. The best way is to check the situation with your AV vendor.

Q: Are there Internet Storm Center documents available about the issue?
A: Yes. Internet Storm Center (ISC) has released several Diary entries: here, here and here.

Q: Is there a CME name available for the related malware?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier to this malware.

Q: Does Windows Live Safety Center detect this malware?
A: Yes. Microsoft has reported that detection for this Trojan was added to Windows Live Safety Center (in Beta phase).

Q: What is the file attachment name used in the attack mentioned?
A: The name okN.xls was used. The attackers can use other names in the future too, because the information about the name used is publicly known. According to newer information, some other Asian names were also used.

Q: Is there information about the file size used?
A: Yes. The size of Excel file is reportedly 127,488 bytes.

Q: Is it safe to open Excel spreadsheets coming from a trusted, known sender during the next days?
A: The answer is yes and no. If your anti-virus software is updated it will protect you. If you want one hundred percent protection, you can save spreadsheets first and scan them with your AV software.
The e-mail messages used in the attack mentioned were spoofed, however. So you can’t trust that the sender information in a message with an Excel file attached is truthful. If you are not sure, you can always call the sender if e-mail including Excel attachments arrives unexpectedly.
Additionally, it is possible to include malicious Microsoft Excel files as embedded files in Microsoft Word files or Microsoft PowerPoint files.

Q: Is it possible that malicious Excel files (.XLS file extension etc.) are located on Web pages too?
A: Yes. It is possible for an attacker to place malformed Excel files on Web pages too.

Q: Does filtering Excel documents at the network perimeter protect me?
A: No. Windows normally opens files based on file header information, so filtering by extension cannot be trusted. Microsoft lists all 21 Excel file types in its advisory.
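
An added example, not part of the original FAQ or of any vendor tool: a filter that decides by content instead of extension, by reading the OLE2 compound-file header and looking for a workbook stream in the directory. The function names, the short EXCEL_EXTS subset and the constructed sample file are assumptions made for illustration; only the 109 FAT sectors listed in the header are followed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
WORKBOOK_STREAMS = {"workbook", "book"}   # BIFF8 / BIFF5 workbook stream names
EXCEL_EXTS = {"xls", "xlt", "xla"}        # illustrative subset, not the advisory's list

def directory_names(data):
    """Names in the OLE2 directory; [] if the data is not an OLE2 file."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return []
    size = 1 << struct.unpack_from("<H", data, 30)[0]   # sector size from sector shift
    if size not in (512, 4096):
        return []
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    for n in struct.unpack_from("<109I", data, 76):     # FAT sectors listed in the header
        if n < 0xFFFFFFFA:                              # skip FREESECT and other markers
            raw = sector(n)
            fat.extend(struct.unpack("<%dI" % (len(raw) // 4), raw[:len(raw) // 4 * 4]))
    names, seen, sec = [], set(), struct.unpack_from("<I", data, 48)[0]
    while sec < len(fat) and sec not in seen:           # 'seen' stops looping chains
        seen.add(sec)
        raw = sector(sec)
        for off in range(0, len(raw) - 127, 128):       # 128-byte directory entries
            length = struct.unpack_from("<H", raw, off + 64)[0]
            if 2 <= length <= 64 and raw[off + 66] in (1, 2, 5):
                names.append(raw[off:off + length - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def classify(filename, data):
    """Compare what the content is with what the extension claims."""
    has_workbook = any(n.lower() in WORKBOOK_STREAMS for n in directory_names(data))
    claims_excel = filename.lower().rsplit(".", 1)[-1] in EXCEL_EXTS
    if has_workbook:
        return "excel" if claims_excel else "excel-disguised"
    return "not-excel-content" if claims_excel else "other"

def build_sample(stream):
    """Constructed minimal OLE2 file: FAT in sector 0, directory in sector 1."""
    header = bytearray(512); header[:8] = OLE2_MAGIC
    struct.pack_into("<HHHH", header, 24, 0x3E, 3, 0xFFFE, 9)   # versions, byte order, shift
    struct.pack_into("<II", header, 44, 1, 1)    # one FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entry = lambda name, kind: (name.encode("utf-16-le") + b"\0\0").ljust(64, b"\0") \
        + struct.pack("<HB", 2 * len(name) + 2, kind) + bytes(61)
    return bytes(header) + fat + entry("Root Entry", 5) + entry(stream, 2) + bytes(256)

if __name__ == "__main__":
    print(classify("report.txt", build_sample("Workbook")))
```

Because the directory is read flat, a workbook stream nested inside another OLE2 document's storage is reported as well.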

Q: When is the fix for this vulnerability expected?
A: It is impossible to say. Microsoft has promised to release an official security advisory about this vulnerability in the near future. Normally a Microsoft security advisory includes information about the fixing timeline of unpatched vulnerabilities. The next monthly security updates are scheduled for 11th July, 2006. Update: The fix is included in the new MS06-037.

Q: Is there a CVE name available for this vulnerability?
A: Yes, the CVE name CVE-2006-3059 was assigned on 17th June. The link to the CVE is cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059.
[CVE document works 19th Jun 10:00 UTC]

Q: Are rootkit techniques included in the malware exploiting this vulnerability?
A: At the time of writing there is no information about rootkit methods being included.

Q: Is there information about the origin of the related malware authors?
A: No. It is known that the target Web site used in the attack mentioned is located in Hong Kong, China.

Q: What is the TCP/IP port used in the related attack?
A: The TCP/IP port is 7890.

NOTE: Microsoft has now released Security Advisory #921365.

(c) Juha-Matti Laurio,
Finland (UTC +3hrs)

Revision History:
1.0 17-06-2006 Initial release
1.1 18-06-2006 Added information about filtering Excel documents
1.2 18-06-2006 Added information about missing protection in some AV products
1.3 19-06-2006 Added MSIE process injection information, affected Windows versions. Some minor updates done.
1.4 19-06-2006 Added information to state that CVE name is working. UPDATE: Added new name TROJ_EMBED.AN assigned to X97M_EMBED.AN (Trend) and new Downloader.JFN (Panda)
1.5 19-06-2006 Added date first samples received by AV vendors and information about new Microsoft Security Advisory release
1.6 20-06-2006 Added new Downloader-AWV.dr (McAfee) and information about missing CME identifier, updated advisory with new information in released Microsoft advisory. Several minor updates and fixes done.
1.7 21-06-2006 Added information about Application Error/Dr. Watson during the infection and information about file size used.
1.8 22-06-2006 Added Microsoft information about Repair Mode on Excel 2003, added several new related malware variant names and updated credits. Added information about public PoC exploit code and word ‘First’ to the title to clarify the situation.
1.9 03-07-2006 Added information about PoC sample file posted to public mailing list.
2.0 05-07-2006 Added new malware name “Trojan.Hongmosa” related to PoC file posted to Bugtraq.
2.1 06-07-2006 Added name “TROJ_NANISTYL.A” related to PoC file posted to Bugtraq. Added new question related to new critical so-called Nanika vulnerability.
2.2 10-07-2006 Updated so-called Nanika vulnerability information.
2.3 11-07-2006 Added information about released MS06-037 patch.

Thanks to Internet Storm Center Handler Jason Lam for his comments on this document. Thanks to anonymous anti-virus companies for sending write-up links without being asked.
