Rigged Excel Files Packing Malware Punch

By Ryan Naraine  |  Posted 2008-03-11 Print this article Print

Computer security experts warn that booby-trapped Excel documents are circulating with malicious executables.

On the eve of Microsoft's plans to fix a 2-month-old vulnerability affecting Microsoft Excel, security experts warn that booby-trapped Excel documents are circulating with malicious executables.

According to an alert issued by the United States Computer Emergency Readiness Team, a malicious Trojan has been rigged into .xls files that are being distributed via e-mail.

"Known file names for these attachments are OLYMPIC.XLS and SCHEDULE.XLS. These files may also contain Windows binary executables that can compromise an affected system," according to the US-CERT warning.

Researchers at the SANS ISC (Internet Storm Center), a group that tracks malicious Internet activity, have confirmed the latest attacks, which are exploiting a known-and unpatched-vulnerability in Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000 and Microsoft Excel 2004 for Mac.

Who are the 15 most influential people in security? Find out here.

"We can confirm these attacks and have been tracking several exploits over the last few days," said ISC incident handler Maarten Van Horenbeeck.

Van Horenbeeck said the exploits have been limited to a very specific targeted attack and are not widespread.

"In total, we established approximately 21 reports of attacks using only eight different files, from within the same two communities, so far," Van Horenbeeck said.

An examination of a sample Trojan shows that it opens a backdoor on a compromised Windows computer and connects back to update-microsoft.kmip.net ( on port 80 to retrieve the IP address of the actual control server.

Microsoft confirmed the vulnerability Jan. 15 and issued a pre-patch advisory with workarounds for Excel users.

In the absence of a fix, US-CERT recommends the following:

  • Do not open unsolicited or untrusted e-mail messages.
  • Use caution when opening e-mail attachments.
  • Block executable files and unknown file types at the e-mail gateway.
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Review the US-CERT Cyber Security Tip - Using Caution with Email Attachments.
Microsoft plans to ship four "critical" bulletins March 11 with patches for multiple vulnerabilities in its flagship Office desktop productivity suite. 

According to the software vendor's advance notice mechanism, three of the high-priority bulletins will cover holes in Microsoft Office while the fourth will deal with issues in Microsoft Office Web components.

Affected software includes Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, Microsoft Excel, Microsoft Office Outlook and Microsoft Office for Mac.

It is likely that this batch of patches will finally provide cover for the Excel flaw that's being exploited with this latest round of exploits.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel