HTool-Exp-MS08-014

Type: Program
SubType: Tool
Discovery Date: 03/25/2008
Length:
Minimum DAT: 5259 (03/25/2008)
Updated DAT: 5418 (10/29/2008)
Minimum Engine: 5.1.00
Description Added: 03/25/2008
Description Modified: 03/31/2008 12:07 AM (PT)

Risk Assessment
Corporate User: N/A
Home User: N/A

Characteristics

This detection is for a tool that can be used to create specially crafted Microsoft Excel files that use the MS08-014 Excel exploit.

Using this tool, one can create an Excel file with an embedded payload executable. When the Excel file is launched on a vulnerable machine, it drops and runs the embedded EXE.

This command-line tool takes as input a sample Excel file and the payload executable that is to run when the Excel file is launched.

The tool encrypts the desired (malicious) executable (using ROR 3) and embeds it into the Excel file.

When the newly created Excel file is opened on a vulnerable system, the embedded file is dropped into the %temp% folder and then executed.

The specially crafted Microsoft Excel files created with this tool are detected as Exploit-MSExcel.p.
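As an added illustration (not part of the original description and not the vendor's detection logic), the following sketch scans a document for an executable hidden with the ROR 3 encoding mentioned above. It assumes the rotation is applied to each byte individually and that the payload carries the standard DOS stub string; because the description does not say in which direction the stored bytes are rotated, both are checked. The sample data is constructed.

```python
# Added example: find a byte-rotated PE image embedded in a document file.
DOS_STUB = b"This program cannot be run in DOS mode"

def rotate_bytes(data: bytes, n: int, left: bool) -> bytes:
    """Rotate every byte of data by n bits (left=True: ROL, else ROR)."""
    def rot(b: int) -> int:
        if left:
            return ((b << n) | (b >> (8 - n))) & 0xFF
        return ((b >> n) | (b << (8 - n))) & 0xFF
    return data.translate(bytes(rot(b) for b in range(256)))

def find_rotated_pe(data: bytes, n: int = 3, lookback: int = 0x100):
    """Return (encoding, mz_offset, stub_offset) for each encoded DOS stub.

    encoding names the rotation the stored bytes have undergone.
    mz_offset is -1 when no encoded 'MZ' precedes the stub within lookback.
    """
    hits = []
    for name, left in (("ror", False), ("rol", True)):
        needle = rotate_bytes(DOS_STUB, n, left)   # stub text as stored
        mz = rotate_bytes(b"MZ", n, left)          # PE magic as stored
        pos = data.find(needle)
        while pos != -1:
            start = data.rfind(mz, max(0, pos - lookback), pos)
            hits.append((name, start, pos))
            pos = data.find(needle, pos + 1)
    return hits

# Constructed sample: a fake PE header (magic, padding, DOS stub text),
# rotated right by 3 and placed at offset 512 of a fake OLE2 container.
FAKE_STUB = b"MZ" + bytes(0x4C) + DOS_STUB + b".\r\r\n$"
SAMPLE_DOC = (bytes.fromhex("d0cf11e0a1b11ae1") + bytes(504)
              + rotate_bytes(FAKE_STUB, 3, left=False) + bytes(64))

if __name__ == "__main__":
    for enc, mz_off, stub_off in find_rotated_pe(SAMPLE_DOC):
        print(f"{enc}-3 encoded PE: MZ at {mz_off}, DOS stub at {stub_off}")
```

A hit is a strong reason to quarantine the file and decode the region with the inverse rotation for analysis; an unencoded executable produces no hit here and is better caught by ordinary PE signature checks.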

Variants

    N/A

Aliases

  • Constructor:Win32/Exrec.A (Microsoft)
  • Exploit.Win32.Agent.bo (F-Secure)
  • Exploit.Win32.Agent.bo (Kaspersky)
