During the last weeks, we have heard a great deal of talk about a new zero day vulnerability in Microsoft Office specifically in the Excel application. The vulnerability allows arbitrary code to be remotely executed in the affected system. It seems that the vulnerability is being used to install Trojans in Asian companies and government agencies.
In PandaLabs, we have been analyzing this new “zero day" and have tested different xls files which are in-the-wild. These files contain the exploit named as Exploit:Win32/Evenex.gen by Microsoft.
The tests have been done with the Office 2007 Service Pack 1 on Windows XP Service Pack 2. The main aim of our analysis was to test the TruPrevent
Technologies included in our products against this new 0 day. These Technologies are not signature-based and are able to detect the malicious behaviour of malware, in order to be proactive against unknown vulnerabilities.
We can conclude from the tests we have done that a system without an antivirus installed gets compromised, as we expected. The exploit creates a file in the temporary file of the user that has run the xls file and the computer is compromised.
1. When the Excel file is run, the following file is created:
C:Documents and Settings<username>Local SettingstempAdobeUpdater.exe
2. The file AdobeUpdate.exe creates the file:
C:Documents and Settings<username>Local SettingstempAcroRD32.exe
3. AcroRD32.exe connects to the Internet.
4. The file AdobeUpdater.exe is deleted.
5. The system is compromised.
However, after having done tests using Panda Global Protection 2009, the exploits we tested could not even create the first file (C:Documents and Settings<username>Local SettingsltempAdobeUpdater.exe). TruPrevent Technologies have blocked the exploit as it has detected a malicious behavior in the Excel application.
Although Microsoft has not published any patch to solve this severe vulnerability yet, our TruPrevent Technologies were already protecting our clients even before the exploit appeared. Thanks to the behavior analysis, our Antivirus is ready to face up to
this type of unknown vulnerabilities.
Thanks to David Sanchez Lavado for the information.