
SANS ISC: InfoSec Handlers Diary Blog


Reports of Excel 0-Day

Published: 2006-06-16
Last Updated: 2006-06-16 17:16:11 UTC
by Chris Carboni (Version: 1)
Microsoft has received a report of a new 0-day vulnerability involving Excel.  They are currently investigating this issue and will issue more information on workarounds as it becomes available.  They are currently blogging about it at so check that site for more information as it becomes available.

In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.

Update - We've received reports (Thanks Juha-Matti) that Symantec is detecting this attack.

 Trojan.Mdropper.J is the detection for the malicious .xls which uses the 0-day exploit to drop Downloader.Booli.A.

The Symantec website also reports:

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:


Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  2. Attempts to download a file from the following location:
    Note: At the time of writing the remote file was not available.
  3. Saves the file as the following and if the download was successful, executes the file:
  4. Creates an empty file before exiting:

We'll pass on more information as we receive it.

