Excel Zero Day Exploit Reported...Have a (Win32)Bagle with it too

It’s been a busy day in anti-virus land. There is a reported zero-day vulnerability in Microsoft Excel. Currently the exploit of the vulnerability comes in email as an attached Excel spreadsheet. When a user opens the spreadsheet the vulnerability is exploited and malicious software is downloaded.

So far the malicious downloads have been proactively detected by the signatures and/or advanced heuristic capabilities of NOD32, so if you use NOD32 you are protected. Just for added security, and not to tempt fate, we recommend that you never open unsolicited attachments from anyone. If your best friend, your mom, or anyone you know sends you an attachment in email it is always good to verify that they meant to send it to you -BEFORE- you open it.

We have also been seeing a lot of Win32/Bagle activity. Take a look at www.virusradar.com. You will see that at the time of this writing the number one threat is Win32/Bagle.gk, and number two is “a variant of Win32/Bagle worm”. Why does one have a name while the other is just a variant? That’s heuristics at work for you. We have had a sample of the GK variant long enough to develop signatures for it and give it a name. The one titled “a variant of Win32/Bagle worm” is brand new. We didn’t have a signature for that specific worm, but the heuristics were smart enough to know that it was bad and that it was very similar to the other Bagle worms. You may not have a signature for that exact Win32/Bagle variant, but NOD32 is protecting you anyway. That is the point of heuristics. It is far better to block malicious software now and name it later than to wait until you have a name and clean it up afterwards.

Currently in the number 5 position is “probably unknown NewHeur_PE virus”. This one isn’t like any Win32/Bagle we’ve seen before, but we know it is nothing you want running on your PC. We’ll take a look at it later and give it a name, but for now we’ll just make sure it does not cause you any harm.

Have a happy, safe computing weekend!

Randy Abrams
Director of Technical Education