Excel Zero Day Exploit Reported…Have a (Win32)Bagle with it too

It’s been a busy day in anti-virus land. There is a reported zero-day vulnerability in Microsoft Excel. Currently the exploit of the vulnerability comes in email as an attached Excel spreadsheet. When a user opens the spreadsheet the vulnerability is exploited and malicious software is downloaded.

So far the malicious downloads have been proactively detected by the signatures and/or advanced heuristic capabilities of NOD32, so if you use NOD32 you are protected. Just for added security, and not to tempt fate, we recommend that you never open unsolicited attachments from anyone. If your best friend, your mom, or anyone you know sends you an attachment in email it is always good to verify that they meant to send it to you -BEFORE- you open it.

We have also been seeing a lot of Win32/Bagle activity. Take a look at www.virusradar.com. You will see that at the time of this writing the number one threat is Win32/Bagle.gk, and number two is “a variant of Win32/Bagle worm”. Why does one have a name and the other is just a variant? That’s heuristics at work for you. We have had a sample of the GK variant long enough to develop signatures for it and give it a name. The one titled “a variant of Win32/Bagle worm” is brand new. We didn’t have a signature for the specific worm, but the heuristics were smart enough to know that it was bad and that it was very similar to the other Bagle worms. You may not have a signature for the exact Win32/Bagle, but NOD32 is protecting you anyway. That is the point of heuristics. It is far better to block malicious software now and name it later than to wait until you have a name and clean it up later.

Currently in the number 5 position is “probably unknown NewHeur_PE virus”. This one isn’t like any Win32/Bagle we’ve seen before, but we know it is nothing you want running on your PC. We’ll take a look at it later and give it a name, but for now we’ll just make sure it does not cause you any harm.

Have a happy, safe computing weekend!

Randy Abrams
Director of Technical Education

Author , ESET

  • PSchuetz

    Hey there,

    please make the new/better Advanced Heuristic detection system in the upcoming NOD32v3 more informative/better describing..

    You know, “Probably unknown New Heur_PE virus” isn’t that specific at all, it’s very common/general..! -.-

    Please have a look at e.g. the Norman SandBox 2005 technologie (http://sandbox.norman.no/ ).

    As you can see here: http://www.norman.com/Virus/Sandbox/22460/, they have more detailed/specific names/categories for probably new maleware detected by the heuristic/sandbox of Norman products:


    Their SandBox Analyzer and Reporter (details of their products here: http://www.norman.com/Product/Sandbox-products/ and here (with example report output..): http://www.norman.com/Product/Sandbox-products/Analyzer/ ) give you great details of the probably new thread, so you know, what the detected “probably new maleware” does on/in your Windows system!
    Here is another example of such an report (on the bottom):

    So you can see what I mean and how you can improve the/your Advanced Heuristic/ThreadSense Technologie! :D (Maybe additionally to Code Analysis, Emulation and Generic Signatures (which are already in ThreadSense included..), an “Sandbox with an Analyser” here: http://www.eset.com/products/threatsense.php)

    I hope you get it right and know that “New Heur_PE Virus” is bad description, better is “New Heur_XXXX Maleware” or such..
    (Replace XXXX with W32/Malware, W32/EMailWorm, W32/NetworkWorm, W32/BackDoor, W32/P2PWorm, W32/FileInfector, W32/Dialler, W32/Downloader, W32/Spyware, etc…) ;-)

    And don’t get it wrong, I use NOD32 and I like your really useful and great AdvancedHeuristic system and don’t want to attrac/advertise other products like the Norman Sandbox solutions..! Only an good example and a good competition in the Sandbox/Heuristic analysis area..

    Another one is the upcoming F-Prot v4 aka 6, which owns a new great heuristic, even in beta..!
    This heuristic give you similiar hints/analyses/details as mentioned here (like the Norman SandBox..).
    So the user get more infos and details from the heuristic analyses in F-Prot v4.
    (So I hope we get more detailed infos in upcoming NOD32 v3 soon, too..^^)

    Thx in advance!

    best regards,


Follow us

Copyright © 2017 ESET, All Rights Reserved.