SANS ISC: Active exploitation of Excel vulnerability


The US-CERT has published a warning on active exploitation of a vulnerability in Microsoft Excel, described in Microsoft Security Advisory 947563. We can confirm these attacks and have been tracking several exploits over the last few days.

It should be noted that the incidents we are aware of have been limited to a very specific targeted attack and were not widespread. In total, we have counted approximately 21 reports of attacks so far, using only 8 different files and originating from within the same two communities.

Below are the MD5 sums of the individual exploit files:


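As an added example that is not part of the diary, the following script shows how a defender would use a list of published MD5 sums like the one above: it walks a directory, streams every file through MD5 and SHA-256, reports exact matches, and separately lists any other OLE2 compound documents (the container format of legacy binary .xls files) as candidates for an anti-virus rescan or sandbox submission. The hash list itself is not reproduced on this page, so the demo derives its "known" digest from a constructed sample file; the OLE magic check and the file names are assumptions of the example, not anything the diary states.

```python
import hashlib
import os
import tempfile

# OLE2 compound-document signature; legacy binary .xls/.doc/.ppt files
# start with these 8 bytes (assumption of this example, used only as a
# cheap way to pick out candidate spreadsheets for closer inspection).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def file_hashes(path, chunk=65536):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def is_ole_file(path):
    """True if the file begins with the OLE2 compound-document magic."""
    with open(path, "rb") as f:
        return f.read(len(OLE_MAGIC)) == OLE_MAGIC


def scan_tree(root, known_md5):
    """Walk root and compare every file against the known MD5 list.

    Returns (hits, candidates):
      hits       - list of (path, md5, sha256) whose MD5 is in known_md5
      candidates - list of (path, md5, sha256) for OLE2 files not on the
                   list, worth a rescan once vendors have updated signatures
    """
    wanted = {h.strip().lower() for h in known_md5}
    hits, candidates = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                md5, sha = file_hashes(path)
                ole = is_ole_file(path)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            if md5 in wanted:
                hits.append((path, md5, sha))
            elif ole:
                candidates.append((path, md5, sha))
    return hits, candidates


def run_demo():
    """Build a constructed directory, scan it, and return (hits, candidates)."""
    # Constructed contents: one file standing in for a listed exploit sample,
    # one benign workbook, one unrelated text file.
    sample = OLE_MAGIC + b"constructed sample standing in for a listed exploit file"
    benign = OLE_MAGIC + b"constructed benign workbook"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("invoice.xls", sample),
                           ("budget.xls", benign),
                           ("notes.txt", b"plain text, not an OLE file")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # In real use this list is the published MD5 sums; here it is the
        # digest of the constructed sample because the hashes are not on the page.
        known = [hashlib.md5(sample).hexdigest()]
        return scan_tree(d, known)


if __name__ == "__main__":
    hits, candidates = run_demo()
    for path, md5, sha in hits:
        print("MATCH     ", path, md5, sha)
    for path, md5, sha in candidates:
        print("CANDIDATE ", path, md5, sha)
```

Recording SHA-256 alongside MD5 matters in practice: vendor write-ups and sandboxes increasingly key on SHA-256, and having both lets you correlate a hit with other sources without re-hashing the file later.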
Throughout the incident, we worked together with various anti-virus vendors to ensure coverage. Below are some of the signatures we know of that catch iterations of these attacks. Note that some are relatively generic and also catch other, unrelated exploits:

Trend Micro: TROJ_MDROP.AH
AntiVir: TR/Drop.MSExcel.Agent
BitDefender: Exploit.MSExcel.Dropper
Fortinet: MSExcel/MalExcel.B!exploit
F-Secure: Trojan-Dropper.MSExcel.Agent
Ikarus: Trojan-Dropper.MSExcel.Agent
Kaspersky: Trojan-Dropper.MSExcel.Agent
McAfee: Exploit-MSExcel.p
Microsoft: Exploit:Win32/Exrec.A
NOD32: X97M/TrojanDropper.Agent.L
Symantec: Trojan.Mdropper
WebWasher: Trojan.Drop.MSExcel.Agent

We are aware that some of the samples connect back to ( on port 80, to retrieve the IP address of the actual control server.

Update: On March 11th, Microsoft released patch MS08-014, which fixes the vulnerability. Microsoft first acknowledged the vulnerability on January 15th.

Maarten Van Horenbeeck

Mar 12th 2008