Spam campaign: exploited Excel files
We’ve been seeing an aggressive spam campaign (which we block) carrying malicious Excel (.xls) files, detected as Troj/DocDrop-Q, exploiting the vulnerability classified as CVE-2009-3129.
The Excel file attempts to decrypt, drop and run another executable file, which copies itself to <System>\googletoolbar32.exe and creates a registry entry called “Google Search Engine” to run itself automatically on reboot. We detect this exe as Mal/Koobface-G, and it’s very similar to other executables we’ve seen in spam recently.
Spam is likely to contain the word “treasury” in the sender’s address (which is faked). Examples include:
* “US Department of Treasury” <firstname.lastname@example.org>
* Elizabeth Boucher <email@example.com>
* Chang Avery <firstname.lastname@example.org>
Continues at SophosLabs Blog