Microsoft recently released a security advisory (932553) warning of new “zero-day” attacks using a vulnerability in Microsoft Office 2000, XP, 2003 and 2004 for Mac. The advisory reports that in order for the attack to be successful a user must open a maliciously crafted document.
Excel is currently the preferred document type for the recent attacks however Microsoft says other office applications are potentially vulnerable to similar forms of attack.
McAfee describes actions taken by the exploit:
Unpack the XOR-encrypted shellcode in memory
Load KERNEL32.DLL using a hardcoded address specific to Windows XP Service Pack 2. On other versions of Windows, Excel will simply crash.
Create a new fiile in %Temp% op10.exe using API calls – GetTempPathA, and CreateFileA
Seeks the opened file handle of the XLS file in memory using API call GetFileSize to match a specific filesize.
Extract the payload from the XLS file and write it into %Temp% op10.exe
Execute %Temp% op10.exe
The payload is a variant of Backdoor-CWA; a Trojan which will give it’s master remote access and control of the infected machine.
Microsoft’s advice? Make sure your antivirus definitions are current and be suspicious of all unexpected office attachments.