At PandaLabs, we have been analyzing this new "zero day" and have tested several .xls files found in the wild. These files contain the exploit that Microsoft names Exploit:Win32/Evenex.gen.
The tests were done with Office 2007 Service Pack 1 on Windows XP Service Pack 2. The main aim of our analysis was to test the TruPrevent Technologies included in our products against this new zero-day. These technologies are not signature-based; they detect the malicious behaviour of malware, so that they are proactive against unknown vulnerabilities.
We can conclude from the tests we have done that a system without an antivirus installed gets compromised, as we expected. The exploit creates a file in the temporary folder of the user who opened the .xls file, and the computer is compromised.
1. When the Excel file is run, the following file is created:
C:\Documents and Settings\<username>\Local Settings\temp\AdobeUpdater.exe
2. The file AdobeUpdater.exe creates the file:
C:\Documents and Settings\<username>\Local Settings\temp\AcroRD32.exe
3. AcroRD32.exe connects to the Internet.
4. The file AdobeUpdater.exe is deleted.
5. The system is compromised.
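The five-step chain above, turned into a behavioural correlation rule as an added example (this is not PandaLabs code): it runs over constructed endpoint events, where the event schema, the process names and the 203.0.113.10 address are assumptions.

```python
import re

# An .exe written under the XP per-user temp folder, as in steps 1 and 2 above.
TEMP_EXE = re.compile(r"\\Local Settings\\temp\\[^\\]+\.exe$", re.IGNORECASE)
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Constructed sample telemetry (not real logs): (time, event, actor process, target)
EVENTS = [
    ("10:00:01", "file_create", "excel.exe", r"C:\Documents and Settings\alice\Local Settings\temp\AdobeUpdater.exe"),
    ("10:00:02", "proc_start", "excel.exe", r"C:\Documents and Settings\alice\Local Settings\temp\AdobeUpdater.exe"),
    ("10:00:03", "file_create", "AdobeUpdater.exe", r"C:\Documents and Settings\alice\Local Settings\temp\AcroRD32.exe"),
    ("10:00:04", "proc_start", "AdobeUpdater.exe", r"C:\Documents and Settings\alice\Local Settings\temp\AcroRD32.exe"),
    ("10:00:05", "net_connect", "AcroRD32.exe", "203.0.113.10:80"),  # assumed address
    ("10:00:06", "file_delete", "AcroRD32.exe", r"C:\Documents and Settings\alice\Local Settings\temp\AdobeUpdater.exe"),
    ("10:05:00", "file_create", "excel.exe", r"C:\Documents and Settings\alice\My Documents\budget.xls"),  # benign
]

STAGES = ["office_wrote_temp_exe", "dropper_wrote_second_exe",
          "payload_connected_out", "dropper_deleted"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_drop_chains(events):
    """Correlate events per dropper; returns {dropper basename: [stages reached, in order]}."""
    chains = {}    # dropper basename -> stages observed so far
    payloads = {}  # second-stage basename -> dropper basename that wrote it
    for _ts, ev, actor, target in events:
        actor = actor.lower()
        if ev == "file_create" and actor in OFFICE and TEMP_EXE.search(target):
            chains[basename(target)] = [STAGES[0]]          # step 1: Office drops an exe in temp
        elif ev == "file_create" and actor in chains and TEMP_EXE.search(target):
            chains[actor].append(STAGES[1])                 # step 2: dropper writes a second exe
            payloads[basename(target)] = actor
        elif ev == "net_connect" and actor in payloads:
            chains[payloads[actor]].append(STAGES[2])       # step 3: second stage goes online
        elif ev == "file_delete" and basename(target) in chains:
            chains[basename(target)].append(STAGES[3])      # step 4: dropper removes itself
    return chains


def complete_chains(events):
    """Droppers for which all four stages were seen in the order the analysis describes."""
    return [name for name, seen in find_drop_chains(events).items() if seen == STAGES]
```

Any single stage (an Office process writing an .exe to temp, for instance) is already worth an alert on its own; the full chain simply raises confidence.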