Follow:

You have been re-routed to the Exploit:Win32/CVE-2009-3129 write up because Exploit%25253aWin32%25252fCVE-2009-3129 has been renamed to Exploit:Win32/CVE-2009-3129
 

Exploit:Win32/CVE-2009-3129


Exploit:Win32/CVE-2009-3129 is the detection for an exploit targeting a Microsoft Excel vulnerability. This vulnerability allows the execution of arbitrary code with the privileges of the currently logged-on user.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Get the latest computer updates
This malware is known to exploit a vulnerability in Microsoft Excel. To prevent this threat from entering your computer again, ensure that all Microsoft security updates are installed.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Threat behavior

Exploit:Win32/CVE-2009-3129 is the detection for an exploit targeting a Microsoft Excel vulnerability. This vulnerability allows the execution of arbitrary code with the privileges of the currently logged-on user.
 
The vulnerability is triggered when the user opens an affected spreadsheet that contains a malformed FEATHDR record, which allows the attacker to control the execution flow.
 
In the wild, we have observed the shellcode drop and execute the file wuauclt.exe (detected as Virtool:Win32/VBInject.gen!EE) to the %temp% folder.
 
Exploit:Win32/CVE-2009-3129 then drops a clean copy of the Excel document in the %temp% folder, and opens it in the Excel application.
 
Note: %temp% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Temp folder for Windows 2000 and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for XP, Vista, and 7 is C:\Users\<user name>\AppData\Local\Temp.
 
Analysis by Rodel Finones

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    wuauclt.exe

Prevention


Alert level: Severe
First detected by definition: 1.83.1976.0
Latest detected by definition: 1.201.1927.0 and higher
First detected on: Jun 16, 2010
This entry was first published on: Jun 16, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • MSExcel/Dropper.B!Camelot (Command)
  • Trojan-Dropper.MSExcel.Agent.bc (Kaspersky)
  • X97M/EXEDropper!exploit (CA)
  • Troj/DocDrop-Q (Sophos)
  • Bloodhound.Exploit.306 (Symantec)
  • TROJ_EXELDROP.A (Trend Micro)