Exploit:Win32/CVE-2009-3129 is the detection for an exploit targeting a Microsoft Excel vulnerability. This vulnerability allows the execution of arbitrary code with the privileges of the currently logged-on user.
The vulnerability is triggered when the user opens an affected spreadsheet that contains a malformed FEATHDR record, which allows the attacker to control the execution flow.
Exploit:Win32/CVE-2009-3129 then drops a clean copy of the Excel document in the %temp% folder, and opens it in the Excel application.
Note: %temp% refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the Temp folder for Windows 2000 and NT is C:\DOCUME~1\<user>\LOCALS~1\Temp; and for XP, Vista, and 7 is C:\Users\<user name>\AppData\Local\Temp.
Analysis by Rodel Finones
The following system changes may indicate the presence of this malware: