newsbot
09-06-2010, 05:40 PM
We found a new malicious XLS file which contains lots of names, details and contact information for journalists around the world:
http://www.f-secure.com/weblog/archives/journalists_targeted.png
This file was e-mailed to unknown persons, apparently in order to launch a targeted attack. The relevance of the journalists mentioned in the attack file is unknown.
When the file (md5 hash: 738B307F892BCCA4E40C8B9C78DA52E1) is opened, it exploits a vulnerability in Excel. The vulnerability executes a piece of embedded code that drops several new executables to the hard drive and launches them, including:
\windows\system32\Setup\fxjssocm.exe
\windows\system32\spoolsv.exe
\windows\system32\Setup\setjupry.exe
\windows\system32\Setup\msxm32.dll
The executables contain a backdoor that gives the attacker full access to data on the target's computer.
We detect the malicious XLS and its dropped components as Exploit:W32/Xdropper.BR and Trojan-Dropper:W32/Agent.DJGD.
On 12/05/10 at 08:11 AM
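An added example (not part of the original post and not F-Secure's code): a Python sweep built only from the indicators quoted above, the XLS MD5 and the four dropped paths. The names `sweep` and `md5_of` and the directory arguments are hypothetical; `\windows\system32\spoolsv.exe` is also where the genuine Windows Print Spooler lives, so that path is routed to hash review instead of being counted as a hit.

```python
import hashlib
import os
import tempfile

# Indicators quoted from the post above.
XLS_MD5 = "738b307f892bcca4e40c8b9c78da52e1"
DROPPED = [
    r"windows\system32\Setup\fxjssocm.exe",
    r"windows\system32\spoolsv.exe",
    r"windows\system32\Setup\setjupry.exe",
    r"windows\system32\Setup\msxm32.dll",
]
# The genuine Print Spooler has this name and location, so presence alone
# proves nothing; such files are returned with their hash for review.
SHARED_WITH_OS = {"spoolsv.exe"}


def md5_of(path):
    h = hashlib.md5()  # MD5 only because it is the hash the post publishes
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def sweep(system_root, doc_root, bad_md5s=(XLS_MD5,)):
    """Return (findings, review): [(kind, path)] hits and [(path, md5)] to verify."""
    findings, review = [], []
    for rel in DROPPED:  # system_root is the drive root, e.g. "C:\\"
        full = os.path.join(system_root, *rel.split("\\"))
        if not os.path.isfile(full):
            continue
        if os.path.basename(full).lower() in SHARED_WITH_OS:
            review.append((full, md5_of(full)))
        else:
            findings.append(("dropped", full))
    bad = {m.lower() for m in bad_md5s}
    for dirpath, _dirs, files in os.walk(doc_root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(".xls") and md5_of(path) in bad:
                findings.append(("xls", path))
    return findings, review


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed demo tree
        os.makedirs(os.path.join(root, "windows", "system32", "Setup"))
        open(os.path.join(root, "windows", "system32", "Setup", "msxm32.dll"), "wb").close()
        print(sweep(root, root))
```

Files returned in `review` should be compared against a known-good hash or signature of the operating system's own binary before any conclusion is drawn.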