
Excel exploit – June 2006

A potentially serious nastie has been released which could affect Microsoft Excel users.

Over the weekend a potentially serious nastie has been released which could affect Microsoft Office users. This isn’t deja vu – it happened a few weeks ago but it’s now happened again – this time with Excel.

There’s NO fix for the security hole in Office that the virus exploits, which makes it more serious than a usual ‘theoretical’ warning. In this special issue we’ll fill you in on the known details, explain why it’s not a serious problem at this stage and what you can do to protect yourself.


LOW RISK – FOR NOW

This exploit has been released to some computers, but not many. That could change but the anti-virus companies have been commendably quick in updating their wares to protect you. There is also the risk that other virus writers will take advantage of the same or similar exploits.

We’re not in the business of trying to scare people for the sake of a headline. At this stage this Excel exploit isn’t a big problem but it could be.

We’re publishing this special issue of Office Watch so all our readers will have some facts, not rumors or scare mongering when Monday rolls around.

The good news is that the current versions of the nastie do not seem to be spreading and the anti-virus companies have quickly updated their wares to detect the new threat.

The bad news is that the underlying security flaw is not patched, so there’s potential for the same or other virus writers to take advantage of the flaw. It seems the exploit was deliberately released after Microsoft’s monthly release of patches to give it the longest time of vulnerability.

This is a ‘developing story’ – we’ll tell you what we know and how to protect yourself with a follow-up in our regular issue of Office Watch later this week. As usual part of our coverage is to squash some of the false stories floating around.


ZERO DAY BUG – AGAIN

It’s being called a ‘Zero Day’ flaw which is geek-speak meaning there’s no patch for the security breach. Microsoft knows about the problem and, for once, was among the first to announce the existence of the threat but there’s no word about when a fix for the problem will be released to the public.

In the meantime you should rely on updated anti-virus software plus some standard caution about any incoming files to your computer.

We hope that Microsoft moves quickly to make the patch available. With last month’s Word exploit they were lucky more variants didn’t appear – paying Office customers deserve more than luck to be on their side.

WHAT’S HAPPENING?

An Excel document can be infected with a Trojan Horse called Trojan.Mdropper.J. This nastie takes advantage of the un-patched security hole in Excel.

The Trojan makes it possible to run a new program on your computer, in this case another ‘Trojan Horse’ given the name Booli.A.

Booli.A doesn’t do anything bad itself – no files or settings are corrupted. Instead it tries to download a payload (i.e. other programs) from a web site and run those programs on your computer.

For Booli.A the web site has been blocked at the source, so even if your computer is infected there’s no immediate danger.

For more details check out the Symantec web site among many others.

MDropper.J

Booli.A


THE INFECTED EMAIL AND DOCUMENT

The known emails that have an infected Excel attachment have the name:

okN.xls

However, those are only the currently reported infections; the email subject and document name are easily changed. Filtering on the above file name is of little use. Proper and updated anti-virus software is better.
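To illustrate why a file-name rule is brittle, here is an added example (not part of the original article or any vendor's code) that compares a name-based filter with one that inspects the attachment bytes for the OLE2 header used by binary Office files. The function names, the block list and the sample message are constructed for illustration, and the assumed use is a mail gateway that holds such attachments for an anti-virus scan.

```python
from email import message_from_bytes
from email.message import EmailMessage

# OLE2 Compound File header: the container format of binary .xls workbooks
# (also used by legacy .doc and .ppt files, so this flags all of those).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
BLOCKED_NAMES = {"okn.xls"}  # the one attachment name reported in the article


def build_sample(filename: str) -> bytes:
    """Constructed sample message: a harmless stub carrying only the OLE2 header."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("see attached")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 504,
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def name_filter(raw: bytes) -> list[str]:
    """Naive rule: flag attachments whose file name is on the block list."""
    msg = message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk()
            if (p.get_filename() or "").lower() in BLOCKED_NAMES]


def content_filter(raw: bytes) -> list[str]:
    """Flag any attachment that starts with the OLE2 header, whatever its name."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename() and payload.startswith(OLE2_MAGIC):
            hits.append(part.get_filename())
    return hits


if __name__ == "__main__":
    for name in ("okN.xls", "invoice.xls", "report.dat"):
        raw = build_sample(name)
        print(name, "name rule:", name_filter(raw), "content rule:", content_filter(raw))
```

The content rule only identifies the file type so the attachment can be held for scanning; it does not decide whether a workbook is malicious, which remains the job of updated anti-virus signatures.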


WHO IS AFFECTED?

At this stage Microsoft is only talking about ‘Excel’ with no specific versions.

You should assume that all versions of Excel are vulnerable until advised otherwise.

WHAT TO DO?

While Microsoft has yet to patch the underlying security hole, the anti-virus companies have moved with their usual speed to add detection for the new nasties.

If you grab the latest updates for whatever anti-virus software you use then it should detect any incoming infected documents.

In this case ‘latest’ means an update released on 15 June 2006 or later.

To make sure, run your AV software update (Symantec’s LiveUpdate or similar) and check the date of the update after it has installed.


IS IT SPREADING?

The current infection doesn’t include any automatic method of distributing copies of itself. Many viruses these days ‘farm’ addresses from an infected computer to send copies of the infection to other computers. The current threat combination does NOT do that.

An unpatched and known exploit in Word is a strong lure for virus writers to take advantage before Microsoft patches the hole. So it’s possible we’ll see other infected documents that take advantage of the same security lapse.

 
