Now Symantec can to detect this attack.
Trojan.Mdropper.J is a Trojan horse that drops Downloader.Booli.A on the compromised computer. It exploits an undocumented vulnerability in Microsoft Excel.
The Symantec website also reports … Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name: %System%\svc.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
When Downloader.Booli.A is executed, it performs the following actions:
- Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
- Attempts to download a file from the following location: [http://]18.104.22.168:7890/svcho[REMOVED]
- Saves the file as the following and if the download was successful, executes the file: c:\temp.exe
- Creates an empty file before exiting: c:\bool.ini
Now we recommend use the same defenses as for lastest Microsoft Word vulnerability: How to block Microsoft Word vulnerability, recommended defenses.