The MSRC has released an advisory about 0-day exploits in Excel and has also blogged about it. These exploits are currently being used in targeted and limited attacks. Today we released definition 1.51.1105.0 to help protect customers against these attacks; the detection name is Exploit:Win32/Evenex.gen. Forefront Client Security, Windows Live OneCare and Windows Live OneCare safety scanner use this definition, which detects such malicious Excel files.

The attack triggers a buffer overrun that occurs when Excel parses a maliciously crafted spreadsheet file. When the exploit succeeds, the attackers are able to run their own code, which is usually used to drop malware on the victim’s computer.

Several of the files have been shared in the industry. Here are SHA1 hashes for a few of them:

46181cf01e08b1760cecac95bbd486dd3b808988
6605bf6aee31f0cb2370d684aa32e5a588d4aaf4
675b12b1e50c9463576061cf5181a3f58dc30e59
7fe5481b1edc4df99488f5cc0f65f70fa35978d6
968ad6a8259ddf5f9705fef2ba2eaa3b63b1626f

Thanks go to our analysts Matt McCormack, Cristian Craioveanu and Hong Jia for developing this generic definition.

Ziv Mador
Microsoft Malware Protection Center