The MSRC released an advisory about 0-day exploits in Excel and they also have blogged about it. These exploits currently are being used for targeted and limited attacks. We released definition 1.51.1105.0 today to help protect customers against these attacks and the detection name is Exploit:Win32/Evenex.gen. Forefront Client Security, Windows Live OneCare and Windows Live OneCare safety scanner use this definition which detects such malicious Excel files.

The attack triggers a buffer overrun which happens when Excel parses maliciously crafted spreadsheet files. Once the exploit is successful, the attackers are able to run their code, usually used to drop malware on the victim’s computer.

Several of the files have been shared in the industry. Here are SHA1 hashes for a few of them:


Thanks go to our analysts Matt McCormack, Cristian Craioveanu and Hong Jia for developing this generic definition.

Ziv Mador
Microsoft Malware Protection Center