Low-Profile for the Excel 0-day vulnerability
Tuesday June 20, 2006 at 5:26 am CST
Posted by Francois Paget
Last week, Microsoft announced that it had received a single report of a new 0-day vulnerability in Excel. A malicious spreadsheet was attached to an e-mail and sent to a targeted victim. Microsoft has published details, and an interesting FAQ is also available on the Securiteam blog:
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
http://www.microsoft.com/technet/security/advisory/921365.mspx
http://blogs.securiteam.com/?p=451
Today, this threat has been rated Low-Profiled because of the media attention it is receiving. FrSIRT has also posted an advisory at http://www.frsirt.com/english/advisories/2006/2361.
According to various reports, the original file is named okN.xls. Reportedly, when a user opens the file, Excel closes unexpectedly and binary files are dropped in the Windows System directory as well as the system root directory.
I have studied a sample. It was 127,488 bytes in size. On my French system, the file had a long name with semi-graphical ASCII characters, possibly of Asian origin. After I renamed the file and opened it on an English Microsoft Excel 2000 version running on a Windows 2000 environment, the expected exploit did not occur. The filename visible in the upper-left corner of the window indicated to me that the file was partially loaded, but no spreadsheet was visible. When I attempted to close Excel, I received an application error message saying some memory address could not be read. I made another test on a Windows XP-PRO (French) environment with Excel 2002. This time an error message appeared and the file could not be loaded.
My colleagues also tested the file in a Japanese environment with the same disappointing results. We suspect that the exploit is more specifically crafted for Excel 2003 running on a specific OS version. It perhaps uses hardcoded return EIP offsets.
Despite these problems, the XLS file and its embedded downloader are detected as downloader-AWV.dr and downloader-AWV.
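When a sample like this refuses to trigger on the analyst's machine, the quickest way to confirm that it carries an embedded downloader is to scan the .xls for a PE image rather than wait for Excel to drop it. The script below is an added example, not code from the original post or from the analysts quoted in it: it walks the file for "MZ" stubs, validates each one by following e_lfanew to a "PE\0\0" header, sizes the image from its section table, and carves it out for hashing. The sample bytes (a stand-in OLE header, a decoy "MZ" inside text, and a minimal hand-built PE) are constructed inline; the function names are the example's own, and the sample is not the okN.xls file discussed above.

```python
"""Triage helper: find and carve PE executables embedded in an OLE/.xls document.

Added example; not code from the original post. Everything below the imports is
constructed for the demonstration, including the sample document.
"""
import hashlib
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file (OLE2) signature that .xls files start with
MZ = b"MZ"
PE = b"PE\x00\x00"
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}       # COFF Machine field values we care about


def _image_size_from_sections(data, sect_off, nsections):
    """Return the file-backed size of a PE: the furthest end of any section's raw data."""
    end = 0
    for i in range(nsections):
        off = sect_off + 40 * i                       # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end


def find_embedded_pe(data):
    """Return [(offset, machine, image_size)] for every MZ stub whose e_lfanew leads to a real PE header."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # A genuine e_lfanew is small and points past the DOS header; a stray "MZ" in text fails this.
            if 0x40 <= e_lfanew <= 0x400 and pe_off + 24 <= len(data) and data[pe_off:pe_off + 4] == PE:
                machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
                size = _image_size_from_sections(data, pe_off + 24 + opt_size, nsections)
                hits.append((pos, machine, size))
        pos = data.find(MZ, pos + 1)
    return hits


def carve(data, offset, size):
    """Slice the embedded image out of the carrier and return it with its SHA-256."""
    blob = data[offset:offset + size]
    return blob, hashlib.sha256(blob).hexdigest()


def _build_fake_pe(payload_size=0x200):
    """Constructed, non-functional PE32 stub: valid headers, one .text section, int3 filler."""
    dos = bytearray(0x80)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew -> NT header at 0x80
    coff = PE + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 optional-header magic
    sect = b".text\x00\x00\x00" + struct.pack("<IIII", payload_size, 0x1000, payload_size, 0x200) + bytes(16)
    header = (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\x00")
    return header + b"\xCC" * payload_size


# Constructed carrier: fake OLE header, a BIFF-like text blob containing a decoy "MZ", then the PE stub.
SAMPLE_XLS = (
    OLE_MAGIC + bytes(512 - len(OLE_MAGIC))
    + b"Workbook BIFF records ... size MZ=127488 ".ljust(256, b"\x00")
    + _build_fake_pe()
    + bytes(64)
)


def triage(data):
    """Human-readable summary of every embedded PE found in `data`."""
    report = []
    for offset, machine, size in find_embedded_pe(data):
        _, digest = carve(data, offset, size)
        report.append({"offset": offset, "machine": MACHINES.get(machine, hex(machine)),
                       "size": size, "sha256": digest})
    return report


if __name__ == "__main__":
    print("OLE carrier:", SAMPLE_XLS.startswith(OLE_MAGIC))
    for entry in triage(SAMPLE_XLS):
        print(entry)
```

Run on a real sample, a hit gives you the dropper's hash and offset without executing anything; no hit does not clear the file, because droppers are frequently stored XOR-encoded or compressed inside the workbook stream, in which case the "MZ" signature is not visible and the payload only appears once the exploit's decoder runs.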
