Information on MX97:CVE-2008-0081

Would somebody tell me something about the MX97:CVE-2008-0081 trojan/exploit ? We may have it hiding somewhere on my company’s file server. When a particular user here logs into another employee’s workstation, Avast complains about three occurrences of this trojan, apparently as his files are synchronizing to the local computer, as part of Windows’ “Offline Files” feature. Obviously, he’s banned from doing this again until the problem is sorted out.

I’m just beginning to investigate. MX97:CVE-2008-0081 initially uses an Excel security hole, and the files Avast has in its Virus Chest are definitely Excel files. The problem is that these files don’t match the size of anything on the server, and both bulk scans and manual scans of the files yield absolutely nothing. The server is using an up-to-date copy of Avast 4.8 Server Edition.

I’m trying to understand more about how this trojan hides and how it propagates. Maybe the answer is really simple, but so far I’m puzzled.

Thanks for any ideas,
Todd

I’ve run Avast boot scans on both infected (?) computers, but it didn’t find anything.

I’ll likely run a server scan overnight tonight.

Hi thetao,

Consider the info here: http://forum.avast.com/index.php?action=printpage;topic=32221.0

polonus

Thanks for the link. I realized it could be a false positive, but virscan.org had been acting flaky until this morning. Again, the files are (well, they WERE) in a user’s remote “My Documents” directory on our Windows 2003 server, and being copied to workstations around the office as part of the “Offline Files” synchronization feature. What’s weird is that NONE of the virus checkers at virscan.org identify the original file as infected, and only two identify the chest file as infected (Avast and GData). The file on the server is 116K, but the file I extract from the Avast Virus Chest is 86K…so something must be going on. Anybody else want to comment?

I will continue examining the files, and I also just submitted them to Avast for examination.

Thanks,
Todd
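A quick way to settle the size puzzle above (116K on the server vs. 86K in the Virus Chest) is to compare the two copies byte for byte rather than by name: hash them, check whether the smaller copy is simply a truncated prefix of the larger one (what an interrupted Offline Files sync could leave behind), and confirm that each still has a valid OLE2 compound-document header, which every binary .xls workbook starts with. The script below is an added example for this thread, not code from the original posts or from Avast; it assumes the files are BIFF-format .xls compound documents and uses only the Python standard library. The two sample files it builds are constructed stand-ins (a valid header plus filler sectors), not real workbooks; pass two real paths on the command line to compare actual files.

```python
import hashlib
import struct
import sys

# Signature that begins every OLE2 compound document (.xls, .doc, .ppt of that era).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def ole_header_info(data):
    """Parse the 512-byte compound-file header; return None if the data is not one."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    minor, major, byte_order, sector_shift, _mini_shift = struct.unpack_from("<HHHHH", data, 24)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return None                       # header fields are not what Excel writes
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    sector_size = 1 << sector_shift
    return {
        "version": (major, minor),
        "sector_size": sector_size,
        "fat_sectors": num_fat,
        "first_dir_sector": first_dir,
        # Whole sectors after the header, plus any ragged tail. A copy that ends
        # mid-sector was almost certainly cut off rather than written by Excel.
        "body_sectors": (len(data) - 512) // sector_size,
        "trailing_bytes": (len(data) - 512) % sector_size,
    }


def compare_copies(original, copy):
    """Compare a suspect copy (e.g. extracted from quarantine) with the server original."""
    sha = lambda b: hashlib.sha256(b).hexdigest()
    result = {
        "same_size": len(original) == len(copy),
        "same_hash": sha(original) == sha(copy),
        "orig_sha256": sha(original),
        "copy_sha256": sha(copy),
        "copy_is_prefix": len(copy) <= len(original) and original[: len(copy)] == copy,
        "orig_ole": ole_header_info(original),
        "copy_ole": ole_header_info(copy),
    }
    if result["same_hash"]:
        result["verdict"] = "identical: the scanner saw exactly the bytes on the server"
    elif result["copy_is_prefix"]:
        result["verdict"] = "copy is a truncated prefix of the original (partial sync?)"
    elif result["orig_ole"] and result["copy_ole"]:
        result["verdict"] = "both are compound documents but differ in content: diff them stream by stream"
    else:
        result["verdict"] = "different files, and at least one is not a valid compound document"
    return result


def make_sample_xls(body_sectors, seed=0x41):
    """Constructed sample (assumption for this example): a syntactically valid
    512-byte header followed by filler sectors. Not a real workbook."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    # minor=0x3E, major=3, little-endian marker, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 1)   # one FAT sector; directory starts at sector 1
    struct.pack_into("<I", header, 76, 0)        # DIFAT[0] points at FAT sector 0
    body = b"".join(bytes([(i * 7 + seed) & 0xFF]) * 512 for i in range(body_sectors))
    return bytes(header) + body


# Constructed stand-ins for the two files discussed in the thread.
SERVER_COPY = make_sample_xls(8)                  # "the file on the server"
CHEST_COPY = SERVER_COPY[: 512 + 2 * 512 + 100]   # "the file extracted from the Virus Chest", cut short


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f_orig, open(argv[2], "rb") as f_copy:
            original, copy = f_orig.read(), f_copy.read()
    else:
        original, copy = SERVER_COPY, CHEST_COPY
    report = compare_copies(original, copy)
    for key in ("same_size", "same_hash", "copy_is_prefix", "orig_ole", "copy_ole", "verdict"):
        print(f"{key:15}: {report[key]}")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python triage_xls.py \\server\share\user\file.xls C:\chest\file.xls`. If the quarantined copy hashes identically to the server file, the scanners are looking at the same bytes and the disagreement is purely a signature question; if it is a truncated prefix with a ragged tail, the scanner caught a half-synchronised file, and the original on the server is the one to submit for analysis.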