XLS files specially designed to exploit a currently unpatched vulnerability in Microsoft Excel (identified as CVE-2008-0081) are reportedly being sent as email attachments in the wild.
The attachments, which arrive either as OLYMPIC.XLS or SCHEDULE.XLS are capable of dropping and executing Windows binary executables. This Trojan also drops a non-malicious Excel file and opens it upon execution to trick the user that it is the attached Excel file. Below are screenshots of the dropped Excel files of OLYMPIC.XLS and SCHEDULE.XLS respectively.
Both OLYMPIC.XLS and SCHEDULE.XLS are observed to use similar exploit templates and even allow malware writers to customize the exploit to perform other routines.
With the release of a security patch from Microsoft still a week away, malware authors are using this window of opportunity to infect a large number of computers. More information on this exploit can be found on this Microsoft Security Advisory.
Trend Micro advises users to be wary of opening unsolicited email messages, much more of files attached to them. Trend Micro already detects the above files as TROJ_MDROP.AH as of Control Pattern 5.136.12.