LTS Secure Warning: Get Rid Of W97M.Downloader And X97M.Downloader

W97M.Downloader and X97M.Downloader are Microsoft Office files that contain a malicious macro. The only difference between them is that W97M detections are related to Word files and X97M detections are related to Excel files.

Technical Details

The malicious Office file usually arrives on a machine as an attachment to a spam or phishing email. The file can be a Word document (.doc or .docx) or an Excel workbook (.xls or .xlsx).

It is important to note that documents with macros will not execute automatically with the default Microsoft Office installation, which means that end users must manually enable the execution of macros for the malware to run. This also holds for the newer variant that hides its code in a text box object, because the content of that object must still be read and executed by a small macro in the document. Ensure that this default is enforced by policy and that users are informed and trained not to enable macros in documents from unknown senders.

Impact

The malware uses spam as its primary propagation vector: the email carries an attachment in the form of a Word document or an Excel workbook. The document or workbook contains a Visual Basic for Applications (VBA) macro that either downloads the malware directly to the user's machine, or downloads a VBScript file or invokes a PowerShell script that in turn downloads and executes the malware.
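The two mechanisms described above (a VBA project in the document, and the variant that keeps its script text in a text box for a small macro to read) can both be surfaced at the mail gateway or during triage without opening the file in Office. The script below is an added example written for this page, not LTS Secure's code: it unpacks an OOXML (.docx/.xlsx) attachment as a zip, flags the presence of a `vbaProject.bin` part, and extracts text box content (Word `w:txbxContent`, Excel drawing `xdr:txBody`; these element names are taken from the OOXML schemas, not from the advisory) to check whether it reads like a script rather than a label. The keyword list and base64-run heuristic are assumptions for illustration; legacy binary .doc/.xls (OLE2) files are out of scope here. The sample documents it triages are constructed in memory and contain only placeholder text.

```python
import io
import re
import zipfile

# OOXML zip parts whose presence means the file carries a VBA project
VBA_PART_RE = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
# Word text boxes (w:txbxContent) and Excel drawing shapes (xdr:txBody);
# element names are assumptions from the OOXML schemas, not from the advisory
TEXTBOX_RE = re.compile(
    r"<w:txbxContent>(.*?)</w:txbxContent>|<xdr:txBody>(.*?)</xdr:txBody>", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# Heuristic markers of a stager hidden in a text box (assumed, tune for your environment)
STAGER_KEYWORDS = ("powershell", "createobject", "wscript.shell", "http://", "https://")
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")


def looks_like_hidden_payload(text: str) -> bool:
    """Heuristic: text box content that reads like a script rather than a caption."""
    lowered = text.lower()
    if any(k in lowered for k in STAGER_KEYWORDS):
        return True
    return BASE64_RUN_RE.search(text) is not None


def triage_office_file(data: bytes) -> dict:
    """Inspect one Office attachment (raw bytes) and return findings plus a verdict."""
    findings = {"is_ooxml": False, "has_vba_project": False,
                "textbox_count": 0, "suspicious_textbox": False, "verdict": "unknown"}
    if not data.startswith(b"PK\x03\x04"):
        # Legacy OLE2 .doc/.xls is not parsed here; olevba (oletools) covers that format
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    findings["is_ooxml"] = True
    for name in zf.namelist():
        if VBA_PART_RE.match(name):
            findings["has_vba_project"] = True
        if name == "word/document.xml" or name.startswith("xl/drawings/"):
            xml = zf.read(name).decode("utf-8", errors="replace")
            for m in TEXTBOX_RE.finditer(xml):
                findings["textbox_count"] += 1
                inner_text = TAG_RE.sub("", m.group(1) or m.group(2) or "")
                if looks_like_hidden_payload(inner_text):
                    findings["suspicious_textbox"] = True
    if findings["has_vba_project"] and findings["suspicious_textbox"]:
        findings["verdict"] = "block: macro plus script-like text box content"
    elif findings["has_vba_project"]:
        findings["verdict"] = "review: macro-enabled document received by e-mail"
    else:
        findings["verdict"] = "clean: no VBA project"
    return findings


def build_sample_docx(with_macro: bool, textbox_text: str = "") -> bytes:
    """Construct a minimal Word-style OOXML zip in memory (test data, not a real sample)."""
    body = ""
    if textbox_text:
        body = ("<w:p><w:r><w:pict><v:shape><v:textbox><w:txbxContent><w:p><w:r><w:t>"
                + textbox_text + "</w:t></w:r></w:p></w:txbxContent></v:textbox></v:shape>"
                "</w:pict></w:r></w:p>")
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p>" + body
        + "</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean", build_sample_docx(False)),
        ("macro only", build_sample_docx(True)),
        ("macro + text box", build_sample_docx(True, "powershell [constructed placeholder text]")),
    ]
    for label, blob in samples:
        print(label, triage_office_file(blob))
```

Only the combination of a VBA project and script-like text box content is rated "block"; a macro alone is rated "review", since legitimate macro-enabled workbooks do circulate by e-mail, and the final decision belongs with the policy described above of not enabling macros in documents from unknown senders.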

The following are observed subjects that the spam campaign uses:

  • Transaction is completed # 53758807
  • Bank Payments
  • La factura 5461
  • INVYW419743E Duplicate Payment Received
  • INVOICE 224245 from Power EC Ltd
  • Thank you for your donation to The ALS Association
  • Investment project

Recommended Actions

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
