Tuesday, May 6, 2008

May 6, 2008 Poison Ivy EXE RSIS Commentary from RSISPubllcation@NTU.EDU.SG

Posted on March 6, 2010
Here is a blast from the past.  The message contains a zip file with a Poison Ivy executable - a fairly unsophisticated method of delivery, comparing to the methods we see these days. I found the fact that the message importance is set to low a bit unusual and amusing. Note the date of the attack - 2008.

Download the   105C80E404324938EAE633934EE44ED1 - RSIS.exe as a password protected archive (please contact me if you need the password)

Details 105C80E404324938EAE633934EE44ED1 - RSIS.exe






-----Original Message-----
From: RSISPubllcation [mailto:RSISPubllcation@NTU.EDU.SG]
Sent: Tuesday, May 06, 2008 9:10 PM
To: XXXXXXXXXXXXX
Subject: RSIS Commentary 54/2009 Ending the LTTE
Importance: Low

Dear All,
1. We are pleased to attach for your reading pleasure the following RSIS Commentary by Arabinda Acharya entitled Ending the LTTE: Recipe for counter-terrorism?
2. Synopsis:

Despite the very high cost in terms of lives lost and internal displacements, the military victory against the LTTE is a lesson in warfare for countries fighting insurgency and terrorism.


Regards,
RSISPublication,
for Yang Razali Kassim
Senior Fellow &
Editor RSIS Commentaries
 
http://www.virustotal.com/analisis/b71040cfa7545804d02afb8bb39639cf9c5dfd7439b29b6d3cf7a1ea8b9a5efc-1267933534
Virustotal results - 40/42 (not sure why eSafe and eTrust-Vet don't detect it :)
 a-squared    4.5.0.50    2010.03.06    Trojan.Win32.Agent!IK
AhnLab-V3    5.0.0.2    2010.03.06    Win-Trojan/Agent.45056.AJR
AntiVir    8.2.1.180    2010.03.05    TR/Agent.clsw
Antiy-AVL    2.0.3.7    2010.03.05    Trojan/Win32.Agent.gen
Authentium    5.2.0.5    2010.03.06    W32/Trojan2.HSKK
Avast    4.8.1351.0    2010.03.06    Win32:Trojan-gen
Avast5    5.0.332.0    2010.03.06    Win32:Trojan-gen
AVG    9.0.0.787    2010.03.06    Agent2.LBZ
BitDefender    7.2    2010.03.07    Trojan.Generic.2039983
CAT-QuickHeal    10.00    2010.03.06    Trojan.Agent.ckug
ClamAV    0.96.0.0-git    2010.03.06    Trojan.Agent-117052
Comodo    4091    2010.02.28    Heur.Suspicious
DrWeb    5.0.1.12222    2010.03.07    Trojan.Siggen.14707
F-Prot    4.5.1.85    2010.03.06    W32/Trojan2.HSKK
F-Secure    9.0.15370.0    2010.03.07    Trojan.Generic.2039983
Fortinet    4.0.14.0    2010.03.06    W32/Agent.CLSW!tr
GData    19    2010.03.07    Trojan.Generic.2039983
Ikarus    T3.1.1.80.0    2010.03.06    Trojan.Win32.Agent
Jiangmin    13.0.900    2010.03.06    Trojan/Agent.cmzc
K7AntiVirus    7.10.990    2010.03.04    Trojan.Win32.Agent.clsw
Kaspersky    7.0.0.125    2010.03.07    Trojan.Win32.Agent.clsw
McAfee    5912    2010.03.06    Generic BackDoor.m
McAfee+Artemis    5912    2010.03.06    Generic BackDoor.m
McAfee-GW-Edition    6.8.5    2010.03.07    Trojan.Agent.clsw
Microsoft    1.5502    2010.03.06    Backdoor:Win32/Poisonivy.E
NOD32    4921    2010.03.06    probably a variant of Win32/Agent
Norman    6.04.08    2010.03.06    W32/Agent.SKBD
nProtect    2009.1.8.0    2010.03.06    Trojan/W32.Agent.45056.MQ
Panda    10.0.2.2    2010.03.06    Trj/Downloader.MDW
PCTools    7.0.3.5    2010.03.04    Backdoor.Trojan
Prevx    3.0    2010.03.07    High Risk System Back Door
Rising    22.37.06.01    2010.03.07    Trojan.DL.Win32.Undef.eyn
Sophos    4.51.0    2010.03.06    Mal/Generic-A
Sunbelt    5776    2010.03.07    Trojan.Win32.Generic!BT
Symantec    20091.2.0.41    2010.03.07    Backdoor.Trojan
TheHacker    6.5.1.9.223    2010.03.07    Trojan/Agent.clsw
TrendMicro    9.120.0.1004    2010.03.07    BKDR_POISON.UG
VBA32    3.12.12.2    2010.03.05    Trojan.Win32.Agent.ckun
ViRobot    2010.3.5.2214    2010.03.05    Trojan.Win32.Agent.45056.GJ
VirusBuster    5.0.27.0    2010.03.06    Trojan.Agent.LZDM
Additional information
File size: 45056 bytes
MD5...: 105c80e404324938eae633934ee44ed1

Threatexpert Report
http://www.threatexpert.com/report.aspx?md5=105c80e404324938eae633934ee44ed1
    * The following Alternate Data Stream was created in the system:
#    ADS name(s)    ADS Size    ADS Hash    Alias
1     %Windir%\system32:msxmltwo.exe     45,056 bytes    

MD5: 0x105C80E404324938EAE633934EE44ED1
SHA-1: 0x8D599ED218C08603C1C86CA315959286FA553C56    
Backdoor.Trojan [PCTools]

    Registry Modifications
    * The following Registry Keys were created:
          o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C}
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PsThems
          o HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\PsThems\Settings

    * The newly created Registry Value is:
          o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E09850B8-3A60-D081-6B9B-960D43D3510C}]
                + StubPath = "%Windir%\system32:msxmltwo.exe"




Anubis Report
http://anubis.iseclab.org/?action=result&task_id=17dcf8eaeeed8708481ff44961985d488
          o   RSIS.exe
                +   C:\RSIS.exe
                +   Started by RSIS.exe
                +   Explorer.EXE
                      #   C:\WINDOWS\Explorer.EXE
                      #   RSIS.exe wrote to the virtual memory of this process
                      #   IEXPLORE.EXE
                            *   IEXPLORE.EXE
                            *   Started by Explorer.EXE






 DNS Queries:
        Name: [ js001.3322.org ]          
TCP Connection Attempts
        to 222.35.137.193:220

Hostname: 222.35.137.193
ISP: CHINA RAILWAY TELECOMMUNICATIONS CENTER
Organization: CHINA RAILWAY TELECOMMUNICATIONS CENTER
Country: China 
State/Region: Beijing

Information from Robtex.com