Monday, September 28, 2009

Sept 28. Attack of the Day. Exploit/MSWordAgent!IK Townhall Magazine... from spoofed xxxx@heritage.org

Download Final File of F4 UN.doc (password-protected archive; please contact me if you need the password)

Update January 24, 2010: Abhishek Lyall provided the following information about the file:
"The exploit works on Office 2003. Tested on XP SP2-3. The exe is embedded at offset 0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary with the name 'svchost.exe' and a doc file in the %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and doc are XORed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA." to be continued.. << Thank you (M)
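The obfuscation in the quoted analysis is a single-byte XOR with key 0x25 that leaves the bytes 0x25, 0x00, 0xFF and 0xDA untouched. Those four bytes are not arbitrary: 0x00 ^ 0x25 = 0x25 and 0xDA ^ 0x25 = 0xFF, so they are exactly the two byte pairs the key maps onto each other, and exempting them keeps the transform a self-inverse bijection (zero runs in the dropped files stay zero). The Python below is an added example, not code from this post or from Abhishek Lyall: it implements that decoder, locates an embedded executable by scanning for the encoded "MZ" magic and confirming the PE header pointer (which also lets you brute-force the key when it is unknown), and carves a payload at a given offset. The container it runs on is constructed here (an OLE2 magic, a dummy PE at 0x200 and a dummy inner document at 0x400); it is not the malicious document, and the real sample's offsets 0x4c00 and 0x7400 appear only in the usage note.

```python
"""Decode and carve XOR-obfuscated payloads of the kind described in the post.

Scheme (from the quoted analysis): single-byte XOR key 0x25, with the bytes
0x25, 0x00, 0xFF and 0xDA left unchanged. Because 0x00 ^ 0x25 == 0x25 and
0xDA ^ 0x25 == 0xFF, the exempt set is closed under the key, so encoding and
decoding are the same operation.

All offsets, the container and the dummy PE below are constructed for this
example and are not the malicious document.
"""
from __future__ import annotations

import struct

KEY = 0x25
SKIP = frozenset({0x25, 0x00, 0xFF, 0xDA})  # exemptions reported for this sample


def xor_decode(data: bytes, key: int = KEY, skip=SKIP) -> bytes:
    """XOR each byte with key, leaving bytes in `skip` untouched (self-inverse)."""
    return bytes(b if b in skip else b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' magic, e_lfanew in range and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_encoded_pe(container: bytes, key: int = KEY) -> list[int]:
    """Offsets at which decoding with `key` yields a plausible PE image.

    Scans for the encoded form of 'MZ' and confirms each hit by decoding the
    candidate region and validating the PE header pointer, which weeds out
    chance two-byte matches.
    """
    needle = xor_decode(b"MZ", key)
    hits = []
    pos = container.find(needle)
    while pos != -1:
        if looks_like_pe(xor_decode(container[pos:pos + 0x1000], key)):
            hits.append(pos)
        pos = container.find(needle, pos + 1)
    return hits


def guess_keys(container: bytes) -> dict[int, list[int]]:
    """Brute-force the single-byte key: every key under which a valid PE decodes.

    Uses this sample's exemption set for every key; for another sample the
    exemptions would have to be rediscovered alongside the key.
    """
    found = {}
    for key in range(256):
        hits = find_encoded_pe(container, key)
        if hits:
            found[key] = hits
    return found


def carve(container: bytes, offset: int, end: int | None = None, key: int = KEY) -> bytes:
    """Decode the region [offset, end) of the container; end defaults to EOF."""
    return xor_decode(container[offset:end], key)


# --- constructed sample data (not the real document) ------------------------
EXE_OFFSET = 0x200  # stand-ins for the sample's 0x4c00 (exe) and 0x7400 (doc)
DOC_OFFSET = 0x400


def build_fake_pe() -> bytes:
    """Dummy PE image: MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    image = bytearray(b"MZ" + b"\x90" * 0x3A)   # 0x3C bytes of DOS header
    image += struct.pack("<I", 0x80)             # e_lfanew = 0x80
    image += b"\x90" * (0x80 - len(image))       # DOS stub padding
    image += b"PE\0\0" + b"\xCC" * 32            # PE signature + filler
    return bytes(image)


def build_fake_container() -> bytes:
    """Carrier: OLE2 magic, zero filler, encoded exe, then encoded inner document."""
    ole_magic = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
    inner_doc = ole_magic + b"inner document" + b"\x00" * 16
    buf = bytearray(ole_magic)
    buf += b"\x00" * (EXE_OFFSET - len(buf))
    buf += xor_decode(build_fake_pe())           # encoding == decoding
    buf += b"\x00" * (DOC_OFFSET - len(buf))
    buf += xor_decode(inner_doc)
    return bytes(buf)


if __name__ == "__main__":
    data = build_fake_container()
    print("keys with a decodable PE:",
          {hex(k): [hex(o) for o in v] for k, v in guess_keys(data).items()})
    exe = carve(data, EXE_OFFSET, DOC_OFFSET)
    doc = carve(data, DOC_OFFSET)
    print("exe is PE:", looks_like_pe(exe), "| inner doc magic:", doc[:8].hex())
```

Against the real document you would call carve(data, 0x4c00, 0x7400) for the executable and carve(data, 0x7400) for the decoy document, then check the first with looks_like_pe(); guess_keys() is for the case where neither key nor offsets are known yet. The scan key on 'MZ' plus the e_lfanew check is deliberately stricter than grepping for "This program cannot be run", because the skip-byte trick means a naive single-key XOR of the whole file would corrupt every exempt byte.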


VirusTotal
http://www.virustotal.com/analisis/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac-1256236314
File Final File of F4 UN.doc received on 2009.10.22 18:31:54 (UTC)
Result: 4/41 (9.76%)
Antivirus    Version        Last Update   Result
a-squared    4.5.0.41       2009.10.22    Exploit.MSWord.Agent!IK
Antiy-AVL    2.0.3.7        2009.10.22    Exploit/MSWord.Agent
Ikarus       T3.1.1.72.0    2009.10.22    Exploit.MSWord.Agent
Kaspersky    7.0.0.125      2009.10.22    Exploit.MSWord.Agent.ac
File size: 1440768 bytes
MD5   : 76af62049aa95ba30214cabb5baf1342
SHA1  : 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac


I don't know why a-squared stopped detecting it. Two months later, detection is still very low.

http://www.virustotal.com/analisis/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac-1261374317
File Final_File_of_F4_UN.doc received on 2009.12.21 05:45:17 (UTC)
Result: 3/41 (7.32%)
Antivirus    Version        Last Update   Result
Antiy-AVL    2.0.3.7        2009.12.18    Exploit/MSWord.Agent
Authentium   5.2.0.5        2009.12.02    MSWord/Dropper.B!Camelot
Kaspersky    7.0.0.125      2009.12.21    Exploit.MSWord.Agent.ac
Additional information
File size: 1440768 bytes
MD5...: 76af62049aa95ba30214cabb5baf1342
SHA1..: 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac

to be continued..
