Friday, October 30, 2009

Oct-29 PDF attack. PART II -- North Korea - from georgeyork@mail.house.gov - 204.174.223.60 Thu, 29 Oct 2009 08:41:03 -

http://www.virustotal.com/analisis/37ac149b6dc8b377d481b8d5b3147039b2aecbfe834f300a97f8de14c2ae115b-1256922861
Dear Colleague,
Attached is the report on North Korea. Please let me know if you have any interest in this.
Regards,
George York
House Committee on Ways & Means
2170 Rayburn House Office Building
Tel: (202) 225-5021
Fax: (202) 225-2035

Avast 4.8.1351.0 2009.10.29 PDF:Dropper-E
BitDefender 7.2 2009.10.30 Trojan.SWF.HeapSpray.B
DrWeb 5.0.0.12182 2009.10.30 Exploit.PDF.332
F-Secure 9.0.15370.0 2009.10.30 Trojan.SWF.HeapSpray.B
GData 19 2009.10.30 Trojan.SWF.HeapSpray.B
Microsoft 1.5202 2009.10.30 Exploit:Win32/Pidief.X
Additional information
File size: 417217 bytes
MD5...: 56f0aee46d36bb43bed513172e39a38e
SHA1..: 7cd8aaa246ce9e117827178a12ab0169f762fa0d
SHA256: 37ac149b6dc8b377d481b8d5b3147039b2aecbfe834f300a97f8de14c2ae115b
ssdeep: 768:MkcWFYRkrEPz7OAFzqJBEWcCm+BwQroYPu1PDjHE/rec+8N7zJv9lJtdRx7ssJpV:lcWM/3UBEFq8ieLjkJ+Ov9ldR/OcX

Oct 29 CVE-2009-1862 North Korea - from Spoofed georgeyork@mail.house.gov - 204.174.223.60 Thu, 29 Oct 2009 08:41:03 -

Download 56F0AEE46D36BB43BED513172E39A38E-North Korea.zip (password protected archive, please contact me if you need the password)


Details 56F0AEE46D36BB43BED513172E39A38E-North Korea

From: York, George [mailto:georgeyork@mail.house.gov]
Sent: Thursday, October 29, 2009 9:41 AM
To: Undisclosed-Recipient:;
Subject: North Korea

Dear Colleague,

Attached is the report on North Korea. Please let me know if you have any interest in this.

Regards,

George York
House Committee on Ways & Means
2170 Rayburn House Office Building
Tel: (202) 225-5021
Fax: (202) 225-2035

Update of December 16, 2009 - file rescan
http://www.virustotal.com/analisis/37ac149b6dc8b377d481b8d5b3147039b2aecbfe834f300a97f8de14c2ae115b-1261021294
Antivirus Version Last Update Result
Avast 4.8.1351.0 2009.12.17 PDF:Dropper-E
BitDefender 7.2 2009.12.17 Trojan.SWF.HeapSpray.B
ClamAV 0.94.1 2009.12.17 Exploit.PDF-708
Comodo 3268 2009.12.17 UnclassifiedMalware
DrWeb 5.0.0.12182 2009.12.17 Exploit.PDF.332
F-Secure 9.0.15370.0 2009.12.16 Trojan.SWF.HeapSpray.B
GData 19 2009.12.17 Trojan.SWF.HeapSpray.B
Kaspersky 7.0.0.125 2009.12.17 Exploit.SWF.Agent.ci
McAfee 5834 2009.12.16 Exploit-PDF.z
McAfee+Artemis 5834 2009.12.16 Exploit-PDF.z
Microsoft 1.5302 2009.12.16 Exploit:Win32/Pidief.X
PCTools 7.0.3.5 2009.12.17 Trojan.Generic
Sunbelt 3.2.1858.2 2009.12.17 Exploit.PDF-JS.Gen (v)

Oct.29 PDF attack. NYT op ed by NAJIM ABED AL-JABOURI from expert-wgs@usip.org - Thu, 29 Oct 2009 08:41:03

The message sender was expert-wgs@usip.org ambdavidmack@yahoo.com
The message originating IP was 64.18.0.20
The message recipients were ouruser@ourdomain.org
The message was titled NYT op ed by NAJIM ABED AL-JABOURI
The message date was Thu, 29 Oct 2009 10:48:47 -0700
The message identifier was <717097.91003.qm@web45801.mail.sp1.yahoo.com>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'JS/Selfaltering.TxSp' found in
>>> '5964260_2X_PM2_EMQ_MH__message.htm'. Heuristics score: 321

Compromised computer

C:\RECYCLER\1\nc\exe. And in the black screen that pops up it reads: mail.linkum.com.br [216.75.20.82] 8082 (?) open
Hostname: mail.linkum.com.br
ISP: California Regional Intranet
Organization: California Regional Intranet
Proxy: None detected
Type: Corporate
Blacklist:

Geo-Location Information
Country: United States
State/Region: ME
City: Prospect Harbor
Latitude: 44.4286
Longitude: -68.0052
Area Code: 207

Thursday, October 15, 2009

Oct. 15, 2009 Attack of the Day. Trojan.Swifi /Trojan.SWF.HeapSpray.B / Exploit:Win32/Pidief.S 中共二炮部隊導彈之發展 The Development of Communist China's Second Artillery Corps Missile from F560123@ms13.hinet.net Thu 10/15/2009 10:50 PM


Download infected pdf 新型導彈技術發展.pdf (Password protected archive. Please contact me if you need the password)


From: CHaiwang [mailto:F560123@ms13.hinet.net]
Sent: Thursday, October 15, 2009 10:50 PM
To:
Subject: The Development of Communist China's Second Artillery Corps Missile

Please see the attachment!!!!

Chinese Communist PLA Research Institute
蔡萬助
2009/10/16

Note: To protect your computer against viruses, e-mail programs can prevent sending or receiving certain types of file attachments. Please check your e-mail security settings to determine how attachments are handled.


machine translation (pls contribute a better one, thank you)

From: CHaiwang [mailto:F560123@ms13.hinet.net]
Sent: Thursday, October 15, 2009 10:50 PM
To:
Subject:

Please refer to Annex!!!!

Chinese People's Liberation Army Institute of ?
2009/10/16

Note: To protect your computer against viruses, an e-mail program can prevent sending or receiving certain types of file attachments. Please check your e-mail security settings to determine how to handle attachments.

Virustotal results
http://www.virustotal.com/analisis/e13fa200c0b2ac9c9f2c722b261ca881a7bee277014ca6e85cff5db3941d6643-1261108031
File ________________________.pdf received on 2009.12.18 03:47:11 (UTC)
Result: 18/41 (43.90%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.18 Exploit.Win32.Pidief!IK
AntiVir 7.9.1.114 2009.12.17 EXP/Pidief.ban
Antiy-AVL 2.0.3.7 2009.12.17 Exploit/Win32.Pidief
Authentium 5.2.0.5 2009.12.02 PDF/Expl.CG
Avast 4.8.1351.0 2009.12.18 PDF:Dropper-D
BitDefender 7.2 2009.12.18 Trojan.SWF.HeapSpray.B
ClamAV 0.94.1 2009.12.18 Exploit.PDF-247
Comodo 3279 2009.12.18 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.16 Win32.Swifi
F-Secure 9.0.15370.0 2009.12.17 Exploit:W32/Pidief.JC
GData 19 2009.12.18 Trojan.SWF.HeapSpray.B
Ikarus T3.1.1.79.0 2009.12.18 Exploit.Win32.Pidief
Kaspersky 7.0.0.125 2009.12.18 Exploit.Win32.Pidief.crd
McAfee-GW-Edition 6.8.5 2009.12.18 Exploit.Pidief.ban
Microsoft 1.5302 2009.12.18 Exploit:Win32/Pidief.S
Panda 10.0.2.2 2009.12.15 Exploit/Pdfka
PCTools 7.0.3.5 2009.12.18 Trojan.Swifi
Symantec 1.4.4.12 2009.12.18 Trojan.Swifi 


Tuesday, October 13, 2009

Oct.13 PDF attack Taiwan op-ed - from imbsecurty@gmail.com Tue, 13 Oct 2009 22:08:02 +0800 -

The message sender was imbsecurty@gmail.com
The message originating IP was 209.85.216.187
The message recipients were ouruser@ourdomain.org
The message was titled Taiwan op-ed
The message date was Tue, 13 Oct 2009 22:08:02 +0800
The message identifier was <d3fe9be60910130708u204cb8bo4ee320dc72621dfd@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'Exploit/Zordle.gen' found in '5832758_3X_PM5_EMS_MA-PDF__Taiwan=20op=2Ded.pdf'. Heuristics score: 201
Possible MalWare 'Exploit/SWF.Noppy.gen' found in '5832758_3X_PM5_EMS_MA-PDF__Taiwan=20op=Ded.pdf::pdf_extract_0'. Heuristics score: 200
Possible MalWare 'Exploit/SWF.Noppy.gen' found in '5832758_3X_PM5_EMS_MA-PDF__Taiwan=20op=Ded.pdf::pdf_extract_1'. Heuristics score: 200



Friday, October 2, 2009

Oct. 2 PDF attack of the day. Fwd: U.S. Assiatance to North Korea from mark.manyin@gmail.com Fri, 2 Oct 2009 22:22:06


Download 028ebdeea729a8c18ca1406ff102088d U.S. Assiatance to North Korea.pdf (Password protected archive. Please contact me if you need the password)

From: Mark Manyin [mailto:mark.manyin@gmail.com]
Sent: Friday, October 02, 2009 10:22 AM
Subject: Fwd: U.S. Assiatance to North Korea

Dear Colleagues,

I was able to secure permission to forward you the attached report on U.S. Assiatance to North Korea. We intentionally kept it a short report, in hopes that it would increase its readership.

Please share with your colleagues. Also, please share their comments, observations and questions.

Best,

Mark Manyin
Specialist in Asian Affairs
Congressional Research Service
7-7653


The message sender was mark.manyin@gmail.com
The message originating IP was 209.85.222.117
The message recipients were xxx@xxx.xxx
The message was titled Fwd: U.S. Assiatance to North Korea
The message date was Fri, 2 Oct 2009 22:22:06 +0800
The message identifier was <1aa371b60910020722l10e85dd1v7b8fb8b4f05514bc@mail.gmail.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Fri Oct  2 14:40:46 2009 Database version: 2009-10-02_07

attach/5965436_3X_PM5_EMS_MA-PDF__U.S.=20Assiatance=20to=20North=20Korea.pdf: Infected: Exploit.Win32.Pidief.bvw [AVP]

Scan ended at Fri Oct  2 14:40:46 2009
2 files scanned
1 file infected