Mobile and print friendly view | Contagio Exchange - Contagio community malware dump

Friday, November 27, 2009

熊猫烧香 Panda Burning Incense virus - the new version is a variant, called Worm_Piloyd.B

Li Jun, aka “Virus King,” designed the 熊猫烧香 / Panda Burning Incense / joss-sticks virus that wreaked havoc in China in 2006 - 2007.  He spent 2 1/2 years in prison and was/is supposed to be released in the end of this year. Maybe he already was because a new version of this virus is now making rounds in China


Here is a Chinese language article (Google translated) about the author of the virus


The script below (from someone by name 'bobo') is supposed to remove the original version of the virus:





Nov.25 PDF attack: MOU from cwfhom@gmail.com Nov 25, 2009 10:25 PM


Download the infected pdf (password protected, contact me for the password)





本會與大陸三金融監理機關所簽署之監理合作備忘錄現正陳報行政院核可中,謹將備忘錄相關事項彙整如附件,敬請參閱,謝謝。

如須其他資訊,請隨時告知。

順頌時祺

周鳴皋敬上

金管會

Google Translate

From: Arthur Chou [cwfhom@gmail.com]
To: Ouruser@ourdomain.xxx
Sent: Wednesday, November 25, 2009 10:25 PM
Subject: MOU

This Council and the mainland three financial supervisory authorities signed a memorandum of cooperation is now Commissioner of the Executive Yuan for approval in Chen, I would like to compile a memorandum related matters, such as accessories, please read, thank you.

If any, additional information, please feel free to tell.

When Qi Shun Chung

Zhou Minggao Sincerely,

FSC


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=5b4f2df5c95ea65736adbd60ed4f96be&type=js

Result - suspicious


Virustotal analysis
http://www.virustotal.com/analisis/935aacc944172c155c6884ef8e70ec14a400a6de409aa024bbfa6a396853d656-1259261293

AntiVir 7.9.1.79 2009.11.26 HTML/Rce.Gen
McAfee-GW-Edition 6.8.5 2009.11.26 Heuristic.Script.Rce
Microsoft 1.5302 2009.11.26 Exploit:Win32/ShellCode.A
NOD32 4640 2009.11.26 PDF/Exploit.Gen
Norman 6.03.02 2009.11.25 JS/ShellCode.C 



 

Wednesday, November 25, 2009

Nov.25 PDF attack. Letter on Taiwan from rupertjhc@gmail.com Nov 25, 2009 11:23 AM


Download the infected PDF (password protected, you have to contact me for the password)
This one is quite interesting:



From Rupert Hammond-Chambers [rupertjhc@gmail.com]
To ouruser@ourdomain.xxx
Sent: Wednesday, November 25, 2009 9:54 AM
Subject Letter on Taiwan

Dear Colleagues,

I first would like to extend my heartfelt gratitude for the support that you and other members of Congress have demonstrated to the Republic of China (Taiwan) over the last 30 years. Despite the absence of official relations, our common goals and interests remain strong.
Our nation has attempted to purchase follow-on F-16s since 2006 to upgrade our national defense by replacing our F-5s and other antiquated equipment and thereby respond to the growing threat that the People’s Republic of China (PRC) and its military’s modernization efforts represents to peace and security in the Taiwan Strait. We respectively ask you to support our clear military need to upgrade our F-16 force by supporting a follow-on sale of F-16s. Your support will contribute immeasurably to America and Taiwan’s shared interest in democracy and peace and security in the Taiwan Strait.
Sincerely yours,

Rupert

--
Rupert Hammond-Chambers
President
US-Taiwan Business Council
________________________________
1700 North Moore Street, Suite 1703
Arlington, Virginia 22209
United States of America
Telephone: (703) 465-2930
Mobile: (202) 445-4777
Facsimile: (703) 465-2937
www.us-taiwan.org




Monday, November 23, 2009

Nov.23 PDF attack. The three undisclosed secret in President Obama Tours Asia Nov 23, 2009 11:23 AM from jenniferf.carlson@yahoo.com

Download the malicious PDF (password protected, you have to contact me for the password)
http://www.mediafire.com/?0ozfmnnegnh


The three undisclosed secret in President Obama Tours Asia

Sent: Mon 11/23/2009 11:23 AM
From: Jennifer F. Carlson [jenniferf.carlson@yahoo.com]

fyi.

The three undisclosed secret in President Obama Tours Asia.


The message sender was
    jenniferf.carlson@yahoo.com

The message originating IP was 68.142.206.162 The message recipients were
    ouruser@ourdomain.xxx

The message was titled The three undisclosed secret in President Obama Tours Asia The message date was Mon, 23 Nov 2009 08:22:38 -0800 (PST) The message identifier was <881116.55087.qm@web111811.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Mon Nov 23 16:22:42 2009 Database version: 2009-11-23_10

attach/5963917_3X_PM5_EMS_MA-PDF__ObamaAndAsia.pdf: Infected: Exploit.SWF.Agent.ci [AVP]



Virustotal analysis

File ObamaAndAsia.pdf received on 2009.11.25 06:39:38 (UTC)

Result: 5/41 (12.2%)

Antivirus Version Last Update Result

BitDefender 7.2 2009.11.25 Trojan.SWF.HeapSpray.B
F-Secure 9.0.15370.0 2009.11.24 Trojan.SWF.HeapSpray.B
Kaspersky 7.0.0.125 2009.11.25 Exploit.SWF.Agent.ci
GData 19 2009.11.25 Trojan.SWF.HeapSpray.B
Sunbelt 3.2.1858.2 2009.11.25 Exploit.PDF-JS.Gen (v)

Wednesday, November 18, 2009

Nov.18 PDF attack. U.S. ship thwarts second pirate attack November 18, 2009.pdf Nov 18, 2009 10:38:02 AM from michael.gillenwater@dhs.gov (Spoofed sender)


Download the malicious pdf (password protected, you have to contact me for the password)
http://www.mediafire.com/?ul3dzn5zqum
Email message text

Fw: U.S. ship thwarts second pirate attack November 18, 2009
michael.gillenwater
To: Undisclosed-Recipient:;
Sent: 11/18/2009 10:38 AM
>>
>>
>>> FYI
>>>
>>>
>>> ----- Original Message -----
>>> From: "Antweiler"
>>> To:
>>> Sent: Wednesday, November 18, 2009 4:40 AM
>>> Subject:Today: U.S. ship thwarts second pirate attack

Wepawet analysis
http://wepawet.cs.ucsb.edu/view.php?hash=0b9e08970966b28ad05300038a16ba22&type=js
Analysis report for U.S. ship thwarts second pirate attack November 18, 2009.pdf
Sample Overview
File    U.S. ship thwarts second pirate attack November 18, 2009.pdf
MD5    0b9e08970966b28ad05300038a16ba22
Analysis Started    2009-11-18 07:50:52
Report Generated    2009-11-18 07:50:57
JSAND version    1.03.02
Detection results
Detector    Result
JSAND 1.03.02    malicious

Exploits
Name    Description    Reference


Adobe Collab overflow    Multiple Adobe Reader and Acrobat buffer overflows    CVE-2007-5659

Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927




Heap Spraying with Actionscript by FireEye and From Targeted PDF Attack to Backdoor in Five Stages y McAfee



Excerpt
FireEye Malware Intelligence Lab
Julia Wolf @ FireEye Malware Intelligence Lab

Heap Spraying with Actionscript

Why turning off Javascript won't help this time
 Introduction


As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.


Background Summary


Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.


But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll” files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]


Anyway, here's why… Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash. More
II. http://www.avertlabs.com/research/blog/index.php/2009/09/14/from-targeted-pdf-attack-to-backdoor-in-five-stages/

McAfee Labs Blog
Excerpt
          From Targeted PDF Attack to Backdoor in Five Stages
          Monday September 14, 2009 at 12:33 pm CST
          Posted by Dennis Elser

 As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.


The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean, the second 6exploits CVE-ID 2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection. More

Saturday, November 14, 2009

Tuesday, November 10, 2009

Nov.8 PDF attack 國防部人力司招聘「專案研究助理」 from administrators@mnd.gov.tw Sun, Nov 08, 2009 8:13 PM

From: 國防部人力司 [mailto:administrators@mnd.gov.tw]
Sent: Sunday, November 08, 2009 8:13 PM
To: ouruser@ourdomain
Subject: 國防部人力司招聘「專案研究助理」
如附件所示,請 鑒核。
國防部人力司李意超敬上
地址:臺北市博愛路172號.

Approx. Translation:
Dept of Defense Manpower Division is recruiting a special research assistant
Please see attached.
Department of Defense Manpower Division
LI Yi-chao Sincerely,
Address: No. 172 Po-ai Road, Taipei.


Wepawet Analysis report for 國防部人力司招聘「專案研究助理 .pdf
Sample Overview
File 國防部人力司招聘「專案研究助理.pdf
MD5 35300c972545b9ae6efac2d24fea8b67
Analysis Started 2009-11-10 20:44:08
Report Generated 2009-11-10 20:44:18
Jsand version 1.03.02
Detection results
Detector Result
Jsand 1.03.02 malicious

Exploits

Sunday, November 8, 2009

COFEE v112

COFEE - Computer forensics tool


Excerpt
What is COFEE?
COFEE has been designed to provide the investigator the ability to collect evidence from a target system
with the minimum of user interaction. After the GUI interface generates a COFEE USB device (copies all
scripts and programs), the investigator can take the device and easily insert it onto a target machine,
and begin the collection process by executing a single program.

Published by NIJ (56)


DOJ Computer forensics tool testing reports

Friday, November 6, 2009

Nov.6 PDF attack. Obama visit Asia from [username]098@gmail.com Nov 6, 2009 8:38:57 AM


Possible MalWare 'Exploit/Zordle.gen' found in '5963792_3X_PM5_EMS_MA-PDF__Obama=20visit=20Asia.pdf'. Heuristics score: 201
From: "[REMOVED]" [mailto:098@gmail.com
Sent: Friday, November 6, 2009 8:38:57 AM GMT -05:00 US/Canada Eastern
Subject: Obama's visit to Asia


Dear Colleagues,


With the upcoming Obama's visit to Asia, please find the attached paper for your kind reference.
Should you have any questions, please contact me.
Best regards,
--
signature here [REMOVED]

File Obama_visit_Asia.pdf received on 2009.11.06 18:05:36 (UTC)

Current status: finished
Result: 4/41 (9.76%)

AntivirusVersionLast UpdateResult
a-squared4.5.0.412009.11.06-
AhnLab-V35.0.0.22009.11.06-
AntiVir7.9.1.592009.11.06-
Antiy-AVL2.0.3.72009.11.05-
Authentium5.2.0.52009.11.06PDF/Pidief.O
Avast4.8.1351.02009.11.06-
AVG8.5.0.4232009.11.06-
BitDefender7.22009.11.06Exploit.PDF-JS.Gen
CAT-QuickHeal10.002009.11.06-
ClamAV0.94.12009.11.06-
Comodo28622009.11.06-
DrWeb5.0.0.121822009.11.06-
eSafe7.0.17.02009.11.05-
eTrust-Vet35.1.71072009.11.06-
F-Prot4.5.1.852009.11.06-
F-Secure9.0.15370.02009.11.04Exploit.PDF-JS.Gen
Fortinet3.120.0.02009.11.06-
GData192009.11.06Exploit.PDF-JS.Gen
IkarusT3.1.1.74.02009.11.06-
Jiangmin11.0.8002009.11.06-
K7AntiVirus7.10.8902009.11.06-
Kaspersky7.0.0.1252009.11.06-
McAfee57932009.11.05-
McAfee+Artemis57942009.11.06-
McAfee-GW-Edition6.8.52009.11.06-
Microsoft1.52022009.11.06-
NOD3245802009.11.06-
Norman6.03.022009.11.06-
nProtect2009.1.8.02009.11.06-
Panda10.0.2.22009.11.05-
PCTools7.0.3.52009.11.06-
Prevx3.02009.11.06-
Rising21.54.44.002009.11.06-
Sophos4.47.02009.11.06-
Sunbelt3.2.1858.22009.11.06-
Symantec1.4.4.122009.11.06-
TheHacker6.5.0.2.0622009.11.05-
TrendMicro9.0.0.10032009.11.06-
VBA323.12.10.112009.11.06-
ViRobot2009.11.6.20252009.11.06-
VirusBuster4.6.5.02009.11.06-


File
Obama visit Asia.pdf
MD533aa28b079b33c1609f9096ee78e73c8
Analysis Started2009-11-06 12:10:45
Report Generated2009-11-06 12:10:53
Jsand version1.03.02

Detection results

DetectorResult
Jsand 1.03.02malicious

Exploits

NameDescriptionReference
Adobe Collab overflowMultiple Adobe Reader and Acrobat buffer overflowsCVE-2007-5659
Adobe getIconStack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab objectCVE-2009-0927

 

 

 










Monday, November 2, 2009

Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)

Win32/Opachki.A --Virustotal-all antivirus names for it. The real tragedy is in those http://www.threatexpert.com/report.aspx?md5=87a2583de6f6fbb5104e0433e89b1bcf


nsrbgxod.bak created by Opachki http://www.threatexpert.com/report.aspx?md5=87a2583de6f6fbb5104e0433e89b1bcf and nsrbgxod.bak created by Zeus/ZBot http://www.threatexpert.com/report.aspx?md5=00f2fd5e2c125965c188754f04da576c

Different hash


SecureWorks Opachki Trojan Analysis http://www.secureworks.com/research/threats/opachki

Threatexpert

Submission details:

Filename(s)

1 %Temp%\nsrbgxod.bak

0 bytes


MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2 %UserProfile%\protect.dll
%Programs%Startup\ChkDisk.dll
%System%\autochk.dll


[file and pathname of the sample #1]


24,064 bytes

MD5: 0x87A2583DE6F6FBB5104E0433E89B1BCF

SHA-1: 0x6048D36DB2207A1CEA877742C9403A816D711C6D

Mal/UnkPack-Fam
[Sophos]

TrojanDropper:Win32/Opachki.A

[Microsoft]

Trojan-Dropper.Win32.Opachki

[Ikarus]

3 %Programs%\Startup\ChkDisk.lnk



655 bytes



MD5: 0x6F61156F14AEED438770D31391E67EC9

SHA-1: 0x277B806CEC1AEDE9F9B934B7DD655D0BBB542597

Read more -  Update March 2010 

New banking trojan W32.Silon -msjet51.dll

If you have msjet51.dll in system32, you probably have a very dangerous banking trojan on your computer.