Pages

Tuesday, February 23, 2010

Feb 22 CVE-2006-6456 MS Word Taiwan 2010 from diguapinggao@gmail.com Febr 22, 2010 4:17 AM

This is an old exploit targeting systems that have been unpatched for a long time. It appears that the document was created using 2007最新DOC捆绑器 (thanks to zha0 for helping translate and spell the tool name). The tool can be easily found online and is designed to exploit CVE-2006-6456 / MS07-014 vulnerabitly. According to the Symantec post describing this tool in April 2007, shellcode in documents generated by the tool usually starts at offset 0x16730, which seems to be our case too. The exploit will not work on Office 2003 SP3 and earlier versions with MS Update kb 929434 (MS07-014).

Update March 3, 2010 - Abhishek Lyall kindly provided additional details about the sample
"The "taskmgr.exe" embedded from offset 0x24E00. The exe is XOR'ed with 64 bit key 0xCA5039AF00000000. If you  XOR the file again with same key you'll find the exe headers at offset 0x24E00." Please see his screenshot below


 
Download  the following files as a password protected archive. (Please contact me if you need the password)





├───analysis files (by Tom - see below)
exe (taskmgr.ex   441D239744D05B861202E3E25A2AF0CD 32,768 bytes; taskmgr.idb)
│ shell  (shel1.bin; shel1.idb; shel2.bin; shel2.idb)
├───collected
│ 1.tmp                   441D239744D05B861202E3E25A2AF0CD 32,768 bytes
│ Taiwan 2010.doc 85AF26A74E548B56ADEA933CFB878520 52,224 bytes
│ taskmgr.exe          441D239744D05B861202E3E25A2AF0CD 32,768 bytes
└───original doc
   Taiwan 2010.doc  9EF09819AA5D552ECB15067A14A33152 183,808 bytes



From: 孙丰 [mailto:diguapinggao@gmail.com]
Sent: Monday, February 22, 2010 4:17 AM
To: diguapinggao@gmail.com
Subject: Taiwan 2010







Feb 20 CVE-2006-2492 MS Word w Trojan.Buzus.U Mainland Affairs Council list of the week itinerary from macnews@mac.gov.tw

Download 20100214陸委楔@週活動一覽表(新增).doc as a password protected archive (please contact me if you need the password)

Details D05E0400B62687B5796C5D1B5CCDF6EE -- 20100214陸委楔@週活動一覽表(新增).doc

Update March 3, 2010  Abhishek Lyall (thank you!) provided additional details for this sample:
"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13 but only first 564 bytes of the binary file are XOR'ed rest of the file is same. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with exploit, which starts from offset 0xC010.  The size of the file is 45056 bytes. Note the doc headers start from "0xD0CF11E0"  but the doc file attached with the exploit has headers starting from "0xCFD0E011". This means when the doc file is dropped in %temp% the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."

Analysis of the binary 
Trojan.Buzus.U
Download
096239F5CF4E1255634F3F2E7DE8824E - WinHttp.exe 23,664 bytes
1796E908A782FBB445C96D88F4B84D9D original.doc 45056 bytes
 as a password protected archive (please contact me if you need the password)


From: macnews [mailto:macnews@mac.gov.tw]
Sent: Saturday, February 20, 2010 10:49 PM
To: XXXXXXXXXXXXXX
Subject: 陸委會一週行程一覽表

您好!
附件檔為陸委會一週行程一覽表(新增2/17賴主委行程)新聞參考資料,  提供您參考!

行政院大陸委員會聯絡處 敬上



Google Translate
From: macnews [mailto: macnews@mac.gov.tw]Sent: Saturday, February 20, 2010 10:49 PMTo: XXXXXXXXXXXXXXXXXSubject: MAC list of the week itineraryHello!Attachment file for the Mainland Affairs Council, a list of one week trip (new 2 / 17 Lai, chairman of the stroke) news references for your reference!
 
Sincerely, the Executive Yuan's Mainland Affairs Council Liaison Office

Headers
Received: from CC-8575FC5050CF (61-221-98-169.HINET-IP.hinet.net [61.221.98.169])
    by msr29.hinet.net (8.9.3/8.9.3) with SMTP id LAA27251
    for  XXXXXXXXXXXXX   Sun, 21 Feb 2010 11:50:19 +0800 (CST)
Reply-To: macnews@mac.gov.tw
From: "macnews"
To: XXXXXXXXXXXXXXXXXXXXXXXX
Subject: =?BIG5?B?s7CpZbd8pEC2Z6bmtXukQMT9qu0=?=
Date: Sun, 21 Feb 2010 11:48:35 +0800
Message-Id:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_10022111450473483032267_000"
X-Priority: 3
X-Mailer: OutLook   6.1.1.0

61.221.98.169
HiNet Chunghwa Telecom Co., Ltd. Data Communication Business Group (HiNet)inetnum: 61.221.98.160 - 61.221.98.175
netname: CHANGHUA-SOCIEPT-NT-TW
descr: International Changhua Society Educate Nantou Society Educate Workstation
descr: Nantou City County Taiwan
country: TW
admin-c: GRC2-TW
tech-c: GRC2-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: network-adm@hinet.net 20011002
status: ASSIGNED NON-PORTABLE
source: TWNIC

Saturday, February 20, 2010

Slow / busy days

I noticed a significant reduction of targeted mailings during the past week - from many a day to zero. That's right, there were zero arrivals/submissions all week. We get most of targeted email from Asia and it just occurred to me that maybe the Lunar New Year (aka Chinese New Year) and more than two weeks of associated festivities is the reason - much in the same way as weekends I wrote about before. There is no scientific proof, it is just an idle observation. If I am correct, I don't know if sending malware laden messages would bring bad luck to the sender for the whole year or there is some other superstition at play, or they are just busy.  The New Year celebrations continue for 15 days, I am curious if I see anything new next week, or week after that, or all the malware malings stopped forever =)

I do have a lot of older messages and malware items to post and I have not been posting many for the lack of time during the past week. I will soon.

I wish everyone Happy New Year. Please accept our best wishes for the year of the Tiger.


Tuesday, February 16, 2010

Malware links (ESET NOD32 virus names)

  •  Mar 5 hxxp://www.sciences-po.org/ contains HTML/ScrInject.B.Gen virus.
  • Feb 24 hxxp://www.raktor.net/exeHelper/exeHelper.com contains probably a variant of Win32/Agent trojan.
  •  Feb 18 hxxp://www1.fast-pc-scanner.in/build6_258.php?cmd=sendFile&counter=1&p=p52dcWppcF/Cj8bYboNuilik12qYVp/Zatrau4FdlJ/JnsWYeHpfqKygdZ6SYJjHZ2dil2lviqDWkaTboKCViaJ0WKrO1c+eb1qfnaSZdV/XlsndblaWpG9rnFuTYGCUXpmSlGprWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bMopmjb5vTh8Smom+coKGZpq2ek83YlpacrF+Zio7PoGvYmdah0qOeYKPU28ylnpVeZ3mZpma2gImZcp+TmpubzY7OVpHTnZ7M1m6xc4iLwtCpbaV2oZmmo2TYjtbKXKWbWpOl1GjDoW3MU8TR02yYo5+iyJZfk6Gpb6eldV/VoKGXY2ZjaGRrlV6WVqTZX6CVlWdtZmiYkpRtWJeccY2H contains a variant of Win32/Kryptik.CLM trojan
  • Feb. 16 hxxtp://google.analytics.com.zelhnalbivd.info/kav/kav3 .asp/eHbcb9bc6cV0100f070006R111090bf102Tf7c2bdef201l0409K80667147318J130204010 contains a variant of Win32/Kryptik.CKT trojan.
  • Feb 15 hxxp://www.usakpedia.com/default.asp contains JS/TrojanDownloader.Agent.NSA
========================================================
  • Feb. 05 hxxp://klaikius.com/news/index.php contains JS/Exploit.Agent.AGC trojan.
  • Feb. 05  hxxp://arra.servehttp.com/nc.jar contains multiple threats. 
  • Feb. 05 hxxp://yvuxksuk.cn/10/andEthics.jar contains probably a variant of Java/TrojanDownloader.Agent.AB trojan.
  •   hxxp://yvuxksuk.cn/10/exactPointMiddle.pdf contains JS/Exploit.Pdfka.NRF trojan. 
  • Feb. 5 hxxp://klaikius.com/news/index.php contains JS/Exploit.Agent.AGC trojan.
  • Feb. 5 hxxp://huliganseres.net//pdf.php contains JS/Exploit.Pdfka.NQQ trojan.
  • Feb. 5 hxxp://www.cald.org/site/js/ddaccordion.js contains JS/TrojanDownloader.Agent.NRO trojan.
  • Feb. 5 hxxp://www.drr.gov.bd/ contains JS/TrojanDownloader.Agent.NRL trojan.
  • Feb. 5  hxxp://www.reflecttass.com.br/unicor/MailboxMicrosoft09328.zip contains a variant of Win32/TrojanDownloader.Banload.OEL trojan.
  •  =============================
  • hxxp://google.analytics.com.jvoamkvyxv.info/nte/avorp1kav1.html/oU230d9c2eHbcb9bc6cV0100f070006R8bbc0d14102Tf7d8079a201l0409Kdbd3cfa3317 contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp://www.cald.org/site/js/jquery-1.js contains JS/TrojanDownloader.Agent.NRO trojan.
  •  hxxp://ww2.millages.net/pqothqzoetqopww/xd/pdf.pdf contains PDF/Exploit.Gen trojan.
  •   hxxp://eiypqcionpdv.com/nte/avorp1kav1.php/oU230d9c2eHbcb9bc6cV03007f35002Re5e732c2102Tf7e6c576Q00000000901801F00000000J11000601l0409K7044875f317  -contains JS/Exploit.Pdfka.ASD trojan.
  •   hxxp://ditrnbibarsp.com/kav/KAV1.php/oHbcb9bc6cV0100f070006Rf129df8a102Tf7e753eb201l0409K9395be4b317 contains JS/Exploit.Pdfka.ASD trojan.
  •  hxxp://google.com.analytics.qehtsmuqcun.com/nte/trest11/oHbcb9bc6cV0100f070006Rac213110102Tf7e428df201l0409K0dedc3c0317 contains JS/Exploit.Pdfka.ASD trojan.
  •  hxxp://www.marines.cc/data.js contains JS/TrojanDownloader.Agent.NRK trojan.
  •    hxxp://www.reflecttass.com.br/unicor/MailboxMicrosoft09328.zip contains a variant of Win32/TrojanDownloader.Banload.OEL trojan.
  •   hxxp://www.drr.gov.bd/ contains JS/TrojanDownloader.Agent.NRL trojan
  •   hxxp://google.com.analytics.gfjpoiqgcun.com/nte/TREST11.py/oHbcb9bc6cV0100f070006Rac213110102Tf7ec50ba201l0409K848c964d317 contains JS/Exploit.Pdfka.ASD trojan
  •  hxxp://www.deaf-video.de/3c55ea9320fcadfabb79d08f91bef510/.a1/pdf.php contains PDF/Exploit.Pidief.OJS.Gen trojan   (manual[1].pdf)
   

Monday, February 15, 2010

MD5 / SHA1 / CRC32 hashes of files available upon request (Malicious mail attachments - MS Office, PDF, and others)

Malicious mail attachments - MS Office, PDF, and others

The following files are available for research upon request. Please check the malware list first, some of them are already listed with download links. 

All these files were scanned with Virustotal. Use VT hash search for more details. I will add more files later.

Full list of files





MD5 / SHA1 / CRC32 hashes of files available upon request (Client side malware, tools, dropped files, etc)

Client side - malware, potentially unwanted applications, and tools

These files are available for research upon request. 

All these files were scanned with Virustotal. Use VT hash search for more details.

If you need information about these files (origin or associated files), email me, I might have a few things to say

Full list of files ---




MD5 / SHA1 / CRC32 hashes of files available upon request (from Malware kits)

These binaries are part of various trojans and malware kits. Full kits / programs / sources are available for research upon request.

Malware kits -  binaries only listed. Some of them were scanned with Virustotal at some point. Use VT hash search for more details

Full list of files





Wednesday, February 10, 2010

Feb 10 CVE-2009-4324 Rep. Mike Castle faking @ssd.com sender 2010-02-10 10:08 AM

This post is to be continued...


According to  Villy (thanks, Villy :)) the file contains two embedded pdfs - one small with js exploiting CVE-2009-4324 and one larger clean file. There is also a xored exe between those two files.
It is a very nice package.



 
From:[Redacted] [mailto:[Redacted]@gmail.com]
Sent: 2010-02-10 10:08 AM
Subject: Rep. Mike Castle

Attached is an invitation for a February 15 reception honoring Rep. Mike Castle (R-De) in his candidacy for the U.S. Senate.   I hope you will be able to join us.

Although his expected Democrat opponent has dropped out of the race, the New Castle County Executive has already announced his intention to seek the Democractic nomination.  Hence, Mike's political situation is strong, but the Democrats are expected to make a full scale contest out of this race.

Presuming your support, Mike will make a great contribution in the Senate for Delaware and the Country.

Please send your response to me at: [Redacted]@gmail.com

All best,

[Redacted]
[Redacted]
[Redacted]@ssd.com

Direct: +1.[Redacted]
Fax: +1.[Redacted]
Mobile: +[Redacted]

Squire Sanders Public Advocacy, LLC
a wholly owned non-law firm affiliate of
Squire, Sanders & Dempsey L.L.P.
Suite 500
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004

sspa.ssd.com

Squire Sanders|Legal Counsel Worldwide
32 Offices in 15 Countries
Cincinnati • Cleveland • Columbus • Houston • Los Angeles • Miami • New York • Palo Alto • Phoenix • San Francisco • Tallahassee • Tampa • Tysons Corner • Washington DC • West Palm Beach | Bogotá+ • Buenos Aires+ • Caracas • La Paz+ • Lima+ • Panamá+ • Rio de Janeiro • Santiago+ • Santo  Domingo • São Paulo | Bratislava • Brussels • Bucharest+ • Budapest • Dublin+ • Frankfurt • Kyiv • London • Moscow • Prague • Riyadh+ • Warsaw | Beijing • Hong Kong • Shanghai • Tokyo
+Independent Network Firm

NOTICE: This email message and all attachments transmitted with it are intended solely for the use of the addressees and may contain legally privileged, protected or confidential information. If you have received this message in error, please notify the sender immediately by email reply and please delete this message from your computer and destroy any copies.


IRS Circular 230 Notice: To comply with U.S. Treasury regulations, we advise you that any U.S. federal tax advice included in this communication is not intended or written to be used, and cannot be used, to avoid any U.S. federal tax penalties or to promote, market, or recommend to another party any transaction or matter.


Original PDF
 http://www.virustotal.com/analisis/70f43ed12ff8c48156f5d1ad9e09f12ecbcff77f64bbc8a2f58566e3e9f3c06f-1265828519
  File Invitation_to_Mike_Castle_Event.p received on 2010.02.10 19:01:59 (UTC)
Result: 1/41 (2.44%)
Sophos     4.50.0     2010.02.10     Mal/PDFEx-D
File size: 325206 bytes
MD5   : 7775e7ade13d73919e8dca4695ae7d0a

The first unpacked pdf 1.pdf with CVE-2009-4324
http://www.virustotal.com/analisis/e83a2b658f404731e314a8646e258d17a383ac474564c3d5f6ccd36ad2a93c3d-1266008863
Result: 5/41 (12.2%)
Loading server information...
Avast    4.8.1351.0    2010.02.12    JS:Pdfka-gen
BitDefender    7.2    2010.02.12    Exploit.PDF-JS.Gen
GData    19    2010.02.12    Exploit.PDF-JS.Gen
nProtect    2009.1.8.0    2010.02.12    Exploit.PDF-JS.Gen.C02
Sunbelt    5671    2010.02.11    Exploit.PDF-JS.Gen (v)

File size: 7221 bytes
MD5...: caf3ff27a9688097cf13906c117513ef

1.pdf shellcode (again by Villy)

More flowers with some poison ivy


Mikko Hyppönen from F-Secure posted today a nice postcard with a cute tiger and flowers. Gunther (thank you:)) sent one just like Mikko's as a present to Contagio and now you can enjoy them too.


What is interesting is that I have this file already except I received it as a boring "project.pdf"  (Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted]@state.gov 13 Jan 2010 06:17:21 -0000). Of course it is identical to the postcard, despite the uninspiring name.

Update March 8, 2010 -a few additional details thanks to an anonymous contributor. (scroll down)




Download  116d92f036f68d325068f3c7bbf1d535.pdf as a password protected archive (please contact me if you need the password)

Download Javascript, shellcode, stage2 shellcode and dropped exe (scroll down for more information)






Virustotal
File 116d92f036f68d325068f3c7bbf1d535.txt received on 2010.02.09 16:24:16 (UTC)
Result: 21/41 (51.22%)
a-squared 4.5.0.50 2010.02.09 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2010.02.09 PDF/Exploit
Authentium 5.2.0.5 2010.02.09 PDF/Expl.FO
BitDefender 7.2 2010.02.09 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.02.09 Expoit.PDF.FlateDecode
ClamAV 0.96.0.0-git 2010.02.09 Exploit.PDF-9757
Comodo 3876 2010.02.09 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.02.09 Exploit.PDF.687
eSafe 7.0.17.0 2010.02.09 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.02.09 Exploit.PDF-JS.Gen
GData 19 2010.02.09 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.02.09 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.02.09 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.02.09 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5406 2010.02.09 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.02.09 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.02.09 Trojan.Pidief
Sophos 4.50.0 2010.02.09 Troj/PDFJs-GQ
Symantec 20091.2.0.41 2010.02.09 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.02.09 TROJ_PDFKA.AK
File size: 149706 bytes
MD5   : 116d92f036f68d325068f3c7bbf1d535

Wepawet detects it as project.pdf
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
Analysis report for Project.pdf
Sample Overview
File Project.pdf
MD5 116d92f036f68d325068f3c7bbf1d535
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 benign


F-Secure already pointed out that it generates traffic to 202.150.213.12. 
Indeed, a lot of traffic on port 443

      Hostname:    202-150-213-12.rev.ne.com.sg
      ISP:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Organization:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Country:    Singapore
      State/Region:    00
      City:    Singapore

Update March 8, 2010 
Here are a few additional details (thanks to an anonymous contributor)
Shellcode imports via ror7 hashes, 
SetFilePointer, GetFileSize, ReadFile, VirtualAlloc.
http://www.google.com/search?q=0xdbacbe43

The GetFileSize filehandle brute force is not exact, but it additionally checks for signature "0x909083c0" at 0x1510 (location of 2nd stage shellcode).
2nd stage shellcode: xor decrypts itself (0x97) for 0x700 bytes.
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.shellcode-stage2.bin skip=5392 bs=1 count=4096
skip decryption stub (0x1b) and xor the rest with 0x97.

Imports via ror7 hashes:
GetModuleFileNameA
GetFileSize
SetFilePointer
CreateFileA
ReadFile
WriteFile
CloseHandle
WinExec
GetTempPathA
CreateProcessA
GetCurrentProcess
TerminateProcess

Gets filehandle to pdf by exact filesize (0x248CA, 149706) reads from file @ 0x6BCE file size 0x906E
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.exe.bin bs=1 skip=27598 count=36974
The last byte of the size (0x6E) is used as xor key, on every byte the key is decreased with 1.
( this is something you can add to your heuristics)

 After that the embedded pdf is decrypted, Acrobat reader starts while the old process gets terminated. 

Monday, February 8, 2010

List of Aurora / Hydraq / Roarur files

I see multiple searches for Hydraq MD5 information leading to this post -Trojan.Hydraq detection and naming so I am adding a few things now.
McAfee issued a guide outlining all the symptoms of Aurora infection "How Can I Tell if I Was Infected By Aurora?"

Links to Virustotal
The list of files provided by McAfee is the following
You also may have the following files or same name files but different MD5 hash

Additional - list from ANTY Security

* Password protected archive, please contact me for the password if you need it.

Friday, February 5, 2010

Contact me If you are the one who submitted binary 09E25BB934D8523FCCD27B86FBF4F8CE to ThreatExpert

 I will tell you what it is, if you don't know and I will seek more information if you have.
 09E25BB934D8523FCCD27B86FBF4F8CE
 
http://www.threatexpert.com/report.aspx?md5=09e25bb934d8523fccd27b86fbf4f8ce

Submission received: 2 February 2010, 14:03:33
Processing time: 5 min 58 sec
Submitted sample:
File MD5: 0x09E25BB934D8523FCCD27B86FBF4F8CE
File SHA-1: 0xA51D560158E3D35B1618D236C28AE0B722AC7CC0
Filesize: 215,552 bytes
 Technical Details:
  File System Modifications
The following file was created in the system:
# Filename(s) File Size File Hash
1 [file and pathname of the sample #1]  215,552 bytes MD5: 0x09E25BB934D8523FCCD27B86FBF4F8CE
SHA-1: 0xA51D560158E3D35B1618D236C28AE0B722AC7CC0

Thursday, February 4, 2010

Feb 04 Downloader Trojan "Friends say I am free" from joan@fguang.com

This came as a rar archive with a password featured on the postcard 12ab34.What does the postcard say - can anyone translate? This is a lame and huge (2mb) mailing but maybe exe will be of interest for someone, it has a very low detection rate.

Download a694466ea431046d2a063db37390abea Content. Exe - 内容.exe as a password protected archive (contact me for the password if you need it)



Friends say I am free

From: joan [mailto:joan@fguang.com]
Sent: Thursday, February 04, 2010 12:35 PM
To: XXXXXXXXXXXXX
Subject: 朋友们说 我很自由














CW Sandbox
http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=51263117&cs=7F3CF650FE8908CE7DC291901D7A2878


Anubis
http://anubis.iseclab.org/?action=result&task_id=19d68eaed2090ba344d36653cc1feb143&call=first

Virustotal
 http://www.virustotal.com/analisis/9c9743d33025cd50910dfef8a7c2f1560e3d45b85e2871a357b47ccd66749c9a-1265695511
Result: 3/40 (7.5%)
eSafe 7.0.17.0 2010.02.07 Win32.TrojanHorse
F-Secure 9.0.15370.0 2010.02.09 Suspicious:W32/Riskware!Online
Sophos 4.50.0 2010.02.09 Troj/DwnLdr-IAE
File size: 1536904 bytes
MD5...: a694466ea431046d2a063db37390abea

Feb. 1 DarkMoon-B Video.exe with 222.35.137.193 from masao_tomikawas@yahoo.com 2/1/2010 2:43 AM

This is just an exe (PE32 executable for MS Windows) in zip archive. From China and connecting back to China. Not very creative.

Download Video.exe as a password protected archive (please contact me if you need the password)




From: masao_tomikawas@yahoo.com [mailto:masao_tomikawas@yahoo.com]
Sent: Monday, February 01, 2010 2:43 AM
To: 
Subject: Press(Quake aid starts to arrive for desperate Haitians)
 

PORT-AU-PRINCE, Haiti (AP) - Desperately needed aid from around the world slowly made its way Thursday into Haiti, where supply bottlenecks and a leadership vacuum left rescuers scrambling on their own to save the trapped and injured and get relief supplies into the capital.
..............

see the full text in the end of the post

Headers
Received: (qmail 17548 invoked from network); 1 Feb 2010 07:43:09 -0000
Received: from unknown (HELO fisherxp-pc.domain) (218.67.128.26)
  by XXXXXXXXXXXXXX SMTP; 1 Feb 2010 07:43:09 -0000
Received: from 1428151.com ([127.0.0.1]) by 1428151.com ([127.0.0.1]) with SMTPSVC;
     Mon, 01 Feb 2010 15:43:07 +0800
Message-ID: <6dd17374c7e8d17543324b690c0db2e7@yahoo.com>
From:
To: XXXXXXXXXXXXXXXXXXXXXXXX
Subject: =?gb2312?B?UHJlc3MoUXVha2UgYWlkIHN0YXJ0cyB0byBhcnJpdmUgZm9yIGRlcw==?=
    =?gb2312?B?cGVyYXRlIEhhaXRpYW5zKQ==?=
Date: Mon, 01 Feb 2010 15:43:07 +0800

      Hostname:    218.67.128.26
      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      City:    Tianjin


Wednesday, February 3, 2010

Feb 3 CVE-2009-0927 Former Minister of Finance Paulson's comments on Obama's $3.8 trillion budget from Simonbaker@aol.com

Download 2366453EE94A7BA4D296FA4E710ED805-CommentsOnObama2010budget as password protected archive (please contact me if you need the password)

From: Simon Baker [mailto:Simonbaker@aol.com]
Sent: Wednesday, February 03, 2010 10:04 PM
Subject: Former Minister of Finance Paulson's comments on Obama's $3.8 trillion budget

Hi,

If you have read Paulson's comments, you know how ridiculous Obama's $3.8 trillion budget is.
Please do not vote for members of support budget in November's elections.

Best regards

Virustotal
http://www.virustotal.com/analisis/783a6934a1c12c31f874f8246aa44c07d010480546bcb263fb3f090337a6874a-1266495353
 File CommentsOnObama2010budget.pdf received on 2010.02.18 12:15:53 Result: 18/41 (43.91%)
a-squared    4.5.0.50    2010.02.18    Exploit.Win32.Pidief!IK
AhnLab-V3    5.0.0.2    2010.02.17    PDF/Exploit
AntiVir    8.2.1.170    2010.02.18    HTML/Silly.Gen
Antiy-AVL    2.0.3.7    2010.02.18    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.02.18    PDF/UtlPtf.B!Camelot
Avast    4.8.1351.0    2010.02.18    JS:Pdfka-ME
BitDefender    7.2    2010.02.18    Exploit.PDF-JS.Gen
ClamAV    0.96.0.0-git    2010.02.18    Exploit.PDF-11669
Comodo    3980    2010.02.18    TrojWare.Win32.Exploit.Pidief.bxf
Kaspersky 7.0.0.125 Exploit.Win32.Pidief.bxf

eSafe    7.0.17.0    2010.02.17    PDF.Exploit
F-Secure    9.0.15370.0    2010.02.18    Exploit.PDF-JS.Gen
GData    19    2010.02.18    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.80.0    2010.02.18    Exploit.Win32.Pidief
McAfee-GW-Edition    6.8.5    2010.02.18    Script.Silly.Gen
Sophos    4.50.0    2010.02.18    Troj/PDFJS-BX
Sunbelt    5684    2010.02.18    Exploit.PDF.Pidief (v)
VirusBuster    5.0.27.0    2010.02.18    JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5...: 2366453ee94a7ba4d296fa4e710ed805



Wepawet
 http://wepawet.cs.ucsb.edu/view.php?hash=2366453ee94a7ba4d296fa4e710ed805&type=js
 File    CommentsOnObama2010budget.pdf
MD5    2366453ee94a7ba4d296fa4e710ed805
Analysis Started    2010-02-18 04:18:06
Report Generated    2010-02-18 04:21:39
Jsand 1.02.02    malicious
Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927




Feb. 3 CVE-2009-4324 Maritime Disputes in East Asia from wozniak@yahoo.com 03 Feb 2010 05:19:02 PST


Download 1f2cc9238129512c6f118ffdfec79189 - East China Sea 2010-1.pdf as a password protected archive (please contact me if you need the password)

Details: 1f2cc9238129512c6f118ffdfec79189 -  East China Sea 2010-1.pdf

From: Natalie S. Wozniak [mailto:natalies.wozniak@yahoo.com]
Sent: Wednesday, February 03, 2010 8:56 AM
Subject: Maritime Disputes in East Asia

Colleague,

I was able to secure permission to forward you the attached CRS report on Maritime Disputes in East Asia; just came out today. They intentionally kept it short report, in hopes that it would increase its readership. 

Please share with your colleagues. Also, please share their comments, observations and questions.

Best,

Natalie

Headers
Message-ID: <242520.45817.qm@web114111.mail.gq1.yahoo.com>
 ....
Received: from [69.197.151.114] by web114111.mail.gq1.yahoo.com via HTTP; Wed, 03 Feb 2010 05:19:02 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/0.8.100.260964
Date: Wed, 3 Feb 2010 05:19:02 -0800 (PST)
From: "Natalie S. Wozniak"
Subject: Maritime Disputes in East Asia
To: XXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-410636181-1265203142=:45817"
  

Lookup IP Address: 69.197.151.114
General Information
Hostname: server.gvd.tw
ISP: WholeSale Internet
Organization: Max Dmitry
Country: United States  
State/Region: MO
City: Kansas City