Tuesday, February 23, 2010

Feb 20 CVE-2006-2492 MS Word w Trojan.Buzus.U Mainland Affairs Council list of the week itinerary from

Download 20100214陸委楔@週活動一覽表(新增).doc as a password protected archive (please contact me if you need the password)

Details D05E0400B62687B5796C5D1B5CCDF6EE -- 20100214陸委楔@週活動一覽表(新增).doc

Update March 3, 2010  Abhishek Lyall (thank you!) provided additional details for this sample:
"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13 but only first 564 bytes of the binary file are XOR'ed rest of the file is same. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with exploit, which starts from offset 0xC010.  The size of the file is 45056 bytes. Note the doc headers start from "0xD0CF11E0"  but the doc file attached with the exploit has headers starting from "0xCFD0E011". This means when the doc file is dropped in %temp% the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."

Analysis of the binary 
096239F5CF4E1255634F3F2E7DE8824E - WinHttp.exe 23,664 bytes
1796E908A782FBB445C96D88F4B84D9D original.doc 45056 bytes
 as a password protected archive (please contact me if you need the password)

From: macnews []
Sent: Saturday, February 20, 2010 10:49 PM
Subject: 陸委會一週行程一覽表

附件檔為陸委會一週行程一覽表(新增2/17賴主委行程)新聞參考資料,  提供您參考!

行政院大陸委員會聯絡處 敬上

Google Translate
From: macnews [mailto:]Sent: Saturday, February 20, 2010 10:49 PMTo: XXXXXXXXXXXXXXXXXSubject: MAC list of the week itineraryHello!Attachment file for the Mainland Affairs Council, a list of one week trip (new 2 / 17 Lai, chairman of the stroke) news references for your reference!
Sincerely, the Executive Yuan's Mainland Affairs Council Liaison Office

Received: from CC-8575FC5050CF ( [])
    by (8.9.3/8.9.3) with SMTP id LAA27251
    for  XXXXXXXXXXXXX   Sun, 21 Feb 2010 11:50:19 +0800 (CST)
From: "macnews"
Subject: =?BIG5?B?s7CpZbd8pEC2Z6bmtXukQMT9qu0=?=
Date: Sun, 21 Feb 2010 11:48:35 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-Mailer: OutLook
HiNet Chunghwa Telecom Co., Ltd. Data Communication Business Group (HiNet)inetnum: -
descr: International Changhua Society Educate Nantou Society Educate Workstation
descr: Nantou City County Taiwan
country: TW
admin-c: GRC2-TW
tech-c: GRC2-TW
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at
changed: 20011002
source: TWNIC

Analysis screenshot by Abhishek Lyall

Result: 11/41 (26.83%)

a-squared    2010.02.23    Trojan-Dropper.MSWord.Agent!IK
Authentium    2010.02.23    MSWord/Dropper.B!Camelot
BitDefender    7.2    2010.02.23    Exploit.MSWord.Ginwui.Gen
eTrust-Vet    35.2.7321    2010.02.23    W97M/MS03-050!exploit
F-Prot    2010.02.22    CVE-2006-2492
F-Secure    9.0.15370.0    2010.02.23    Exploit.MSWord.Ginwui.Gen
GData    19    2010.02.23    Exploit.MSWord.Ginwui.Gen
Ikarus    T3.    2010.02.23    Trojan-Dropper.MSWord.Agent
Kaspersky    2010.02.23
nProtect    2009.1.8.0    2010.02.23    Exploit.MSWord.Ginwui.Gen
Rising    2010.02.11    Hack.Exploit.Win32.Agent.piq
File size: 94224 bytes
MD5...: d05e0400b62687b5796c5d1b5ccdf6ee

Shellcode detected at 10240 479 bytes
Embedded Executable: LoadLibraryA [31932]
Embedded Executable: GetModuleHandleA [31948]
Embedded Executable: GetProcAddress [31900]
Embedded Executable: user32.dll [32076]
Embedded Executable: KERNEL32 [32036]
Embedded Executable: ExitProcess [31918]

Processing "/home/vicheck/viruses/d05e0400b62687b5796c5d1b5ccdf6ee.virus":
# Microsoft Office Word �ĵ� (MSWordDoc, 31.10.2007 01:18:10, rev 18�)
  Title: ���
  Authress: 11� (former: test���)
  Organization: ss�
  Application: Microsoft Office Word��
  Created: 25.1.2006 08:30:00
  Last saved: 31.10.2007 01:18:00

No comments:

Post a Comment