Wednesday, March 10, 2010

Mar 10 CVE-2010-0188 PDF March Luncheon Invitation_FINAL from ikhtnamzels@yahoo.com

Expect the code in this file to differ from the code in invitation.pdf described in the Mar 9 post (CVE-2010-0188 PDF exploit demo). The lure is a formal invitation letter.


From: Isidore Klinkenborg [mailto:ikhtnamzels@yahoo.com]
Sent: Wednesday, March 10, 2010 5:34 AM
To: MKoehler-Vice President Office Marc
Subject: 2010 March Luncheon Invitation_FINAL

attached is the copy of the formal invitation letter and response card.
Meanwhile We have send you the formal invitation letter by post
according to your correspondence address. Please check your mailbox in the
next few days.

Sincerely yours
Isidore





VirusTotal scans: detections go from 0 to 8 (of 42 engines) over the course of 7 days.

March 10 
Result: 0/42 (0.00%)
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268219156

March 11
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268311817
File 2010_March_Luncheon_Invitation_FI  received on 2010.03.11 12:50:17 (UTC)
Result: 1/42 (2.38%)
Symantec     20091.2.0.41     2010.03.11     Trojan.Pidief.I
File size: 162579 bytes
MD5   : 3639f34ad463932ab8ebad3e57421a97
SHA1  : 1a8a44c122449cf586419cfc5d6f36093e175037

Update: March 17
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268854486
File 2010_March_Luncheon_Invitation_FI  received on 2010.03.17 08:04:19 (UTC)
Result: 8/42 (19.05%)
AhnLab-V3     5.0.0.2     2010.03.16     PDF/Exploit
AntiVir     8.2.1.180     2010.03.16     EXP/Pidief.dbj
eTrust-Vet     35.2.7368     2010.03.17     PDF/Pidief.PU
Kaspersky     7.0.0.125     2010.03.17     Exploit.Win32.Pidief.dbi
McAfee-GW-Edition     6.8.5     2010.03.16     Exploit.Pidief.dbj
Microsoft     1.5605     2010.03.17     Exploit:Win32/Pdfjsc.gen!B
Sophos     4.51.0     2010.03.17     Troj/PDFJs-II
Symantec     20091.2.0.41     2010.03.17     Trojan.Pidief.I
File size: 162579 bytes
MD5   : 3639f34ad463932ab8ebad3e57421a97

Relevant header info
Received: from [222.122.12.31] by web114207.mail.gq1.yahoo.com via HTTP; Wed, 10 Mar 2010 02:34:05 PST
X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964


Robtex.com

google-analyt1cs.com (a look-alike of google-analytics.com) points to 222.122.12.31, which is blacklisted in five lists.
      Hostname:    222.122.12.31
      ISP:    Korea Telecom
      Organization:    Korea Telecom
      Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul
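The header triage above (webmail Received hop, X-Mailer, sender IP cross-checked against the Robtex finding) as an added Python example; this is not code from the original post. The receiving MX hop in the sample header block is constructed, and the indicator table is a fixed lookup built from this post, not a live reputation feed.

```python
import re

# Indicators quoted in this post (a constructed lookup, not a live reputation feed).
INDICATORS = {
    "222.122.12.31": "Korea Telecom; also serves google-analyt1cs.com; on five blocklists",
}

# Yahoo webmail records the submitting browser's address as
# "Received: from [a.b.c.d] by webNNN.mail.<pod>.yahoo.com via HTTP; <date>".
WEBMAIL_HOP = re.compile(
    r"^Received:\s*from\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s+(?P<host>\S+)\s+via\s+HTTP",
    re.IGNORECASE,
)

def unfold(raw_headers):
    """Join RFC 5322 folded continuation lines so each header is one line."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def triage(raw_headers):
    """Return the webmail submission IP, the relay that recorded it, the X-Mailer
    string and indicator hits; the bottom-most webmail hop is the earliest one."""
    result = {"origin_ip": None, "via": None, "x_mailer": None, "hits": {}}
    for line in unfold(raw_headers):
        m = WEBMAIL_HOP.match(line)
        if m:  # keep overwriting: relays prepend, so the last match is the earliest hop
            result["origin_ip"], result["via"] = m.group("ip"), m.group("host")
        elif line.lower().startswith("x-mailer:"):
            result["x_mailer"] = line.split(":", 1)[1].strip()
    if result["origin_ip"] in INDICATORS:
        result["hits"][result["origin_ip"]] = INDICATORS[result["origin_ip"]]
    return result

# Constructed header block: the first hop is an invented receiving MX; the
# Received and X-Mailer lines below it are the ones quoted in this post.
SAMPLE_HEADERS = """\
Received: from web114207.mail.gq1.yahoo.com (web114207.mail.gq1.yahoo.com)
\tby mx.example.invalid with SMTP; Wed, 10 Mar 2010 02:34:07 -0800
Received: from [222.122.12.31] by web114207.mail.gq1.yahoo.com via HTTP;
 Wed, 10 Mar 2010 02:34:05 PST
X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```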

Neeraj from the Hypersecurity blog published an analysis of this sample: CVE-2010-0188 Adobe Reader TIFF vulnerability.
