Thursday, March 25, 2010

Mar 25 CVE-2010-0188 PDF Re: conference memo from

Download c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password-protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF 

This is a fabricated conversation; the quoted "reply" below the real message is a mildly interesting social-engineering trick, lending the attachment a history it never had.
From: Lee []
Sent: Thursday, March 25, 2010 11:11 PM
Subject: Re: conference memo

Who are you? What do you mean? This conference memo is nothing with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:
Hey, this is the last conference memo. After reading it, pls send it to Mr Francis, and delete this mail ASAP.


Virustotal report
 File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
Result: 4/42 (9.53%)
F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
PCTools    2010.03.28    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
File size: 76137 bytes
MD5...: c9c89ebc508c783defe7042eb9c0e5cc

parsed with  

Tested on Windows XP SP2, Adobe Reader 9.3.0

The following files were created (path, MD5, size):
%Temp%\conference memo.PDF -- 648b226141fe0304838a6ffc2f2332d0 -- 41094 bytes
%Temp%\temp.tmp -- 3fbd522785b2a14135ab516fb3026c9e -- 24064 bytes
%Temp%\xxx.exe -- 91c0a14b4eaa604c7c1b2ca5252c1941 -- 40750 bytes
%Temp%\~.exe -- 4bcfd4e7b25eab26bca0df684e66603a -- 31744 bytes

temp.tmp is injected into explorer.exe
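To make the dropped-file list above directly usable by a responder, here is an added Python example (not part of the original post) that hashes every file under a directory, by default the user's %Temp%, and reports any file whose MD5 matches one of the four hashes listed above, flagging whether the size also matches. The function and table names are my own; the hashes and sizes come from the post.

```python
import hashlib
import os
from typing import Dict, List, NamedTuple, Optional, Tuple

# Indicators taken from the post: MD5 -> (dropped file name, size in bytes).
# MD5 is used only because those are the hashes the post publishes; for IoC
# lookups against published values that is sufficient.
DROPPED_FILE_IOCS: Dict[str, Tuple[str, int]] = {
    "648b226141fe0304838a6ffc2f2332d0": ("conference memo.PDF (decoy)", 41094),
    "3fbd522785b2a14135ab516fb3026c9e": ("temp.tmp", 24064),
    "91c0a14b4eaa604c7c1b2ca5252c1941": ("xxx.exe", 40750),
    "4bcfd4e7b25eab26bca0df684e66603a": ("~.exe", 31744),
}


class Match(NamedTuple):
    path: str
    md5: str
    size: int
    ioc_name: str
    size_matches: bool  # False means same hash but unexpected size: worth a second look


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory blob."""
    return hashlib.md5(data).hexdigest()


def check_digest(path: str, digest: str, size: int,
                 iocs: Dict[str, Tuple[str, int]]) -> Optional[Match]:
    """Return a Match if the digest is in the IoC table, else None."""
    entry = iocs.get(digest)
    if entry is None:
        return None
    name, expected_size = entry
    return Match(path, digest, size, name, size == expected_size)


def scan_files(files: Dict[str, bytes],
               iocs: Dict[str, Tuple[str, int]] = DROPPED_FILE_IOCS) -> List[Match]:
    """Check a mapping of path -> contents (handy for tests and for carved files)."""
    hits: List[Match] = []
    for path, data in files.items():
        m = check_digest(path, md5_of_bytes(data), len(data), iocs)
        if m is not None:
            hits.append(m)
    return hits


def scan_directory(directory: Optional[str] = None,
                   iocs: Dict[str, Tuple[str, int]] = DROPPED_FILE_IOCS) -> List[Match]:
    """Walk a directory (default: %Temp% on Windows, /tmp elsewhere), hashing files in chunks."""
    if directory is None:
        directory = os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    hits: List[Match] = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            h = hashlib.md5()
            size = 0
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
                        size += len(chunk)
            except OSError:
                continue  # unreadable, locked or vanished file: skip it
            m = check_digest(path, h.hexdigest(), size, iocs)
            if m is not None:
                hits.append(m)
    return hits


if __name__ == "__main__":
    for hit in scan_directory():
        print(f"{hit.path}: matches {hit.ioc_name} (size ok: {hit.size_matches})")
```

Run it on a suspect host's %Temp% (or on a mounted image with the directory argument); a hash hit with a wrong size usually means a truncated or partially overwritten copy rather than a false positive, which is why the size check is reported separately instead of silencing the match.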
File xxx.exe received on 2010.03.28 15:38:47 (UTC)
Result: 2/42 (4.77%)
Panda 2010.03.28 Suspicious file
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 40750 bytes
MD5...: 91c0a14b4eaa604c7c1b2ca5252c1941
File temp.tmp received on 2010.03.28 15:38:25 (UTC)
Result: 3/42 (7.15%)
AntiVir 2010.03.26 HEUR/Malware
McAfee-GW-Edition 6.8.5 2010.03.27 Heuristic.BehavesLike.Win32.Keylogger.L
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 24064 bytes
MD5...: 3fbd522785b2a14135ab516fb3026c9e

File conference_memo.PDF received on 2010.03.28 15:38:56 (UTC)  - this is a clean pdf
File size: 41094 bytes
MD5...: 648b226141fe0304838a6ffc2f2332d0
File _.exe received on 2010.03.28 15:38:38 (UTC)
Result: 2/42 (4.77%)
Sophos 4.52.0 2010.03.28 Mal/Behav-053 - see it on ThreatExpert, just a different MD5
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 31744 bytes
MD5...: 4bcfd4e7b25eab26bca0df684e66603a

Network Activities of _.exe
DNS Queries:
Query Result:
HTTP Conversations:
GET [ /xiazai/Rtservera.exe ], Response: [ ]

Full Anubis report of _.exe: info on the contacted host
      ISP:    China Network Information Center
      Organization:    Beijing Neteon Tech Co, Ltd.
      Assignment:    Static IP
      State/Region:    Beijing
      City:    Beijing
      Longitude:    116.3883
At least eleven other hosts point to the same address. It is blacklisted in one list.
