Saturday, March 27, 2010

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from kevin.bohn33@hotmail.com

Malicious link hxxp://spot-news.com/test/test.html (still active on March 27, 2010) - Internet Explorer zero-day exploit (CVE-2010-0806)

Download 043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password-protected archive (please contact me if you need the password)

Details on the link and files

    From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
    Sent: Saturday, March 27, 2010 7:35 AM
    To: XXXXXXXXXXX
    Subject: Dozens missing after ship sinks near North Korea


    Dozens missing after ship sinks near North Korea
    a navy ship sank in tense Yellow Sea waters off the coast of North Korea.

    Detail Story   http://www.mofat.go.kr/press/breifing
    _______________________________________
    Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.


    Headers
    Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
     with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700
    Message-ID:
    Return-Path: kevin.bohn33@hotmail.com
    Content-Type: multipart/alternative;
        boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
    X-Originating-IP: [123.125.156.151]
    From: Kevin Bohn
    Sender IP info
          Hostname:    123.125.156.151
          ISP:    China Unicom Beijing Province Network
          Organization:    China Unicom Beijing Province Network
          Proxy:    Suspected network sharing device.
          Country:    China
          State/Region:    Beijing
          City:    Beijing
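    The two signals this post turns on are the webmail X-Originating-IP (the Beijing address above, while the Received chain only shows Hotmail's own servers) and a lure whose visible "Detail Story" URL points somewhere other than the exploit page. The following triage helper is an added example, not code from the original post; the header text is copied from the post, but the HTML body with a mismatching anchor is an assumption, since the post shows only the rendered text and the real link separately.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: headers quoted in the post plus an ASSUMED HTML body in which
# the visible "Detail Story" URL and the real href disagree.
SAMPLE = """\
Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700
Return-Path: kevin.bohn33@hotmail.com
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn <kevin.bohn33@hotmail.com>
Subject: Dozens missing after ship sinks near North Korea
Content-Type: text/html

<p>Detail Story <a href="http://spot-news.com/test/test.html">http://www.mofat.go.kr/press/breifing</a></p>
"""

def defang(url):
    """Render a URL non-clickable the way the post does (http -> hxxp)."""
    return url.replace("https://", "hxxps://", 1).replace("http://", "hxxp://", 1)

def header_indicators(raw):
    """Collect sender-side IPs: every [a.b.c.d] in the Received chain plus the
    webmail X-Originating-IP, which is the one worth geolocating for a Hotmail lure."""
    msg = message_from_string(raw)
    received = [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h)]
    orig = IPV4.findall(msg.get("X-Originating-IP", ""))
    return {"received_ips": received,
            "originating_ip": orig[0] if orig else None,
            "return_path": msg.get("Return-Path")}

def mismatched_links(raw):
    """Return (shown_url, real_url) pairs, defanged, for anchors whose visible text
    is itself a URL with a different host than the href: the lure pattern here."""
    body = message_from_string(raw).get_payload()
    pairs = []
    for href, text in ANCHOR.findall(body):
        text = text.strip()
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            pairs.append((defang(text), defang(href)))
    return pairs

if __name__ == "__main__":
    print(header_indicators(SAMPLE))
    print(mismatched_links(SAMPLE))
```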



    Site host info from robtex.com for hxxp://spot-news.com/test/test.html
    124.217.255.232
    Hostname: 124.217.255.232
    ISP: PIRADIUS NET
    Organization: PIRADIUS NET
    Country: Malaysia
    State/Region: Johor
    City: Johor Bahru
    Exploit info
    Please see Trancer's post with more details about the exploit and explanation by Praetorian Prefect

    hxxp://spot-news.com/test/test.html 


    Tested on Windows XP SP2, Internet Explorer 7

    The following files were created:

    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm
    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\NRUWTV44\winint32.exe

    Virustotal
    test.htm
    File test.htm received on 2010.03.27 21:26:17 (UTC)
    Result: 3/42 (7.14%)
    AVG     9.0.0.787     2010.03.27     Script/Exploit
    Microsoft     1.5605     2010.03.27     Exploit:JS/CVE-2010-0806
    Sunbelt     6101     2010.03.26     Trojan.JS.BOFExploit (v)


    winint32.exe
    File winint32.exe received on 2010.03.27 21:29:06 (UTC)
    Result: 3/42 (7.15%)
    Microsoft    1.5605    2010.03.27    Trojan:Win32/Tapaoux.A
    Panda    10.0.2.2    2010.03.27    Suspicious file
    Symantec    20091.2.0.41    2010.03.27    Suspicious.Insight
    File size: 357344 bytes
    MD5...: 043d308bfda76e35122567cf933e1b2a


    Anubis Report


