Friday, April 23, 2010

Apr 23 Link HTA w Trojan:Win32/Tapaoux.A download

Malicious HTA file in hxxtp://report-inshop.com/policies/A Step in the Right Direction.hta
 downloads additional malware wincfg.exe Trojan:Win32/Tapaoux.A

Download   



From: Richard Wilson [mailto:richard.wilson34@hotmail.com]
Sent: Friday, April 23, 2010 7:52 AM
To: XXXXXXXXXX
Subject: Obama's New Nuclear Policies: A Step in the Right Direction


Obama's New Nuclear Policies: A Step in the Right Direction

Arms Control, Nuclear Weapons, Nonproliferation, Defense
Michael E. O'Hanlon, Director of Research and Senior Fellow, Foreign Policy

The Brookings Institution

    Documents View   (Acrobat Version 9.0 or less)




Headers
Received: from BLU139-W28 ([65.55.111.137]) by blu0-omc4-s33.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959);     Fri, 23 Apr 2010 04:52:29 -0700
Message-ID:
Return-Path: richard.wilson34@hotmail.com
Content-Type: multipart/alternative;
    boundary="_f03abef7-5a0c-4660-b04a-387c90937f45_"
X-Originating-IP: [123.125.156.137]
From: Richard Wilson

http://www.robtex.com/ip/123.125.156.137.html#blacklists 
http://www.robtex.com/ip/123.125.156.137.html#whoisinetnum: 123.112.0.0 - 123.127.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN
person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
e-mail: hostmast@publicf.bta.net.cn
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: suny@publicf.bta.net.cn 19980824
changed: hm-changed@apnic.net 20060717
changed: hostmast@publicf.bta.net.cn 20090630
source: APNIC



 Virustotal
 A Step in the Right Direction.hta from hxxtp://report-inshop.com/policies/A Step in the Right Direction.hta
http://www.virustotal.com/analisis/746e8ea808d2fa9c51e72f25a84c0924ecddc4b82ee3efae122e27158b1b2c2e-1272024139
 File A_20Step_20in_20the_20Right_20Dir  received on 2010.04.23 12:02:19 (UTC)
Current status: finished
Result: 0/40 (0.00%)
Additional information
File size: 198809 bytes
MD5   : bccca07e2147be4cf30e73a6714d8c38



From  A Step in the Right Direction.hta -  Shellcode 2 exe (sandsprite.com) results 
 shellcode.exe
File shellcode.exe received on 2010.04.24 17:18:13 (UTC)
Current status: finished
Result: 14/40 (35.00%)
AntiVir     8.2.1.224     2010.04.23     PCK/Dumped
Authentium     5.2.0.5     2010.04.24     W32/SmallTrojan.M.gen!Eldorado
AVG     9.0.0.787     2010.04.24     Agent_r.OV
CAT-QuickHeal     10.00     2010.04.23     (Suspicious) - DNAScan
Comodo     4676     2010.04.24     TrojWare.Win32.TrojanDownloader.Small.~AOLO
F-Prot     4.5.1.85     2010.04.24     W32/SmallTrojan.M.gen!Eldorado
Jiangmin     13.0.900     2010.04.24     Trojan/Agent.ckpb
Kaspersky     7.0.0.125     2010.04.24     Trojan-Downloader.Win32.Small.aolo
McAfee     5.400.0.1158     2010.04.24     Generic Downloader.fa
McAfee-GW-Edition     6.8.5     2010.04.23     Packer.Dumped
Microsoft     1.5703     2010.04.24     TrojanDownloader:Win32/Sileco.A
TheHacker     6.5.2.0.268     2010.04.23     Trojan/Downloader.Small.aolo
TrendMicro     9.120.0.1004     2010.04.24     TROJ_SMALL.SMJ2
Additional information
File size: 102994 bytes

MD5   : 9b41c8a47770bb3f8ff5f76aad49c84f


wincfg.exe from hxxp://report-inshop.com/policies/wincfg.exe - see wireshark screenshot above
  File wincfg.exe received on 2010.04.24 16:44:33 (UTC)
Result: 1/40 (2.50%)
Microsoft     1.5703     2010.04.24     Trojan:Win32/Tapaoux.A
File size: 357344 bytes
MD5   : 1971ee25847d246116835c7157cf7f89


Anubis report http://anubis.iseclab.org/?action=result&task_id=1a1a33275cdb76c24b932808a50af114f

Virustotal
April 07.pdf from hxxp://report-inshop.com/policies/April%2007.pdf
http://www.virustotal.com/analisis/f48bf933148dff98c92d4f64b9b735d381db6fb45390091613ab9c4f90b25f09-1272126805
 File April_07.pdf received on 2010.04.24 16:33:25 (UTC)
Result: 0/40 (0.00%)
Additional information
File size: 46135 bytes
MD5   : 19a08f48d71044e0a4091ef4a4e16131

Traffic wincfg.exe - by Anubis

    DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ www.microsoft.com ], Query Type: [ DNS_TYPE_A ],
            Query Result: [  ], Successful: [ YES ], Protocol: [ udp ]
        Name: [ hummfoundation.org ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 124.217.226.220 ], Successful: [ YES ], Protocol: [ udp ]
[=============================================================================]
    Global Network Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1038 to 124.217.226.220:80 - [ hummfoundation.org ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]
             Request: [ GET /on/yahoo/banner4.php?jpg=../yahoo ], Response: [ 200 "OK" ]
             Request: [ GET /on/yahoo/banner3.php?jpg=../(LQAhZ2Uy ], Response: [ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    TCP Connection Attempts:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        From ANUBIS:1039 to 124.217.226.220:80
        From ANUBIS:1040 to 124.217.226.220:80
        From ANUBIS:1041 to 124.217.226.220:80
        From ANUBIS:1043 to 124.217.226.220:80
        From ANUBIS:1044 to 124.217.226.220:80

Robtex.com
124.217.226.220
bidor.net, skyll.net, qcs.com.my, niceugg.net, jadi.com.my and at least 51 other hosts point to 124.217.226.220.
It is blacklisted in one list. 
 
 http://www.robtex.com/ip/124.217.226.220.html
 inetnum: 124.217.224.0 - 124.217.255.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC
 

No comments:

Post a Comment