Thursday, June 24, 2010

Jun 17 Win XP (SP2, SP3) 0-Day - CVE-2010-1885 Samples and analysis links

Image from Trendlabs malware blog


Download the CVE-2010-1885 files listed below as a password-protected archive (contact me if you need the password).


 File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Current status: finished
Result: 28/41 (68.29%)
a-squared     5.0.0.30     2010.06.24     Exploit.Win32.CVE-2010-1885!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
AntiVir     8.2.4.2     2010.06.23     EXP/CVE-2010-1885
Avast     4.8.1351.0     2010.06.23     HTML:CVE-2010-1885-A
Avast5     5.0.332.0     2010.06.23     HTML:CVE-2010-1885-A
AVG     9.0.0.836     2010.06.23     Generic2_c.AMOL
BitDefender     7.2     2010.06.24     Exploit.CVE-2010-1885.A
CAT-QuickHeal     10.00     2010.06.23     HCP/CVE-2010-1885
Comodo     5198     2010.06.23     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.06.24     Exploit.Hcp
eSafe     7.0.17.0     2010.06.23     Win32.Exploit.HelpOv
eTrust-Vet     36.1.7663     2010.06.24     HTML/HCP.A
F-Secure     9.0.15370.0     2010.06.24     Exploit.CVE-2010-1885.A
GData     21     2010.06.24     Exploit.CVE-2010-1885.A
Ikarus     T3.1.1.84.0     2010.06.24     Exploit.Win32.CVE-2010-1885
Kaspersky     7.0.0.125     2010.06.24     Exploit.HTML.CVE-2010-1885.a
McAfee     5.400.0.1158     2010.06.24     Exploit-HelpOverflow
McAfee-GW-Edition     2010.1     2010.06.23     Exploit-HelpOverflow
Microsoft     1.5902     2010.06.23     Exploit:Win32/CVE-2010-1885.A
NOD32     5223     2010.06.23     HTML/Exploit.CVE-2010-1885
nProtect     2010-06-23.02     2010.06.23     Exploit.CVE-2010-1885.A
PCTools     7.0.3.5     2010.06.24     Exploit.CVE_2010_1885
Sophos     4.54.0     2010.06.24     Mal/HcpExpl-A
Sunbelt     6498     2010.06.24     Exploit.HTML.HCP.a (v)
Symantec     20101.1.0.89     2010.06.24     Bloodhound.Exploit.337
TrendMicro     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
ViRobot     2010.6.21.3896     2010.06.24     JS.S.Exploit.1938
Additional information
File size: 1938 bytes
MD5   : 62f4daf19da62595609d6a0c0089fcac

2. File e2.ph.-n received on 2010.06.24 05:07:27 (UTC)
Result: 10/41 (24.39%)
a-squared     5.0.0.30     2010.06.24     Win32.SuspectCrc!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
AntiVir     8.2.4.2     2010.06.23     JS/Dldr.Agent.ags
AVG     9.0.0.836     2010.06.23     JS/Generic
Ikarus     T3.1.1.84.0     2010.06.24     Win32.SuspectCrc
McAfee-GW-Edition     2010.1     2010.06.23     Heuristic.LooksLike.JS.Suspicious.B
Microsoft     1.5902     2010.06.23     TrojanDownloader:JS/Adodb.F
Sunbelt     6498     2010.06.24     Exploit.HTML.HCP.a (v)
TrendMicro     9.120.0.1004     2010.06.24     JS_HCPDL.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     JS_HCPDL.A

File size: 495 bytes
MD5   : 61fc2470c3bb88f5128e4ff56f205f45


File hcpexp-a.ht.-n1 received on 2010.06.24 12:00:04 (UTC)
Result: 7/41 (17.08%)
a-squared    5.0.0.30    2010.06.24    Win32.SuspectCrc!IK
AhnLab-V3    2010.06.24.00    2010.06.24    Exploit/Cve-2010-1885
Ikarus    T3.1.1.84.0    2010.06.24    Win32.SuspectCrc
Sophos    4.54.0    2010.06.24    Mal/HcpExpl-A
Sunbelt    6499    2010.06.24    Exploit.HTML.HCP.a (v)
TrendMicro    9.120.0.1004    2010.06.24    JS_HCPDL.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.24    JS_HCPDL.A

File size: 609 bytes
MD5   : 54cbf8255f2074d69ada2a20733412c5



http://www.virustotal.com/analisis/ef9da9a7b03e897e8f586b7a5a2274a0f678adb22ea6d04af3c488d9f7a8c80e-1277381519
 File hcpexp-b.ht.-n2 received on 2010.06.24 12:11:59 (UTC)
Result: 25/40 (62.50%)
a-squared     5.0.0.30     2010.06.24     Exploit.HTML.HCP!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
Avast     4.8.1351.0     2010.06.24     HTML:CVE-2010-1885-A
Avast5     5.0.332.0     2010.06.24     HTML:CVE-2010-1885-A
BitDefender     7.2     2010.06.24     Exploit.CVE-2010-1885.C
CAT-QuickHeal     10.00     2010.06.24     HCP/CVE-2010-1885
Comodo     5202     2010.06.24     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.06.24     Exploit.Hcp
F-Secure     9.0.15370.0     2010.06.24     Exploit.CVE-2010-1885.C
GData     21     2010.06.24     Exploit.CVE-2010-1885.C
Ikarus     T3.1.1.84.0     2010.06.24     Exploit.HTML.HCP
Kaspersky     7.0.0.125     2010.06.24     Exploit.HTML.HCP.a
McAfee     5.400.0.1158     2010.06.24     Exploit-CVE2010-1885
McAfee-GW-Edition     2010.1     2010.06.24     Exploit-CVE2010-1885
Microsoft     1.5902     2010.06.24     Exploit:Win32/CVE-2010-1885.A
NOD32     5224     2010.06.24     HTML/Exploit.CVE-2010-1885
Norman     6.05.10     2010.06.24     Exploit/CVE-2010-1885
nProtect     2010-06-24.01     2010.06.24     Exploit.CVE-2010-1885.C
PCTools     7.0.3.5     2010.06.24     HeurEngine.MaliciousExploit
Sophos     4.54.0     2010.06.24     Mal/HcpExpl-A
Sunbelt     6499     2010.06.24     Exploit.HTML.HCP.a (v)
Symantec     20101.1.0.89     2010.06.24     Bloodhound.Exploit.337
TrendMicro     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
ViRobot     2010.6.21.3896     2010.06.24     JS.S.Exploit.861

Additional information
File size: 861 bytes
MD5   : 2a8dd61b35b9426412b9d373daabae79

simple.asx
 http://www.virustotal.com/analisis/65267e27757a91f370cc6866b5b31d84908b6a23ef9ca7e3bfdb54715f44dbdc-1277381067
File simple.as.-n received on 2010.06.24 12:04:27 (UTC)
Result: 4/41 (9.76%)
a-squared     5.0.0.30     2010.06.22     JS.Downloader.Agent!IK
AntiVir     8.2.2.6     2010.06.21     JS/Dldr.Agent.AGS.4
Ikarus     T3.1.1.84.0     2010.06.22     JS.Downloader.Agent
Sunbelt     6483     2010.06.21     Exploit.HTML.HCP.a (v)

Additional information
File size: 216 bytes
MD5   : 91bf808b33ee7a0f928b53b3a75c7670


6.  http://www.virustotal.com/analisis/f85699a40c6b094e86f4d43c0b46966f0c09aba71b6d525287c74093cb04e7f5-1277381258
 File test.js.-n received on 2010.06.24 12:07:38 (UTC)
Result: 12/41 (29.27%)
a-squared     5.0.0.30     2010.06.22     Win32.SuspectCrc!IK
AhnLab-V3     2010.06.22.00     2010.06.22     Exploit/Cve-2010-1885
AntiVir     8.2.2.6     2010.06.21     JS/Dldr.Agent.AGS.3
AVG     9.0.0.787     2010.06.21     Generic2_c.ANAY
Ikarus     T3.1.1.84.0     2010.06.22     Win32.SuspectCrc
McAfee-GW-Edition     2010.1     2010.06.22     Heuristic.LooksLike.JS.Suspicious.B
Microsoft     1.5902     2010.06.22     TrojanDownloader:JS/Adodb.G
nProtect     2010-06-21.01     2010.06.21     Script/W32.Agent.HN
Sunbelt     6483     2010.06.21     Exploit.HTML.HCP.a (v)
TrendMicro     9.120.0.1004     2010.06.22     JS_HCPDL.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.22     JS_HCPDL.A
ViRobot     2010.6.21.3896     2010.06.22     JS.S.Exploit.794
Additional information
File size: 794 bytes
MD5   : 1682de49b9eafddbec850d1f282caf8d


7. o.exe (not available for download, sorry)
http://www.virustotal.com/analisis/5f85962f028ab06d02afb71ed6080dd57502ae58a00b6678dc10e1c6b94b6c6e-1276598854
or
http://www.virustotal.com/analisis/5f85962f028ab06d02afb71ed6080dd57502ae58a00b6678dc10e1c6b94b6c6e-1276650904
 File o.exe received on 2010.06.15 10:47:34 (UTC)
Result: 2/41 (2.44%)
DrWeb     5.0.2.03300     2010.06.15     SCRIPT.Virus
Sophos     4.54.0     2010.06.16     Troj/Drop-FS
Additional information
File size: 13193076 bytes
MD5   : a2f8bafef7c0d3af2bd54466b3ec2fb2

