Tuesday, June 22, 2010

Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy

Adobe will fix this vulnerability on June 29

Download   e3f5ef4fa17b4e08388ae4b0e2373728  100621.pdf  as a password protected archive (contact me if you need the password)



-----Original Message-----
From: 大川 正人 [mailto:maseto.okawa@cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: 最近の日米経済関係について (About the recent US-Japan Economic Relations)
Importance: High
......
(Main line) 03-5453-2111 (ext.) 82657
(Direct) 03-3581-4445
(FAX) 03-3581-5601
masato.okawa@cas.go.jp
=====================================
----- Original Message -----
From: Ookawa Masato [mailto:maseto.okawa@cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: About the recent US-Japan Economic Relations
Importance: High


Headers
Received: from unknown (HELO cas.go.jp) (60.26.142.253)
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Priority: 2
X-Mailer: Foxmail 4.1 [cn]

 60.26.142.253
ISP:    China Unicom Tianjin province network
Organization:    China Unicom Tianjin province network
Type:    Broadband
Assignment:    Static IP
Country:    China
State/Region:    Tianjin
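As an added example (not from the original post), the script below runs a defender's header-consistency checks over the header block posted above, reproduced as a constructed string with the recipient still redacted; it decodes the ISO-2022-JP encoded-words, pulls the HELO name and connecting IP out of the topmost Received line, and flags the mismatches this mail shows. The expectation that a .jp sender's Date carries a +0900 offset is an assumption.

```python
import re
from email import message_from_string
from email.header import decode_header

# Header block reproduced from the post above (recipient kept redacted).
RAW_HEADERS = """\
Received: from unknown (HELO cas.go.jp) (60.26.142.253)
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Mailer: Foxmail 4.1 [cn]
"""
# Assumption: UTC offset a genuine sender in that country-code TLD would normally use.
EXPECTED_TZ = {'jp': '+0900'}
HELO_RE = re.compile(r'\(HELO\s+([^)\s]+)\)')
IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')

def decode_rfc2047(value):
    """Turn RFC 2047 encoded-words (here ISO-2022-JP, base64) into text."""
    out = []
    for chunk, charset in decode_header(value):
        out.append(chunk.decode(charset or 'ascii', 'replace') if isinstance(chunk, bytes) else chunk)
    return ''.join(out)

def triage(raw):
    """Decode the display headers and collect consistency findings."""
    msg = message_from_string(raw)
    claimed = msg.get('Reply-To', '').rsplit('@', 1)[-1]        # domain the mail claims to come from
    r = {'from': decode_rfc2047(msg.get('From', '')),
         'subject': decode_rfc2047(msg.get('Subject', '')),
         'helo': None, 'src_ip': None, 'findings': []}
    received = msg.get_all('Received') or []
    if received:
        # The topmost Received line was written by the receiving MTA, the only hop it can vouch for.
        m = HELO_RE.search(received[0])
        r['helo'] = m.group(1) if m else None
        public = [ip for ip in IP_RE.findall(received[0]) if not ip.startswith(('10.', '192.168.'))]
        r['src_ip'] = public[0] if public else None
        if r['helo'] == claimed and received[0].lower().startswith('from unknown'):
            r['findings'].append(f"HELO claims {claimed} but the MTA got no rDNS for {r['src_ip']}")
    tz = msg.get('Date', '').strip()[-5:]
    tld = claimed.rsplit('.', 1)[-1]
    if tld in EXPECTED_TZ and tz != EXPECTED_TZ[tld]:
        r['findings'].append(f"Date offset {tz} is not the {EXPECTED_TZ[tld]} expected of a .{tld} sender")
    if '[cn]' in msg.get('X-Mailer', ''):
        r['findings'].append(f"X-Mailer {msg['X-Mailer']!r} is a Chinese-locale build")
    return r
```

Calling `triage(RAW_HEADERS)` on this mail returns the decoded sender and subject together with three findings: the unverifiable HELO, the +0800 Date on a supposedly Japanese sender, and the Chinese-locale Foxmail build.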


     File 100621.pdf received on 2010.06.22 00:33:39 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1277166819
Result: 9/41 (21.95%)
a-squared     5.0.0.30     2010.06.21     Exploit.JS.Pdfka!IK
AntiVir     8.2.2.6     2010.06.21     HTML/Malicious.PDF.Gen
BitDefender     7.2     2010.06.22     Exploit.PDF-JS.Gen
GData     21     2010.06.22     Exploit.PDF-JS.Gen
Ikarus     T3.1.1.84.0     2010.06.21     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.21     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.21     JS.Pdfka.Gen.11
Additional information
File size: 969411 bytes
MD5   : e3f5ef4fa17b4e08388ae4b0e2373728      


Many thanks to JM for sharing the following information
Dropped files
100621.PDF (95210e66bc040ee0f6b5601390658007 – benign decoy; note the size difference, 105 kb)
SUCHOST.EXE (abf8e40d7c99e9b3f515ec0872fe099e – 45k)  - appears to be Poison Ivy RAT

VT Result: 19/41 (46.34%)

SUCHOST.EXE
http://www.virustotal.com/analisis/8264a96a954c9a3f661bd21b9493377a710aaac1e96fe276d8d9095ea286c84a-1277147963
AhnLab-V3   2010.06.21.02     2010.06.21  Win-Trojan/Agent.45056.AMQ
Antiy-AVL   2.0.3.7     2010.06.18  Trojan/Win32.Agent.gen
Authentium  5.2.0.5     2010.06.21  W32/Trojan2.MIBZ
Avast 4.8.1351.0  2010.06.21  Win32:Malware-gen
Avast5      5.0.332.0   2010.06.21  Win32:Malware-gen
AVG   9.0.0.787   2010.06.21  Agent2.ALLE
BitDefender 7.2   2010.06.21  Trojan.Inject.XI
CAT-QuickHeal     10.00 2010.06.18  Trojan.Agent.dgqy
DrWeb 5.0.2.03300 2010.06.21  Trojan.Siggen1.43943
F-Prot      4.6.1.107   2010.06.20  W32/Trojan2.MIBZ
F-Secure    9.0.15370.0 2010.06.21  Trojan.Inject.XI
GData 21    2010.06.21  Trojan.Inject.XI
Jiangmin    13.0.900    2010.06.15  Trojan/Agent.cule
McAfee-GW-Edition 2010.1      2010.06.21  Heuristic.LooksLike.Trojan.Backdoor.Poison.I
Microsoft   1.5902      2010.06.21  Backdoor:Win32/Poison.AP
NOD32 5216  2010.06.21  a variant of Win32/Poison.NDQ
nProtect    2010-06-21.01     2010.06.21  Trojan/W32.Agent.45056.TM
Panda 10.0.2.7    2010.06.21  Suspicious file
ViRobot     2010.6.21.3896    2010.06.21  Trojan.Win32.Agent.45056.HO


