Thursday, September 9, 2010

Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96



CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.


Download as a password-protected archive with the original PDF and analysis files/dropped binaries (contact me if you need the password)


-----Original Message-----
From: Henry J. Aaron [mailto:henryAron@brookings.org]
Sent: Thursday, September 09, 2010 9:38 AM
To: XXXXXXXXX
Subject: FW: U.S. economy slips to 4th in WEF's competitiveness rankings

To whom it may concern.

Henry J. Aaron

Senior Fellow, Economic Studies

The Brookings Institution
Headers
Received: (qmail 12137 invoked from network); 9 Sep 2010 13:43:33 -0000
Received: from h96-210-64-253.seed.net.tw (HELO brookings.org) (210.64.253.96)
  by XXXXXXXXXXXX with SMTP; 9 Sep 2010 13:43:33 -0000
From: "Henry J. Aaron"
Subject: FW: U.S. economy slips to 4th in WEF's competitiveness rankings
To: XXXXXXX
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="US-ASCII"
MIME-Version: 1.0
Reply-To: h.swain65@yahoo.com
Date: Thu, 9 Sep 2010 21:37:54 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2615.200

210.64.253.96

Hostname:    h96-210-64-253.seed.net.tw
ISP:    Digital United Inc.
Organization:    Seednet-TaipeiDP-S
State/Region:    T'ai-pei
City:    Taipei

CVE-2009-4324
CVE-2010-1297
CVE-2009-0927
http://wepawet.cs.ucsb.edu/view.php?hash=47a46ba2220cf6368eb0d42d8a6d40e3&type=js




Created files

%tmp%\Report.pdf
%tmp%p\Updater.exe
%tmp%\vcmdbg.dll


Updater.exe is digitally signed with a Foxit signature from Thawte. It is expired, but it is still interesting.


Installed service
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
Class Name:
Last Write Time:   9/12/2010 - 10:27 PM
Value 0
  Name:            ServiceDll
  Type:            REG_EXPAND_SZ
  Data:            C:\DOCUME~1\[username]\LOCALS~1\Temp\vcmdbg.dll
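The ServiceDll value above is the persistence mechanism: the svchost-hosted SENS service is pointed at the dropped DLL in the user's Temp directory instead of a DLL under System32. As an added example (not code from the original post), the Python below reads a text registry export in the same layout as the dump above and flags any ServiceDll that does not live under the system directories; the sample export is constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample export in the layout of the dump above: one hijacked
# service (SENS -> Temp) and one legitimate one (Dhcp -> System32).
SAMPLE_DUMP = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
Value 0
  Name:            ServiceDll
  Type:            REG_EXPAND_SZ
  Data:            C:\DOCUME~1\[username]\LOCALS~1\Temp\vcmdbg.dll
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
Value 0
  Name:            ServiceDll
  Type:            REG_EXPAND_SZ
  Data:            %SystemRoot%\System32\dhcpcsvc.dll
"""

# Directories a legitimate svchost-hosted ServiceDll is normally loaded from.
TRUSTED_PREFIXES = (
    "%systemroot%\\system32\\",
    "c:\\windows\\system32\\",
    "%systemroot%\\syswow64\\",
    "c:\\windows\\syswow64\\",
)


def parse_servicedll_entries(dump: str) -> List[Dict[str, str]]:
    """Return {key, dll} records for every ServiceDll value in the export."""
    entries, key, pending = [], None, False
    for line in dump.splitlines():
        if m := re.match(r"\s*Key Name:\s+(.*)", line):
            key, pending = m.group(1).strip(), False
        elif m := re.match(r"\s*Name:\s+(\S+)", line):
            pending = m.group(1).lower() == "servicedll"
        elif (m := re.match(r"\s*Data:\s+(.*)", line)) and pending and key:
            entries.append({"key": key, "dll": m.group(1).strip()})
            pending = False
    return entries


def suspicious_servicedlls(dump: str) -> List[Dict[str, str]]:
    """Flag ServiceDll paths outside the system directories (e.g. Temp, 8.3 user paths)."""
    return [e for e in parse_servicedll_entries(dump)
            if not e["dll"].lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for hit in suspicious_servicedlls(SAMPLE_DUMP):
        print(f"SUSPICIOUS {hit['key']} -> {hit['dll']}")
```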


File name: vcmdbg.dll
http://www.virustotal.com/file-scan/report.html?id=0852babea3277655fafd3bfbf011fc02047935f4f812136322615d37230d81f0-1284354179
Result: 7/43 (16.3%)
AVG     9.0.0.851     2010.09.13     Small.CDB
BitDefender     7.2     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Comodo     6062     2010.09.13     TrojWare.Win32.PSW.Kates.ABC
F-Secure     9.0.15370.0     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
GData     21     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Norman     6.06.06     2010.09.12     W32/Suspicious_Gen2.BIWYN
nProtect     2010-09-12.01     2010.09.12     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm

MD5   : 2185845c8489e637d963217d4f35842e


File name: Updater.exe
http://www.virustotal.com/file-scan/report.html?id=8c3d2da8da3976c392fc361701d5022a48e1adf7d209618cf92a986e92844a02-1284349980
Result: 11/43 (25.6%)
AntiVir     8.2.4.50     2010.09.12     BDS/Delf.ukq.4
Antiy-AVL     2.0.3.7     2010.09.13     Backdoor/Win32.Delf
Ikarus     T3.1.1.88.0     2010.09.13     Trojan-Dropper.Delf
Jiangmin     13.0.900     2010.09.12     Backdoor/Delf.wee
Kaspersky     7.0.0.125     2010.09.13     Backdoor.Win32.Delf.ukq
McAfee     5.400.0.1158     2010.09.13     Artemis!123C5E06A889
McAfee-GW-Edition     2010.1B     2010.09.12     Artemis!123C5E06A889
nProtect     2010-09-12.01     2010.09.12     Backdoor/W32.Agent.52992.B
Panda     10.0.2.7     2010.09.12     Suspicious file
TheHacker     6.7.0.0.016     2010.09.12     Backdoor/Delf.ukq
TrendMicro-HouseCall     9.120.0.1004     2010.09.13     -
VBA32     3.12.14.0     2010.09.08     Backdoor.Win32.Delf.ukq
MD5   : 123c5e06a889925ec688440bc13dd572


Traffic to 202.67.231.251:443
Hostname:    202.67.231.251
ISP:    HKNet Company Ltd.
Organization:    HKNet Company Limited
Country:    Hong Kong
City:    Kwai Chung


Strings from
File: vcmdbg.dll
MD5:  2185845c8489e637d963217d4f35842e
Size: 29184

Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache 


