Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

CVE-2010-1297 Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, Adobe AIR before 2.0.2.12610, and authplay.dll in Adobe Reader and Acrobat 9.x through 9.3.2 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, as exploited in the wild in June 2010.

CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Download  as a password protected archive with the original PDf and analysis files/dropped binaries (contact me if you need the password)

-----Original Message-----
From: Henry J. Aaron [mailto:henryAron@brookings.org]
Sent: Thursday, September 09, 2010 9:38 AM
To: XXXXXXXXX
Subject: FW: U.S. economy slips to 4th in WEF's competitiveness rankings

To whom it may concern.

Henry J. Aaron

Senior Fellow, Economic Studies

The Brookings Institution

Headers

Received: (qmail 12137 invoked from network); 9 Sep 2010 13:43:33 -0000

Received: from h96-210-64-253.seed.net.tw (HELO brookings.org) (210.64.253.96)

  by XXXXXXXXXXXX with SMTP; 9 Sep 2010 13:43:33 -0000

From: "Henry J. Aaron"
Subject: FW: U.S. economy slips to 4th in WEF's competitiveness rankings
To: XXXXXXX
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="US-ASCII"
MIME-Version: 1.0
Reply-To: h.swain65@yahoo.com
Date: Thu, 9 Sep 2010 21:37:54 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.00.2615.200

210.64.253.96

Hostname:    h96-210-64-253.seed.net.tw
ISP:    Digital United Inc.
Organization:    Seednet-TaipeiDP-S
State/Region:    T'ai-pei
City:    Taipei

CVE-2009-4324

CVE-2010-1297

CVE-2009-0927
http://wepawet.cs.ucsb.edu/view.php?hash=47a46ba2220cf6368eb0d42d8a6d40e3&type=js

Created files

%tmp%\Report.pdf
%tmp%p\Updater.exe
%tmp%\vcmdbg.dll

Updater.exe is digitally signed with Foxit signature from Thawte. It is expired but it is still interesting.

Installed service
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters
Class Name:       
Last Write Time:   9/12/2010 - 10:27 PM
Value 0
  Name:            ServiceDll
  Type:            REG_EXPAND_SZ
  Data:            C:\DOCUME~1\[username]\LOCALS~1\Temp\vcmdbg.dll

 File name:
http://www.virustotal.com/file-scan/report.html?id=0852babea3277655fafd3bfbf011fc02047935f4f812136322615d37230d81f0-1284354179
vcmdbg.dll
Result:
7 /43 (16.3%)
AVG     9.0.0.851     2010.09.13     Small.CDB
BitDefender     7.2     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Comodo     6062     2010.09.13     TrojWare.Win32.PSW.Kates.ABC
F-Secure     9.0.15370.0     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
GData     21     2010.09.13     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Norman     6.06.06     2010.09.12     W32/Suspicious_Gen2.BIWYN
nProtect     2010-09-12.01     2010.09.12     Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm

Additional information
Show all
MD5   : 2185845c8489e637d963217d4f35842e

File name:
Updater.exe
http://www.virustotal.com/file-scan/report.html?id=8c3d2da8da3976c392fc361701d5022a48e1adf7d209618cf92a986e92844a02-1284349980
11 /43 (25.6%)
AntiVir     8.2.4.50     2010.09.12     BDS/Delf.ukq.4
Antiy-AVL     2.0.3.7     2010.09.13     Backdoor/Win32.Delf
Ikarus     T3.1.1.88.0     2010.09.13     Trojan-Dropper.Delf
Jiangmin     13.0.900     2010.09.12     Backdoor/Delf.wee
Kaspersky     7.0.0.125     2010.09.13     Backdoor.Win32.Delf.ukq
McAfee     5.400.0.1158     2010.09.13     Artemis!123C5E06A889
McAfee-GW-Edition     2010.1B     2010.09.12     Artemis!123C5E06A889
nProtect     2010-09-12.01     2010.09.12     Backdoor/W32.Agent.52992.B
Panda     10.0.2.7     2010.09.12     Suspicious file
TheHacker     6.7.0.0.016     2010.09.12     Backdoor/Delf.ukq
TrendMicro-HouseCall     9.120.0.1004     2010.09.13     -
VBA32     3.12.14.0     2010.09.08     Backdoor.Win32.Delf.ukq
Additional information
Show all
MD5   : 123c5e06a889925ec688440bc13dd572

traffic to 202.67.231.251:443

 Hostname:    202.67.231.251
ISP:    HKNet Company Ltd.
Organization:    HKNet Company Limited
Country:    Hong Kong
 City:    Kwai Chung

Strings from 
File: vcmdbg.dll
MD5:  2185845c8489e637d963217d4f35842e
Size: 29184

Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache