Friday, January 29, 2010

Jan 28 CVE-2009-4324 台美軍售最新情況.pdf The latest U.S. arms sales to Taiwan from Jan 28, 2010 10:45 PM

  1. Download 台美軍售最新情況.pdf as 401b4f707b8063b0c4b087c41716746b - The latest U.S. arms sales to Taiwan.pdf (password protected archive, please contact me if you need it)
  2. Download uncompressed (with as 401b4f707b8063b0c4b087c41716746b-The latest U.S. arms sales to Taiwan.txt


----- Original Message -----
Sent: Thursday, January 28, 2010 10:45 PM
Subject: 台美軍售最新情況

您的生活即時通 - 溝通、娛樂、生活、工作一次搞定! (Your everyday messenger: communication, entertainment, daily life and work, all handled in one place!)

No headers info available for this post, unfortunately

File ________________________.pdf received on 2010.01.29 16:15:12 (UTC)
Microsoft 1.5406 2010.01.29 Exploit:Win32/Pdfjsc.CW
nProtect 2009.1.8.0 2010.01.29 Exploit.PDF-JS.Gen.C02
Sunbelt 3.2.1858.2 2010.01.29 Exploit.PDF-JS.Gen (v)
Additional information
File size: 62182 bytes
MD5...: 401b4f707b8063b0c4b087c41716746b 

Analysis report for 台美軍售最新情況.pdf
File 台美軍售最新情況.pdf
MD5 401b4f707b8063b0c4b087c41716746b
Analysis Started 2010-01-29 08:15:37
Report Generated 2010-01-29 08:15:38
Jsand 1.03.02 benign
Encrypted embedded executable with a key of 1024 bytes.
Exploit method detected as pdfexploit - PDF Exploit call to media.newPlayer CVE-2009-4324.

Here is a part of the JavaScript (uncompressed with

Jan 28 CVE-2009-4324 PEER REVIEW--Assessing Chinese Military Transparency from Thu, 28 Jan 2010 05:01:50 PST

Download c603dffd233f4c00e0ec6ffe85e52110- PEER REVIEW--Assessing Chinese Military Transparency.pdf as a password protected archive (contact me if you need the password)

From: Phillip Saunders []
Sent: Thursday, January 28, 2010 8:02 AM
Subject: PEER REVIEW--Assessing Chinese Military Transparency


Attached is a draft study that develops a methodology for assessing and comparing transparency based on defense white papers, applies that methodology to assess changes in Chinese transparency over time, and compares the transparency evident in China's defense white paper with that of other Asia-Pacific white papers.

It is envisioned as both an analytical tool and something that might support a productive dialogue with China and other countries about transparency.

Comments about the methodology and substantive findings are welcome.


Received: from [] by via HTTP; Thu, 28 Jan 2010 05:01:50 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/
Date: Thu, 28 Jan 2010 05:01:50 -0800 (PST)
From: Phillip Saunders
Subject: PEER REVIEW--Assessing Chinese Military Transparency
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-928444982-1264683710=:32069"

Lookup IP Address:
      ISP:    WholeSale Internet
      Organization:    Max Dmitry
      Country:    United States
      State/Region:    MO
      City:    Kansas City

Wednesday, January 27, 2010

Jan 27 CVE-2009-4324 + CVE-2009-0927 + CVE-2007-5659 letter to Solarz and US position on free speech rights..from 27 Jan 2010 06:01:34 -0800

Download CF0063F0FA4ACDE50E38859BAE7CECA2-letter.pdf as a password protected archive (please contact me if you need it)
-----Original Message-----
From: Paul Maas Risenhoover []
Sent: 2010-01-27 9:02 AM
Subject: letter to Solarz and US position on free speech rights of native Formosans to advocate independence thru Taiwanese

 Attached and below is a letter to U.S. government on free speech rights of native Formosans to advocate independence thru Taiwanese self-determination.  Please support us.


Dear Press Officer Kavanaugh,

Kindly advise whether the US continues to stand by her duties under our Constitution, treaty obligations and laws, towards the defense of Formosa, and the rights of the native Formosans to engage in free speech rights secured by the First Article of Amendment to the US Constitution permitting petition for redress of their grievances against the United States, and her alter ego the Republic of China, located in exile, outside China, on Formosa, a trust territory for which the US asserted by Aide Memoire of October 25, 1950, in the travaux preparatoires for Article 2 of the Treaty of Peace with Japan concluded at San Francisco, that Formosa did not by that treaty nor by the Treaty of Taipei (also see FRUS that the Treaty of Taipei did not cede Formosa from Japan to the Republic of China, using the terms legal Dept. China) become territory of China nor of the Republic of China, and asserting her solemn UN Charter and Constitutional law of war duties as Principal Victor in the Pacific theater against Japan, for the ultimate disposition of Formosa, consonant with the territorial integrity or historical claims of China thereto, and the Article 73 duties of the US as Administering Authority, through her alter ego, the Republic of China, on Taiwan, for Formosa.

 Recently the fascist Chinese Nazi Party called the KMT has preferred treason charges to be brought by the Taiwan High Court, which is now investigating the judges and clerks of the US Court of Appeals for the Armed Forces and DC Circuit, SCUS, and USDC DC Judge Rosemary Collyer, for conspiracy to cause .....

see the full text below..

Monday, January 25, 2010

Jan 25 CVE-2009-4324 PLS Confirm your biography from

Download  cb9da3ce624c66cda70c9ba84b7e0040 biography.pdf as a password protected archive (please contact me if you need it)

-----Original Message-----
From: Jeffery ask []
Sent: Monday, January 25, 2010 9:55 PM
Subject: PLS Confirm your biography.

Dear Sir / Madam:

Congratulations! You have been selected successfully for "Century Celebrity Network the most influential 500 people of 20th century"
listed by "Century Celebrity Network". Celebrity World Network is a celebrities and celebrities interactive introduction website, we are committed to creating the world's largest, most complete celebrity information, forums, news, work, activities and awards ceremony site.
All the world's celebrities and their stories, works, achievements, are the world's wealth, for the world and leave this one than the wealth of future generations is of great significance. Celebrity Categories include: arts entertainment, sports, athletics, political and military, literature, religion, philosophy, business finance, doctors, martial artists, social celebrities, scientists and so on.

We will be so grateful if you could take some time to read your relevant description carefully to ensure the truth and integrity of the 20th century largest and most authoritative database. If there is something wrong, pls feel free to contact me. If you think the text we have written is far from the truth and can't satisfy you, we would appreciate it if you could send a biography within 500 words yourself.

Looking forward to your early reply.

Chou Zhi-wen, editor of Century Celebrity

Jan 25 CVE-2009-4324 + CVE-2007-5659 Senate Hearing Mon, 25 Jan 2010 08:26:21 -0500

Download F40376D0C1EB19A7774D32D6229D0465-_Principles_of_U.S._Engagement_in_Asia.pdf as a password protected archive (contact me for the password, if you need it) 

 Our friends are back to work

-----Original Message-----
From: John Podesta []
Sent: 2010-01-25 8:26 AM
Subject: Senate Hearing


Please find a brief summary attached from the Senate Foreign Relations hearing on U.S. engagement in Asia. If you have any questions, let me know.




Sunday, January 24, 2010


I noticed a while ago, and this trend continues, that our creative senders take weekends off. Mailings stop on Friday afternoon and do not resume until 8-10 pm Sunday (which is already Monday in some parts of the world). The greeting card and banking scam artists take no days off - maybe because they are not salarymen?
I hope you all are enjoying your weekend

Friday, January 22, 2010

Mystery Excel from Russia

Download CB572207B25B61FC2EFD76A4CE07B255-buvplpk.xls  as password protected archive (please let me know if you need the password)

  MessageLabs scan detects "Possible MalWare 'Backdoor.Win32.Agent.qwh.dam'"

    -----Original Message-----

    From: Блохин Арсений (Blokhin Arseniy) []
    Sent: 2010-01-22 10:40 AM
    Subject: Distributing information (Russian: Распостраняeм информaцию)

    Mail delivery service (Russian: Служба достaвки почты)

buvplpk.xls received on 2010.01.22 17:30:58 (UTC)
Current status: finished

Result: 0/41 (0.00%)

I checked it with OfficeMalScanner - not malicious.
I will look at it again later, and you are welcome to do so too; please let me know whether or not you find anything.

Jan 22 CVE-2009-4324 Conference Report: Military Confidence Building Measures in the Taiwan Strait from 2010-01-22 8:39 AM

Download  4CE2D4AD39572811D87F22F69C7C203A -  Conference Report.pdf as a password protected archive (please contact me if you need it)

Fri, 22 Jan 2010 05:39:04 -0800 

-----Original Message-----
From: CNA China Studies []
Sent: 2010-01-22 8:39 AM
Subject: Conference Report: Military Confidence Building Measures in the Taiwan Strait
Importance: High


It is with great pleasure that I forward you the link to CNA China
Studies' latest conference report: Military Confidence Building Measures
in the Taiwan Strait.

Since the inauguration of Ma Ying-jeou as Taiwan's president in May
2008, relations between Taipei and Beijing have improved at a rapid
pace.  The resumption of quasi-official talks between the two sides of
the Strait has led to a series of landmark agreements. Among other
promising results, the commencement of direct flights, shipping, and
postal services have been important steps toward reconciliation.
Nevertheless, officials and scholars on both sides of the Strait
recognize that progress has thus far been limited to relatively easy
issues and that addressing such delicate, yet critical, topics as
sovereignty and military deployments will require a prolonged period of
time and greater political trust.

To better understand how officials and experts on both sides of the
Strait are thinking about pursuing military CBMs and creating
appropriate conditions for cross-Strait discussions of CBMs, a CNA-led
delegation visited Taipei and Beijing December 24-28, 2009. This
conference discussed the findings of the trip, including recommendations
for how Taiwan, Mainland China, and the United States can further create
an environment that is favorable to establishing military CBMs. It
provided a venue for informed specialists and U.S. government officials
to discuss the measures and the implications for the United States.

You can access the report, on the CNA China Studies publications page
at: We hope
you will find this report useful.

Very Best Regards,

  CNA China Studies


File Conference_Report.pdf received on 2010.01.22 15:41:36 (UTC)
Result: 2/41 (4.88%)
Avast 4.8.1351.0 2010.01.22 JS:Pdfka-WP
GData 19 2010.01.22 JS:Pdfka-WP 
File size: 235512 bytes
MD5...: 4ce2d4ad39572811d87f22f69c7c203a

Thursday, January 21, 2010

Jan 21 CVE-2009-4324 Cyber Warfare and Cyber Terrorism from 2010-01-21 9:44 AM

Download  CB92CEFF7D73C3EC002CD42165685AA1 - Cyber Warfare and Cyber Terrorism.pdf as a password protected archive (please contact me for the password)

Sent: 2010-01-21 9:44 AM
Subject: Cyber Warfare and Cyber Terrorism

Dear Initiative Working Group member,

We hope that you find this report thought-provoking, and look forward to receiving your comments at any time. We also
apologize if you have already received this report.

Hope it will be of help for your work, and your suggestions will be appreciated.

Best regards,


Director, Initiative for U.S.-China Cooperation on Energy and Climate
Asia Society, Center for U.S.-China Relations
1575 Eye St., NW, Suite 325
Washington, D.C., 20005
Phone: (202) 414-2802 (o); (571) 276-1020 (m)

File Cyber_Warfare_and_Cyber_Terrorism received on 2010.01.21 17:49:00 (UTC)
Result: 8/41 (19.51%)
AntiVir 2010.01.21 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.21 JS:Pdfka-VO
AVG 2010.01.21 Script/Exploit
GData 19 2010.01.21 JS:Pdfka-VO 
Kaspersky 2010.01.21 Exploit.JS.Pdfka.bex
McAfee 5867 2010.01.20 Exploit-PDF.b.gen
McAfee+Artemis 5867 2010.01.20 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.21 Script.Malicious.PDF.Gen
File size: 435947 bytes
MD5   : cb92ceff7d73c3ec002cd42165685aa1

Jan 20 CVE-2009-4324 Road Map for Asian-Pacific Security from spoofed 20 Jan 2010 15:13:10 -0000

Attack of the clones. Here is the third one with the same MD5 hash as
Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed 20 Jan 2010 14:26:00 -0000 and
Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]

 Same IP address of the sender as in Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed 20 Jan 2010 14:26:00 -0000

 Download  238ECF8C0AEE8BFD216CF3CAD5D82448 - Road Map for Asian-Pacific Security.pdf as a password protected archive (please contact me for the password if you need it)

From: Schmitt, Gary J. []
Sent: Wednesday, January 20, 2010 10:13 AM
To: "Undisclosed-Recipient:;"
Subject: Road Map for Asian-Pacific Security


This is the second of two Outlooks on the Obama administration's foreign policy approach to Asia. Neither the Clinton nor Bush administrations took full advantage of the growing impetus among the states of the Asia-Pacific region to work through multilateral forums. The Obama administration appears to be following the same pattern. Today a hodgepodge of institutions and forums exists in Asia, but none of them addresses the strategic needs of the region. The United States needs to find ways to maximize its influence through new regionwide forums and institutional arrangements. A two-tiered multilateral approach could benefit the nations in the region and the United States.

Please see the attached for more information.

Hope it will be of help for your work, and your suggestions will be appreciated.



Received: (qmail 15802 invoked from network); 20 Jan 2010 15:13:10 -0000
Received: from (HELO (
Received: by (8.12.11/ver5(11/20/06)) id o0KFD71C016512; Thu, 21 Jan 2010 00:13:07 +0900
Received: from (virus01 [])
    by (Postfix) with ESMTP id DD9C733643
    for xxxxxxxxxxxxxxx; Thu, 21 Jan 2010 00:13:07 +0900 (JST)
Received: from ( [])
    by (Postfix) with ESMTP id 9201F3A209
    for XXXXXXXXXXXXXXXX; Thu, 21 Jan 2010 00:13:07 +0900 (JST)
Received: from ( [])
    by (Postfix) with SMTP id 1C96A32E27
    for XXXXXXXXXXXXXXX; Thu, 21 Jan 2010 00:13:02 +0900 (JST)
Received: (qmail 21106 invoked from network); 21 Jan 2010 00:12:56 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@
  by with SMTP; 21 Jan 2010 00:12:56 +0900
Message-ID: <3BB0641226EF4F6A9F46A0CFE30A784D@3me8de026f8d12>
From: "Schmitt, Gary J."
To: <"Undisclosed-Recipient:;">
Subject: Road Map for Asian-Pacific Security
Date: Wed, 20 Jan 2010 10:12:54 -0500

Indeed. See Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed 20 Jan 2010 14:26:00 -0000 and Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]
 File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Current status: finished

Result: 12/41 (29.27%)
MD5   : 238ecf8c0aee8bfd216cf3cad5d82448

 File Road_Map_for_Asian-Pacific_Securi received on 2010.01.21 12:47:33 (UTC)
Result: 12/40 (30%)
Antivirus     Version     Last Update     Result
a-squared    2010.01.21    Exploit.PDF-JS!IK
AntiVir    2010.01.21    HTML/Malicious.PDF.Gen
Avast    4.8.1351.0    2010.01.21    JS:Pdfka-VO
AVG    2010.01.21    Script/Exploit
BitDefender    7.2    2010.01.21    Trojan.Script.256073
F-Secure    9.0.15370.0    2010.01.21    Exploit:W32/Pidief.CKZ
GData    19    2010.01.21    Trojan.Script.256073
Ikarus    T3.    2010.01.21    Exploit.PDF-JS
Kaspersky    2010.01.21    Exploit.JS.Pdfka.bex
McAfee    5867    2010.01.20    Exploit-PDF.b.gen
McAfee+Artemis    5867    2010.01.20    Exploit-PDF.b.gen
McAfee-GW-Edition    6.8.5    2010.01.21    Script.Malicious.PDF.Gen

File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448

Wednesday, January 20, 2010

Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed 20 Jan 2010 14:26:00 -0000

This is my favorite of all time; they have some nerve. I know the George Washington University did not move to China yet. Plus we already received his file yesterday.

Update Jan 21. F-Secure analysts reported that this pdf attachment (or identical file they got)  drops Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435), which gets detected as W32/PoisonIvy.NQ, aka Poison Ivy RAT.

Download 238ecf8c0aee8bfd216cf3cad5d82448 - Chinese_cyberattack.pdf as password protected archive (please contact me if you need the password)

From: XXXXXXX [mailto:]
Sent: 2010-01-20 9:26 AM
To: "Undisclosed-Recipient:;"
Subject: Chinese cyberattack


Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.

If you have any good ideas / comments, they are warmly welcome as feedback.



Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from (HELO (
Received: by (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from (virus05 [])
    by (Postfix) with ESMTP id 127D333642
    for XXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from ( [])
    by (Postfix) with ESMTP id A7F8635C46
    for XXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from ( [])
    by (Postfix) with SMTP id 09AF434002
    for XXXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@
  by with SMTP; 20 Jan 2010 23:25:46 +0900
From: "Shambaugh, David"
To: <"Undisclosed-Recipient:;">
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100

ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Cable/DSL
Country: China  
City: Nanjing
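What gives the message above away is in the Received chain rather than the From line: the last Received header (the first hop) names the submitting client only by a bare Windows-style HELO string, the Date header the client wrote claims a +0100 clock while the relay that accepted it stamped +0900, and the To line hides the recipient list. The block below is an added example, not part of the original post or of any tool it mentions, that pulls those indicators out of a raw message offline. Its sample headers are constructed to mirror the chain quoted above, with placeholder relay names and RFC 5737 addresses (203.0.113.45, 192.0.2.x) in place of the real ones; each indicator is a reason to look harder, not proof of forgery.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the chain quoted above. Relay names and addresses
# are placeholders (example domains, RFC 5737 TEST-NET ranges), not the real ones;
# the bare HELO name, the timestamps and the Date header mirror the post.
SAMPLE = """\
Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from mx1.example.jp (HELO mx1.example.jp) (192.0.2.10)
  by inbound.example.net with SMTP; 20 Jan 2010 14:26:00 -0000
Received: from mx1.example.jp (virus05 [192.0.2.11])
    by mx1.example.jp (Postfix) with ESMTP id 127D333642
    for <victim@example.net>; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@203.0.113.45)
  by mx1.example.jp with SMTP; 20 Jan 2010 23:25:46 +0900
From: "Shambaugh, David" <lecturer@example.edu>
To: <"Undisclosed-Recipient:;">
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100

(attachment omitted)
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(msg):
    """Received hops in chronological order: the last Received header is the first hop."""
    hops = []
    for raw in reversed(msg.get_all("Received") or []):
        line = " ".join(raw.split())                  # unfold continuation lines
        if not line.startswith("from "):              # e.g. "(qmail ... invoked from network)"
            continue
        helo = re.search(r"\(HELO ([^)\s]+)\)", line) or re.search(r"^from (\S+)", line)
        ip = IP_RE.search(line)
        stamp = None
        if ";" in line:                               # the receiving MTA's own timestamp
            try:
                stamp = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append({"helo": helo.group(1), "ip": ip.group(1) if ip else None, "time": stamp})
    return hops


def spoof_indicators(msg):
    """Cheap offline checks; each hit is a reason to look harder, not proof of forgery."""
    notes = []
    hops = received_hops(msg)
    if not hops:
        return ["no Received hop names a remote host"]
    origin = hops[0]
    if "." not in origin["helo"]:
        notes.append("origin HELO %r is a bare host name, not an FQDN" % origin["helo"])
    date_hdr = msg.get("Date")
    if date_hdr and origin["time"] is not None and origin["time"].tzinfo is not None:
        sent = parsedate_to_datetime(date_hdr)
        if sent.tzinfo is not None:                   # "-0000" yields a naive datetime
            if sent.utcoffset() != origin["time"].utcoffset():
                notes.append("Date header zone %s differs from first relay zone %s"
                             % (sent.strftime("%z"), origin["time"].strftime("%z")))
            if abs((origin["time"] - sent).total_seconds()) > 3600:
                notes.append("sender clock and first relay differ by more than an hour")
    if "undisclosed-recipient" in (msg.get("To") or "").lower():
        notes.append("recipients hidden behind Undisclosed-Recipient (bulk send)")
    return notes


def analyze(raw_message):
    """Parse a raw message and return (hops, indicators)."""
    msg = message_from_string(raw_message)
    return received_hops(msg), spoof_indicators(msg)


if __name__ == "__main__":
    hops, notes = analyze(SAMPLE)
    print("origin:", hops[0])
    for n in notes:
        print("-", n)
```

Geolocating the origin IP (the Nanjing lookup above) is the one step this leaves out, since it needs a WHOIS or GeoIP database; feed `hops[0]["ip"]` to whichever one you use.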


File has already been analyzed

File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Result: 12/41 (29.27%)
a-squared 2010.01.20 Exploit.PDF-JS!IK
AntiVir 2010.01.20 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.20 JS:Pdfka-VO
AVG 2010.01.19 Script/Exploit
BitDefender 7.2 2010.01.20 Trojan.Script.256073
F-Secure 9.0.15370.0 2010.01.20 Exploit:W32/Pidief.CKZ
GData 19 2010.01.20 Trojan.Script.256073
Ikarus T3. 2010.01.20 Exploit.PDF-JS
Kaspersky 2010.01.20 Exploit.JS.Pdfka.bex
McAfee 5866 2010.01.19 Exploit-PDF.b.gen
McAfee+Artemis 5866 2010.01.19 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.20 Script.Malicious.PDF.Gen
Additional information
File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448

Wepawet shows it under a different name, from a file we scanned earlier (same MD5 hash); we have a post for this one already:
Sample Overview
File Obama's First Year in Foreign Policy.pdf
MD5 238ecf8c0aee8bfd216cf3cad5d82448
Analysis Started 2010-01-19 20:07:01
Report Generated 2010-01-19 20:12:10
Jsand 1.03.02 benign 

Trojan.Hydraq detection and naming

OK, it is not really a big deal: the trojan has been in the wild since at least 2006 and Symantec just gave it a better name. It was discovered not on January 11, 2010 but much earlier. I like Hydraq better than just Trojan Horse, really. Why Hydraq? What prompted the name, I wonder.

Here is a Symantec blog entry linking Hydraq to attacks on Google Hydraq - An Attack of Mythical Proportions

Update Jan. 20, 2010: Please read more about the Internet Explorer 0-day CVE-2010-0249 (Exploit-Comele / Hydraq / Aurora) here and here

Update Jan 24, 2010: Download Hydraq
As you see, Hydraq is well researched and most AV products detect the key files. I can provide the following files to antivirus and IT security companies/researchers.

c_1758.nls (ba3545841d8a40ed8493e22c0e70a72c)- copy of the trojan
Acelpvc.dll (4A47404FC21FFF4A1BC492F9CD23139C)- helper file
VedioDriver.dll (467EEF090DEB3517F05A48310FCFD4EE)- helper file

Results on January 17, 2010

Discovered: January 11, 2010
Updated: January 11, 2010 2:59:20 PM
Also Known As: TROJ_HYDRAQ.A [Trend]
Type: Trojan
Infection Length: 81,920 bytes
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
This Trojan may arrive in an email or it may be dropped or downloaded by another threat.

When executed, the threat creates one of the following files:

It then creates a service with the following characteristic:
File c_1758.nls received on 2010.01.17 03:22:11 (UTC)
Result: 25/41 (60.98%)
Antivirus     Version     Last Update     Result
a-squared     2010.01.16     CC.Agent.BA!IK
AhnLab-V3     2010.01.16     Win-Trojan/Agent.20480.PL
AntiVir     2010.01.16     CC/Agent.BA
Avast     4.8.1351.0     2010.01.16     Win32:Trojan-gen
BitDefender     7.2     2010.01.17     Trojan.Generic.1470226
CAT-QuickHeal     10.00     2010.01.16     Trojan.Agent.ATV
Comodo     3608     2010.01.17     UnclassifiedMalware
eSafe     2010.01.14     Win32.CCAgent.Ba
eTrust-Vet     35.2.7240     2010.01.15     Win32/Enuairs.A
F-Secure     9.0.15370.0     2010.01.16     Trojan.Generic.1470226
Fortinet     2010.01.16     PossibleThreat
GData     19     2010.01.17     Trojan.Generic.1470226
Ikarus     T3.     2010.01.16     CC.Agent.BA
K7AntiVirus     7.10.949     2010.01.16     Trojan.Win32.Malware.1
McAfee+Artemis     5863     2010.01.16     Generic.dx
McAfee-GW-Edition     6.8.5     2010.01.16     Virus.Agent.BA
Microsoft     1.5302     2010.01.16     Trojan:Win32/Bumat!rts
nProtect     2009.1.8.0     2010.01.16     Trojan/W32.Agent.20480.KJ
Panda     2010.01.16     Generic Trojan
PCTools     2010.01.17     Trojan.Hydraq
Prevx     3.0     2010.01.17     Medium Risk Malware
Rising     2010.01.17     Trojan.Spy.Rasmon.a
Symantec     20091.2.0.41     2010.01.17     Trojan.Hydraq
TrendMicro     2010.01.16     TROJ_Generic.ADV
Additional information
File size: 20480 bytes
MD5   : ba3545841d8a40ed8493e22c0e70a72c

Results on April 3, 2009

same file
 File c_1758.nls received on 2009.04.03 17:28:45 (UTC)
Result: 15/40 (37.50%)
a-squared     2009.04.03     CC.Agent.BA!IK
AhnLab-V3     2009.04.03     Win-Trojan/Agent.20480.PL
AntiVir     2009.04.03     CC/Agent.BA
Avast     4.8.1335.0     2009.04.03     Win32:Trojan-gen {Other}
BitDefender     7.2     2009.04.03     Trojan.Generic.1470226
eTrust-Vet     31.6.6434     2009.04.03     Win32/Enuairs.A
Fortinet     2009.04.03     PossibleThreat
K7AntiVirus     7.10.692     2009.04.03     Trojan.Win32.Malware.1
McAfee-GW-Edition     6.7.6     2009.04.03     Virus.Agent.BA
Rising     2009.04.03     Trojan.Spy.Rasmon.a
Symantec     2009.04.03     Trojan Horse
Additional information
File size: 20480 bytes
MD5...: ba3545841d8a40ed8493e22c0e70a72c

file timedatestamp.....: 0x44e1d7b3 (Tue Aug 15 14:18:27 2006)
The first known attack attempt using this trojan - December 20, 2006
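The 2006 claim above rests on the compile timestamp: IMAGE_FILE_HEADER.TimeDateStamp is a 32-bit Unix time the linker writes into the PE header, and 0x44e1d7b3 decodes to Tue Aug 15 14:18:27 2006 UTC. The block below is an added example, not from this page or from any of the scanners quoted on it: it reads that field together with the hashes, size and machine type VirusTotal lists, and builds a minimal constructed MZ/PE header stamped 0x44e1d7b3 to check the decoding. The stamp is attacker-controlled data: a value of zero, or one later than the file's first sighting, is the usual sign it was wiped or forged, which is what stamp_reliable() flags.

```python
import hashlib
import struct
from datetime import datetime, timezone


def _pe_offset(data: bytes) -> int:
    """Locate the 'PE\\0\\0' signature via e_lfanew in the DOS header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def pe_timestamp(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as a UTC datetime."""
    off = _pe_offset(data) + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, off)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def machine_type(data: bytes) -> int:
    """IMAGE_FILE_HEADER.Machine, e.g. 0x14C for Intel i386."""
    return struct.unpack_from("<H", data, _pe_offset(data) + 4)[0]


def triage(data: bytes) -> dict:
    """The fields a sample post on this page lists: hashes, size, machine, compile stamp."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "machine": machine_type(data),
        "compiled_utc": pe_timestamp(data).strftime("%a %b %d %H:%M:%S %Y"),
    }


def stamp_reliable(data: bytes, first_seen_unix: int) -> bool:
    """False when the stamp is zero (wiped) or later than the first sighting (forged)."""
    stamp = int(pe_timestamp(data).timestamp())
    return 0 < stamp <= first_seen_unix


def build_stub(stamp: int, machine: int = 0x14C) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable program) carrying the given stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, stamp, 0, 0, 0xE0, 0x10F)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    stub = build_stub(0x44E1D7B3)                     # the stamp quoted for c_1758.nls above
    print(triage(stub))
    print("stamp predates first VT sighting (2009-04-03):", stamp_reliable(stub, 1238779725))
```

Run it on the real sample instead of the stub (`triage(open(path, "rb").read())`) and compare the MD5 with the one in the post; the stub exists only so the decoding can be checked without the malware.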

File f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430 (VedioDriver.dll, MD5 467eef090deb3517f05a48310fcfd4ee) received on 2010.01.20 21:31:50 (UTC)

Result: 18/40 (45.00%)
a-squared 2010.01.20 RemoteAccess!IK
AntiVir 2010.01.20 APPL/Remote.RealVNC.95
AVG 2010.01.19 BackDoor.Agent.AFFU
ClamAV 0.94.1 2010.01.20 Trojan.Hydraq-3
Comodo 3650 2010.01.20 UnclassifiedMalware
eTrust-Vet 35.2.7249 2010.01.20 Win32/Aviror.A
Ikarus T3. 2010.01.20 RemoteAccess
K7AntiVirus 7.10.951 2010.01.20 Trojan.Win32.Malware.1
McAfee 5867 2010.01.20 Roarur.dll
McAfee+Artemis 5867 2010.01.20 Roarur.dll
McAfee-GW-Edition 6.8.5 2010.01.20 Riskware.Remote.RealVNC.95
Microsoft 1.5302 2010.01.20 Backdoor:Win32/Mdmbot.C
Panda 2010.01.20 Trj/CI.A
PCTools 2010.01.19 Trojan.Hydraq
Sophos 4.50.0 2010.01.20 Mal/Spy-E
Symantec 20091.2.0.41 2010.01.20 Trojan.Hydraq
TrendMicro 2010.01.20 TROJ_HYDRAQ.H
VirusBuster 2010.01.20 Backdoor.Mdmbot.B

File size: 8192 bytes
MD5   : 467eef090deb3517f05a48310fcfd4ee
SHA1  : 43d20c85e323b59e7971626a3c1fe1542ab945f7
SHA256: f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430
PEInfo: PE Structure information
entrypointaddress.: 0x1C37
timedatestamp.....: 0x4473474A (Tue May 23 19:32:58 2006)
machinetype.......: 0x14C (Intel I386)
 File acelpvc.dll received on 2010.01.22 06:00:03 (UTC)
Result: 21/41 (51.22%)
Antivirus     Version     Last Update     Result
a-squared     2010.01.22     Win32.SuspectCrc!IK
AhnLab-V3     2010.01.22     Win-Trojan/Mdmbot.136704
AntiVir     2010.01.21     APPL/Remote.RealVNC.94
BitDefender     7.2     2010.01.22     Trojan.Generic.2992679
ClamAV     0.94.1     2010.01.22     PUA.Packed.ASPack212
eTrust-Vet     35.2.7251     2010.01.21     Win32/Hydraq.A
F-Secure     9.0.15370.0     2010.01.22     Trojan.Generic.2992679
GData     19     2010.01.22     Trojan.Generic.2992679
Ikarus     T3.     2010.01.22     Win32.SuspectCrc
Kaspersky     2010.01.22     Trojan.Win32.Genome.eraf
McAfee     5868     2010.01.21     Roarur.dll
McAfee+Artemis     5868     2010.01.21     Roarur.dll
McAfee-GW-Edition     6.8.5     2010.01.21     Riskware.Remote.RealVNC.94
Microsoft     1.5302     2010.01.21     Backdoor:Win32/Mdmbot.C
Panda     2010.01.21     Suspicious file
PCTools     2010.01.22     Trojan.Hydraq
Sunbelt     3.2.1858.2     2010.01.22     Trojan.Win32.Generic!BT
Symantec     20091.2.0.41     2010.01.22     Trojan.Hydraq
TrendMicro     2010.01.22     TROJ_HYDRAQ.G
VirusBuster     2010.01.21     Backdoor.Mdmbot.A
Additional information
File size: 136704 bytes
MD5   : 4a47404fc21fff4a1bc492f9cd23139c

Tuesday, January 19, 2010

Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]

Download 238ecf8c0aee8bfd216cf3cad5d82448 - Obama's First Year in Foreign Policy.pdf as password protected archive (please contact me for the password if you need it)

From: Suzy George [mailto:[redacted]]
Sent: Tuesday, January 19, 2010 8:32 AM
To: "Undisclosed-Recipient:;"
Subject: Obama's First Year in Foreign Policy

Jan 19 CVE-2009-4324 + CVE-2008-2992 Revitalizing Democracy Assistance from Jan 19, 2010 9:42 AM

 Download 9088220c7fa358f70a95455630e4eedd - revitalizing_democracy_assistance_summary.pdf as password protected archive (please contact me for the password)

Details: 9088220C7FA358F70A95455630E4EEDD - revitalizing_democracy_assistance_summary.pdf

From: Thomas Carothers []
Sent: Tuesday, January 19, 2010 9:42 AM
Subject: Revitalizing Democracy Assistance


Thomas Carothers
Vice President for Studies, CEIP


File revitalizing_democracy_assistance received on 2010.01.20 04:37:33 (UTC)
Result: 2/41 (4.88%)
Avast    4.8.1351.0    2010.01.19    JS:Pdfka-WP
GData    19    2010.01.20    JS:Pdfka-WP
File size: 235512 bytes
MD5...: 9088220c7fa358f70a95455630e4eedd

File    revitalizing_democracy_assistance_summary.pdf
MD5    9088220c7fa358f70a95455630e4eedd
Analysis Started    2010-01-19 20:58:32
Report Generated    2010-01-19 20:58:36
Jsand 1.03.02    malicious    Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2    CVE-2009-4324

EXECUTABLE SCAN: PDF Exploit suspicious use of util.printd CVE-2008-2992 (pdfexploit/full)
Confidence ranking: 90 (4 hits).
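Both Wepawet hits above come down to which JavaScript API names the embedded script calls once its streams are decoded: media.newPlayer for CVE-2009-4324 and util.printd for CVE-2008-2992 (with Collab.getIcon and Collab.collectEmailInfo standing for CVE-2009-0927 and CVE-2007-5659 in the Jan 27 sample). The scanner below is an added example, not part of this page or of Wepawet: it pulls each stream object out of a PDF, reverses the ASCIIHexDecode and FlateDecode filters (the combination the Jan 12 extraexploit write-up mentions), undoes the cheap name and string escapes, and reports which of those API names appear and whether an OpenAction or AA entry fires the script without a click. The document it scans is constructed inline for the test and is not one of the samples above; real samples add further layers (split strings, eval of assembled code, encrypted objects), so a miss here is not a clean bill of health.

```python
import binascii
import re
import zlib

# JavaScript API names that the write-ups on this page tie to specific CVEs.
API_TO_CVE = {
    b"media.newPlayer": "CVE-2009-4324",        # Doc.media.newPlayer use-after-free
    b"util.printd": "CVE-2008-2992",            # util.printd buffer overflow
    b"Collab.getIcon": "CVE-2009-0927",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
}

# A stream object: its dictionary (no '>>' inside; nested dicts are not handled) and raw body.
STREAM_RE = re.compile(rb"<<((?:[^>]|>(?!>))*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unhex(m):
    return bytes([int(m.group(1), 16)])


def normalize(data: bytes) -> bytes:
    """Undo cheap obfuscation before searching: PDF name escapes (/J#61vaScript),
    JavaScript \\xNN escapes and unescape()-style %NN sequences."""
    data = re.sub(rb"#([0-9A-Fa-f]{2})", _unhex, data)
    data = re.sub(rb"\\x([0-9A-Fa-f]{2})", _unhex, data)
    data = re.sub(rb"%([0-9A-Fa-f]{2})", _unhex, data)
    return data


def decode_stream(dictionary: bytes, body: bytes) -> bytes:
    """Apply the /Filter chain named in the stream dictionary, in order."""
    for name in re.findall(rb"/(ASCIIHexDecode|FlateDecode)\b", dictionary):
        if name == b"ASCIIHexDecode":
            hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", body.split(b">", 1)[0])
            if len(hexdata) % 2:
                hexdata += b"0"                    # the spec pads an odd final digit with 0
            body = binascii.unhexlify(hexdata)
        else:
            # decompressobj() returns what it can from the truncated or trailing-garbage
            # streams malicious PDFs often carry, where zlib.decompress() would raise.
            body = zlib.decompressobj().decompress(body)
    return body


def scan_pdf(data: bytes) -> dict:
    """Report JavaScript triggers and the exploit APIs referenced anywhere in the file."""
    report = {"streams": 0, "javascript": False, "auto_action": False, "cves": set()}
    blobs = [data]                                  # the raw file is searched as well
    for dictionary, body in STREAM_RE.findall(data):
        report["streams"] += 1
        try:
            blobs.append(decode_stream(dictionary, body))
        except (zlib.error, binascii.Error):
            continue
    for blob in blobs:
        text = normalize(blob)
        if re.search(rb"/(JS|JavaScript)\b", text):
            report["javascript"] = True
        if re.search(rb"/(OpenAction|AA)\b", text):  # script runs without user interaction
            report["auto_action"] = True
        for api, cve in API_TO_CVE.items():
            if api in text:
                report["cves"].add(cve)
    return report


def build_sample() -> bytes:
    """Constructed test document, not one of the samples above: the script is hidden
    behind ASCIIHexDecode then FlateDecode and the action type name is escaped."""
    js = b"var p = media.newPlayer(null); util.printd('dd/mm', new Date());"
    payload = binascii.hexlify(zlib.compress(js)) + b">"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n",
        b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n",
        b"3 0 obj << /Length ", str(len(payload)).encode(),
        b" /Filter [/ASCIIHexDecode /FlateDecode] >>\nstream\n",
        payload, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    print(scan_pdf(build_sample()))
```

Point `scan_pdf` at a real sample with `scan_pdf(open(path, "rb").read())`; an empty `cves` set with `javascript` True still means the script needs manual decoding, which is the case for most of the samples listed on this page.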

Sunday, January 17, 2010

Jan 17 Trojan Darkmoon.B EXE Haiti relief from 17 Jan 2010 13:15:02 -0800 PST

This message contains a zip attachment with ârâfâI.exe (Darkmoon.B) and a 20100118.pdf (containing pictures).

Download the A4754BE7B34ED55FAFF832EDADAC61F6 archive (password protected, please contact me if you need it)

The message is in Japanese

From: []
Sent: Sunday, January 17, 2010 4:15 PM
To: xxxxxxxxxxx
Subject: ハイチの救援活動が難航 7千人埋葬、時間との勝負 (Haiti relief efforts struggling: 7,000 buried, a race against time)

ハイチの救援活動が難航 7千人埋葬、時間との勝負

Subject (translated): Haiti relief efforts struggling: 7,000 buried, a race against time
Haiti relief efforts struggling: 7,000 buried, a race against time
[Kyodo] On the 14th, two days after the major earthquake in Port-au-Prince, Haiti, rescue teams from Western countries arrived on the scene and began searching for victims buried under collapsed houses, and international relief activities started in earnest. However, the effort faces difficulties, including a shortage of medical personnel.

Friday, January 15, 2010

Jan15 CVE-2009-4324 USEUCOM Intelligence Summit from 15 Jan 2010 00:47:09 PST

Here is a fake, trojan-laden PDF about the United States European Command Intelligence Summit.

Download Agenda.pdf as (Password protected, please contact me if you need it)

Details: c3079303562d4672d6c3810f91235d9b - Agenda.pdf 

From: Malkhaz Jamureli []
Sent: 2010-01-15 3:47 AM
Subject: Fw: USEUCOM Intelligence Summit

The USEUCOM Intelligence Summit, taking place February 15-17, 2010 in Heidelberg, Germany
The theme for the summit is: “Building Partnerships-Linking Nations” and it will bring together working staff-level US and European mission partner capability planners, program managers, intelligence producers, end-users, and subject matter experts from government, military, law enforcement, academia, private sector, and leading edge technology organizations to discuss and determine ways to improve Intelligence-Sharing and Collaboration capabilities that address common challenges in the Regional and International Security Environment.
Conference Objectives
--  Discuss common US-European security challenges where increased intelligence-sharing and collaboration are needed
--  Highlight US and European Partner intelligence-sharing and collaboration capabilities, programs, and technologies
--  Demonstrate enabling concepts, technologies, business processes, and best practices available from US and European mission partners,  academia, private sector, and industry.
--  Identify initiatives, establish relationships, and create opportunities to improve development and delivery of intelligence-sharing and collaboration architectures and systems capabilities in the near to mid-term.
MAJ Malkhaz Jamureli
Defense, Military, Naval and Air Attache
Embassy of Georgia
2209 Massachusetts Ave., NW
Washington, DC 20008
Comm: 202-387-2580
FAX:   202-387-2581

Jan 15 Zany.pdf -fc5196ff7d14bda18cd9f89d81f913db

This file, from a URL, was submitted by TarunKumar Singh - thank you, TarunKumar.

Download  zany.pdf as (Password protected. Please contact me for the password)

Details: fc5196ff7d14bda18cd9f89d81f913db - zany.pdf

File zany.pdf99 received on 2010.01.16 11:18:07 (UTC)
F-Secure     9.0.15370.0     2010.01.16     Exploit:W32/Pidief.CKT
Kaspersky     2010.01.16     Exploit.Win32.Pidief.cyn
PCTools     2010.01.16     Trojan.Pidief
Sophos             4.49.0     2010.01.16     Mal/PDFEx-D
Sunbelt     3.2.1858.2     2010.01.16     Exploit.PDF-JS.Gen (v)
Symantec     20091.2.0.41     2010.01.16     Trojan.Pidief.H
File size: 3701 bytes
MD5   : fc5196ff7d14bda18cd9f89d81f913db

Thursday, January 14, 2010

Technical analysis of CVE-2009-4324 samples by different analysts

Please see the technical analyses of some of the samples, kindly offered by different analysts.

Analysis of Jan 7 US-J-India_strategic_dialogue sample
Us-J-India_strategic_dialogue.pdf --- MD5 12aab3743c6726452eb0a91d8190a473

All contagio samples

Analysis by extraexploit  (
January 12, 2010  Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day (for Jan 7 US-J-India_strategic_dialogue sample) -- New
December 29, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection
December 19, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas
December 18, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0

Analysis by Wh's Behind (

January 14  CVE-2009-4324 (Us-J-India_strategic_dialogue.pdf) by Wh's Behind New
December 30, 2009 CVE-2009-4324 0-day vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (new PDF from Taiwan govs) -
December 22, 2009 CVE-2009-4324 vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)

Analysis of Interview Outline by kaito (
December 26, 2009 Checking the exploit code contained in a malicious PDF (original title in Japanese: 悪意あるPDF(malicious PDF)に含まれる Exploit コードを で確認する)

 Analysis by demantos (

December 22, 2009 Adobe 0-Day
December 16, 2009 New Adobe Reader and Acrobat Vulnerability

CVE-2009-4324 Samples from other sources:
Analysis by Bojan Zdrnja - SANS (

January 4, 2010 Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324

Analysis by VRT (
December 15, 2009 - Adobe Reader media.newPlayer() Analysis (CVE-2009-4324) 

Let me know if I missed any you think need to be added.