Contagio Exchange - Contagio community malware dump

Tuesday, March 30, 2010

ESET Nod32 detection of CVE-2010-0806

Update, March 30, 2010: ESET quickly corrected the false positive, so there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and I do not see the CVE-2010-0806 exploit in them. They seem to be false positives, some sort of ad scripts.

    * hxxp://assets.loomia.com/js/clixdom.js
    * hxxp://widget-cache.loomia.com/js/onewidget_clix.js
    * hxxp://a.l.yimg.com/a/lib/s5/searchpad_core_metro_js_200911061221.js

File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
Antivirus     Version     Last Update     Result
NOD32     4985     2010.03.30     JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this related discussion: JS/Exploit.CVE-2010-0806 trojan on Yahoo

Mar 30 CVE-2010-0806 IE 0-day hxxp://bbs.vgl.co.kr/bbs/icon/ie.html

http://www.virustotal.com/analisis/6827df1e55c9d7bbbf80272a919606aa7d5ee7b90fd049d67c6b2c0e2f458819-1269977772
File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    5.2.0.5    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    9.0.0.787    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    7.0.17.0    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    4.5.1.85    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    4.0.14.0    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.1.1.80.0    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    7.0.0.125    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    5.0.27.0    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5: fcfeb0287f172a2c58f680fcd120ea48

bbs.vgl.co.kr has one IP number, which is the same as for vgl.co.kr, but the reverse is 211-115-80-207.kidc.net. vgl.co.kr and http://www.robtex.com/dns/www.vgl.co.kr.html point to the same IP. vgl.co.kr is delegated to two nameservers; however, one delegated nameserver is missing in the zone. Incoming mail for vgl.co.kr is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. bbs.vgl.co.kr is hosted on a server in Korea. It is not listed in any blacklists.
Hostname: 211-115-80-207.kidc.net
ISP: KRNIC
Organization: Hanbiro, Inc.
Country: Korea, Republic of
State/Region: Soul-t'ukpyolsi
City: Seoul

Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from americansina@gmail.com

Download d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf as a password-protected archive (please contact me if you need the password)

Details d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf

From: Dean Cheng [mailto:americansina@gmail.com]
Sent: 2010-03-30 9:18 AM
Subject: China and Foreign Military Modernization

Dear Folks,

One of the little-noticed actions in the recently concluded session of the Chinese National People’s Congress was the enactment of a National Defense Mobilization Law. In an age when conventional conflicts are planned to conclude in a matter of days or weeks, it is striking that the People’s Republic of China (PRC) should choose to ensure its readiness for a protracted war. Indeed, it suggests that the People’s Liberation Army (PLA) is thinking about future wars in a very different way from their Western counterparts, where full-scale mobilization is rarely discussed at all. Whereas the U.S. and its allies have mostly neglected the prospect of a prolonged high-intensity conflict, the PLA appears intent on preparing for both short- and long-term wars.

The actions of the National People’s Congress have distinct implications for U.S. defense planners, as they portend an opponent who may choose to fight a protracted conflict—but with anti-ship missiles rather than IEDs. And it should also raise questions among foreign investors—how might their facilities and assets be treated in the event of a crisis?

We have drafted a memo in this regard, as attached. Your inputs are highly appreciated.

Best regards,

Cheng
--
Dean Cheng
Research Fellow, Asian Studies Center
---------
Virustotal
http://www.virustotal.com/analisis/8b821297ce83d927e3ab73fe465149beb64b67d5b2cbee1cfaa4953c84c6a302-1269966037
File WebMemo.pdf received on 2010.03.30 16:20:37 (UTC)
Result: 8/42 (19.05%)
Antivirus     Version     Last Update     Result
Avast     4.8.1351.0     2010.03.30     JS:Pdfka-XX
Avast5     5.0.332.0     2010.03.30     JS:Pdfka-XX
BitDefender     7.2     2010.03.30     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.03.30     Exploit.PDF-JS.Gen
GData     19     2010.03.30     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.03.30     Exploit.JS.Pdfka.bvz
Microsoft     1.5605     2010.03.30     Exploit:Win32/Pdfjsc.gen!A
nProtect     2009.1.8.0     2010.03.30     Exploit.PDF-JS.Gen
Additional information
File size: 201777 bytes
MD5: d7520d1957d5ef26e068727fac4c4f02

Vicheck.ca
https://www.vicheck.ca/md5query.php?hash=d7520d1957d5ef26e068727fac4c4f02
Type: PDF Exploit call to media.newPlayer CVE-2009-4324
XOR Key:0x[]

Monday, March 29, 2010

Malware links March 2010

If you are looking for links to download samples, see Links and resources for malware samples.

Sunday, March 28, 2010

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from richard.mark45@yahoo.com

Malicious link: hxxp://spot-news.com/spot/news.html

Here is one more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark [mailto:richard.mark45@yahoo.com]
Sent: Sunday, March 28, 2010 11:17 PM
To: XXXXXXXXXXXXXX
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

U.S.-ROK ALLIANCE

In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [123.125.156.136] by web114509.mail.gq1.yahoo.com via HTTP;
 Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

Sender IP info
Hostname: 123.125.156.151
ISP: China Unicom Beijing Province Network
Organization: China Unicom Beijing Province Network
Proxy: Suspected network sharing device.
Country: China
State/Region: Beijing
City: Beijing

The exploit and all other details are the same as in this post from earlier today.

Saturday, March 27, 2010

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from kevin.bohn33@hotmail.com

Malicious link: hxxp://spot-news.com/test/test.html (still active on March 27, 2010), Internet Explorer zero-day exploit

Download 043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password-protected archive (please contact me if you need the password)

Details on the link and files

From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
Sent: Saturday, March 27, 2010 7:35 AM
To: XXXXXXXXXXX
Subject: Dozens missing after ship sinks near North Korea

Dozens missing after ship sinks near North Korea
A navy ship sank in tense Yellow Sea waters off the coast of North Korea.

Detail Story   http://www.mofat.go.kr/press/breifing
_______________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

Headers
Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Sat, 27 Mar 2010 04:34:39 -0700
Message-ID:
Return-Path: kevin.bohn33@hotmail.com
Content-Type: multipart/alternative;
    boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn

Sender IP info
Hostname: 123.125.156.151
ISP: China Unicom Beijing Province Network
Organization: China Unicom Beijing Province Network
Proxy: Suspected network sharing device.
Country: China
State/Region: Beijing
City: Beijing

Site host info from robtex.com for hxxp://spot-news.com/test/test.html
124.217.255.232
Hostname: 124.217.255.232
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru

Exploit info
Please see Trancer's post with more details about the exploit and explanation by Praetorian Prefect.

hxxp://spot-news.com/test/test.html

Tested on Windows XP SP2, Internet Explorer 7

The following files were created:

%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\NRUWTV44\winint32.exe

Virustotal
test.htm
File test.htm received on 2010.03.27 21:26:17 (UTC)
Result: 3/42 (7.14%)
Antivirus     Version     Last Update     Result
AVG     9.0.0.787     2010.03.27     Script/Exploit
Microsoft     1.5605     2010.03.27     Exploit:JS/CVE-2010-0806
Sunbelt     6101     2010.03.26     Trojan.JS.BOFExploit (v)

winint32.exe
File winint32.exe received on 2010.03.27 21:29:06 (UTC)
Result: 3/42 (7.15%)
Antivirus     Version     Last Update     Result
Microsoft    1.5605    2010.03.27    Trojan:Win32/Tapaoux.A
Panda    10.0.2.2    2010.03.27    Suspicious file
Symantec    20091.2.0.41    2010.03.27    Suspicious.Insight
File size: 357344 bytes
MD5: 043d308bfda76e35122567cf933e1b2a

Anubis Report

Thursday, March 25, 2010

Mar 25 CVE-2010-0188 PDF Re: conference memo from jesseandy2@gmail.com

Download c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password-protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF

This is a fake conversation, a semi-interesting social engineering trick.

From: Lee [mailto:jesseandy2@gmail.com]
Sent: Thursday, March 25, 2010 11:11 PM
To: XXXXXXXXXXXXXX
Subject: Re: conference memo

Who are you? What do you mean? This conference memo has nothing to do with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:

Hey, this is the last conference memo. After reading it, pls send it to Mr Francis, and delete this mail ASAP.

Lee


    Virustotal report
    http://www.virustotal.com/analisis/49cefe07c61ddce14b2eea7c64a5bc2a97e29e0bbdd0cd52832a1dff0369a523-1269796247
     File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
    Result: 4/42 (9.53%)
    F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
    PCTools    7.0.3.5    2010.03.28    HeurEngine.Pdexe
    Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
    Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
    File size: 76137 bytes
    MD5...: c9c89ebc508c783defe7042eb9c0e5cc

    parsed with pdf-parser.py  





Wednesday, March 24, 2010

Mar 24 CVE-2008-0081 XLS 2010_ beauty calendar from navy_kidds@yahoo.com.tw

Download 7d5b0b8274e189d406cc3374f994e441 2010_.xls as a password-protected archive (please contact me if you need the password)

2010_ beauty calendar

From: bruce Mr. [mailto:navy_kidds@yahoo.com.tw]
Sent: Wednesday, March 24, 2010 4:44 AM
To: XXXXX
Subject: 2010_美女月曆 (2010_ beauty calendar)
Importance: Low

Headers
Received: from [203.188.203.171] by t2.bullet.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:44:02 -0000
Received: from [127.0.0.1] by omp104.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:43:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 403351.51908.bm@omp104.mail.tp2.yahoo.com

Hostname: omp104.mail.tp2.yahoo.com
ISP: TAIPEI, TAIWAN
Organization: TAIPEI, TAIWAN
Country: Taiwan
State/Region: T'ai-pei
City: Taipei

Virustotal
http://www.virustotal.com/analisis/829b04fe2362b07185694f08d25e91372d95afc9540df9247b58157a46da4c02-1269464469
File 2010_.xls received on 2010.03.24 21:01:09 (UTC)
Result: 12/42 (28.58%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.24    Exploit.MSExcel.Agent!IK
Antiy-AVL    2.0.3.7    2010.03.24    Exploit/MSExcel.Agent
Authentium    5.2.0.5    2010.03.24    MSExcel/Dropper.B!Camelot
Comodo    4372    2010.03.24    UnclassifiedMalware
F-Prot    4.5.1.85    2010.03.24    File is damaged
Fortinet    4.0.14.0    2010.03.24    MSExcel/UDDesc.A!exploit.M20080081
Ikarus    T3.1.1.80.0    2010.03.24    Exploit.MSExcel.Agent
Kaspersky    7.0.0.125    2010.03.24    Exploit.MSExcel.Agent.u
McAfee    5930    2010.03.24    Exploit-MSExcel.h
McAfee+Artemis    5930    2010.03.24    Exploit-MSExcel.h
McAfee-GW-Edition    6.8.5    2010.03.24    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
File size: 109184 bytes
MD5: 7d5b0b8274e189d406cc3374f994e441

Mar 24 CVE-2010-0188 PDF rumours in N Korea2010march from coljoint@aol.com

Download 3fe225e4f42dad6a4c4863291f532dd2 rumours_in_N_Korea2010march.pdf as a password-protected archive (please contact me if you need the password)

Details 3fe225e4f42dad6a4c4863291f532dd2 rumours_in_N_Korea2010march.pdf

From: coljoint@aol.com [mailto:coljoint@aol.com]
Sent: Wednesday, March 24, 2010 9:30 AM
To: coljoint@aol.com
Subject: rumours in N Korea2010march
Importance: Low

Hi:
Some rumours suggested that the recent currency reform was associated with Kim Jong-eun. The attachments deal greatly with succession issues and the situation in N Korea.
Best regards

Virustotal
http://www.virustotal.com/analisis/038c36b2f2f4404828a4c5881037d7be5e3373a4ab1ac2e8b2c49a021d22fcf0-1269949382
File rumours_in_N_Korea2010march.pdf received on 2010.03.30 11:43:02 (UTC)
Result: 4/42 (9.53%)
Antivirus     Version     Last Update     Result
ClamAV    0.96.0.0-git    2010.03.30    Exploit.PDF-17840
PCTools    7.0.3.5    2010.03.30    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.30    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.30    Trojan.Pidief.I
Additional information
File size: 191651 bytes
MD5: 3fe225e4f42dad6a4c4863291f532dd2

Parsed with pdf-parser.py