Contagio Exchange - Contagio community malware dump

Friday, May 28, 2010

May 28 CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org


Update: Noticed an interesting post by Nart Villeneuve (Internet Censorship Explorer) regarding this malware and decided to update and resurrect the post 

 Download  4f681733fd9e473c09f967fa87c9faef  EIDHR.xls and all the files described below as a password protected archive (contact me if you need the password)


From: david@humanright-watch.org [mailto:david@humanright-watch.org] On Behalf Of ??
Sent: Friday, May 28, 2010 2:31 AM
To: XXXXXX
Subject: Regarding the EIDHR project

Everyone,
Regarding the EIDHR European human rights project, I consulted friends at the EU in detail. To ensure the application goes through smoothly, some additional materials are still needed; the specific items and a summary of their contents are attached below. Wishing you all success.
Zhang Ying

From: SHARPE Simon (RELEX-BEIJING)
Sent: Monday, May 24, 2010 6:15 PM
Subject: FW: EIDHR call for proposals

Hello everyone:

The EU currently has an EIDHR call for proposals. Its purpose is to fund projects that promote human rights, and it covers a very wide range of areas. Please feel free to share this information with other interested friends.

Project themes
Proposals on the following themes will be given priority:
1. The right to freedom of thought, religion and belief
2. Freedom of speech and expression, including artistic and cultural expression, and the right to information and communication, including media freedom, opposition to censorship and internet freedom
3. The right to peaceful assembly and freedom of association, including the right to form and join trade unions
4. The right to free movement within a country, and to leave any country (including one's own) and return to one's own country

Project activities
Project activities may take a range of forms, from monitoring, advocacy, public information and awareness-raising to capacity building, training and dialogue with stakeholders. The ultimate goal is to strengthen the autonomy of civil society organisations in the country concerned.
Total funding per project is a minimum of EUR 150,000 and a maximum of EUR 1,200,000. Project duration should be no less than 18 months and no more than 3 years. The attached project guidelines are particularly important: a short concept note must be submitted first, and the application deadline is June 15. Applications require the Annex A, B and C forms from the link to be completed.
There are two ways to apply:
1. Register and apply through the PADOR system: http://ec.europa.eu/europeaid/onlineservices/pador/index_en.htm
2. Or send the required concept note and forms A, B and C to the following address:
Postal address

European Commission
EuropeAid Co-operation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
B - 1049 Brussels
BELGIUM

Courier address

European Commission
EuropeAid Cooperation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
Central Mail Service
Avenue du Bourget 1
B-1140 Brussels (Evère)
BELGIUM

Full details of the call are at https://webgate.ec.europa.eu/europeaid/onlineservices/index.cfm?do=publi.welcome&nbPubliList=15&orderby=upd&orderbyad=Desc&searchtype=RS&aofr=126352
If you need more information, please feel free to contact us. Thank you!

Xia Ming, Delegation of the European Union to China

See machine translation in the end

Headers
Received: (qmail 3230 invoked from network); 28 May 2010 06:31:58 -0000
Received: from static-ip-251-116-134-202.rev.dyxnet.com (HELO mx02.diaocha8.com) (202.134.116.251)  by XXXXXXXXXXXXXXXXXXX with SMTP; 28 May 2010 06:31:58 -0000
Received: from sppfszwr (unknown [180.98.74.10])
    by mx02.diaocha8.com (EMOS V1.5 (Postfix)) with ESMTPA id 37B71109A81
    for
Reply-To:
Sender: david@humanright-watch.org
Message-ID:
From: =?utf-8?B?5by16Iux?=
To: XXXXXXXXXXXXXXX
Subject: =?utf-8?B?6Zec5pa8RUlESFLpoIXnm64=?=
Date: Fri, 28 May 2010 14:31:10 +0800

Hostname:    180.98.74.10
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
State/Region:    Jiangsu
City:    Suzhou


File EIDHR.xls received on 2010.06.02 04:13:50 (UTC)
http://www.virustotal.com/analisis/8b8960a855603393190152439c64ac9fd16655b304d472ecb83422900369a266-1275452030
Result: 17/41 (41.47%)
a-squared    5.0.0.26    2010.06.02    Trojan-Dropper.MSExcel.Agent!IK
AntiVir    8.2.1.242    2010.06.01    TR/Drop.MSExcel.Agent.BC
Antiy-AVL    2.0.3.7    2010.06.01    Trojan/MSExcel.Agent
Authentium    5.2.0.5    2010.06.02    MSExcel/Dropper.B!Camelot
BitDefender    7.2    2010.06.02    Exploit.D-Encrypted.Gen
F-Secure    9.0.15370.0    2010.06.02    Exploit.D-Encrypted.Gen
GData    21    2010.06.02    Exploit.D-Encrypted.Gen
Ikarus    T3.1.1.84.0    2010.06.02    Trojan-Dropper.MSExcel.Agent
Jiangmin    13.0.900    2010.05.31    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.02    Trojan-Dropper.MSExcel.Agent.bc
McAfee-GW-Edition    2010.1    2010.06.02    Heuristic.BehavesLike.Exploit.X97.CodeExec.EBEB
Norman    6.04.12    2010.06.01    ShellCode.B
nProtect    2010-06-01.02    2010.06.01    Exploit.D-Encrypted.Gen
PCTools    7.0.3.5    2010.06.02    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.02    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV
TrendMicro-HouseCall    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV
Additional information
File size: 64166 bytes
MD5...: 4f681733fd9e473c09f967fa87c9faef

Excel successfully opens, displaying hello, and a Chinese font set as default. The properties show that it was created on a Lenovo (Beijing) Limited laptop.

Files created

  1. D52EF63FDC5C5452D9DA23BD6D4BF0F5  %userprofile%\Local Settings\Temp\1001.tmp  11kb  0/41 Virustotal
  2. D52EF63FDC5C5452D9DA23BD6D4BF0F5  C:\WINDOWS\ntshrui.dll  11kb  0/41 Virustotal
  3. A363ABE09A44176386C50EE887359270  %userprofile%\Local Settings\Temp\set.xls  17kb  clean spreadsheet (the one you see above)




Monday, May 24, 2010

some APT malware samples

 This post is to be continued...


and more



Helper.dll and Helper.exe - Presumably password loggers

C:\windows\system32

 Download helper.exe helper.sys as a password protected archive (contact me if you need the password)


File helper.exe received on 2010.05.06 03:07:02 (UTC)
Result: 1/41 (2.44%)
Sunbelt    6265    2010.05.06    BehavesLike.Win32.Malware (v)
File size: 49152 bytes
MD5...: cf795574914ac35c5a13f1fdeed9dcda

File helper.sys received on 2010.05.06 03:24:10 (UTC)
Result: 3/41 (7.32%)
a-squared    4.5.0.50    2010.05.06    Trojan-PWS.Perfloger!IK
AVG    9.0.0.787    2010.05.05    PSW.Perfloger.DJ
Ikarus    T3.1.1.84.0    2010.05.06    Trojan-PWS.Perfloger
File size: 9600 bytes
MD5   : 2d366e990f5a697ef826b30337c49f01
AppMgmt.dll
C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a

Service name Application Management
Description Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default - Manual

Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
ServiceDll = %SystemRoot%\System32\appmgmts.dll
Service starts - Manual

Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters
ServiceDll = C:\Documents and Settings\Default User\AppMgmt.dll
Service starts - Automatic

Malware - Blackmailer - Ransomware (warning NSFW)

Original location hxxp://hotblondy.ru/video-loaderv2.exe
 File b4ac31487f8874a20b05f7c31eba9ca6 received on 2010.04.22 05:19:43 (UTC)
Result: 29/40 (72.50%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.04.22     Trojan.Win32.Inject!IK
AntiVir     7.10.6.169     2010.04.21     TR/Inject.alte
Avast     4.8.1351.0     2010.04.21     Win32:Malware-gen
Avast5     5.0.332.0     2010.04.21     Win32:Malware-gen
AVG     9.0.0.787     2010.04.21     Generic15.CGKN
BitDefender     7.2     2010.04.22     Trojan.Generic.3068304
CAT-QuickHeal     10.00     2010.04.22     Trojan.Inject.aknv
Comodo     4663     2010.04.22     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.04.22     Trojan.Blackmailer.1555
F-Secure     9.0.15370.0     2010.04.22     Trojan.Generic.3068304
Fortinet     4.0.14.0     2010.04.21     Malware_fam.A
GData     21     2010.04.22     Trojan.Generic.3068304
Ikarus     T3.1.1.80.0     2010.04.22     Trojan.Win32.Inject
Jiangmin     13.0.900     2010.04.20     Trojan/Inject.icg
Kaspersky     7.0.0.125     2010.04.22     Trojan.Win32.Inject.alte
McAfee     5.400.0.1158     2010.04.22     Generic.dx!hvk
McAfee-GW-Edition     6.8.5     2010.04.22     Heuristic.LooksLike.Win32.SuspiciousPE.C
Microsoft     1.5703     2010.04.21     Trojan:Win32/Trufip!rts
NOD32     5048     2010.04.21     a variant of Win32/LockScreen.FF
Norman     6.04.11     2010.04.21     W32/Inject.UIN
nProtect     2010-04-21.01     2010.04.21     Trojan/W32.Inject.367616
Panda     10.0.2.7     2010.04.21     Trj/CI.A
PCTools     7.0.3.5     2010.04.22     Trojan.Generic
Prevx     3.0     2010.04.22     Medium Risk Malware
Sophos     4.53.0     2010.04.22     Mal/Generic-A
Sunbelt     6206     2010.04.22     Trojan.Win32.Generic!SB.0
Symantec     20091.2.0.41     2010.04.22     Trojan Horse
VBA32     3.12.12.4     2010.04.19     Trojan.Win32.Inject.amif
VirusBuster     5.0.27.0     2010.04.21     Trojan.Delf.EBNJ
Additional information
File size: 367616 bytes
MD5   : b4ac31487f8874a20b05f7c31eba9ca6

Thursday, May 20, 2010

May 20 CVE-2006-2389 DOC osnov ugroz bezopas from yuduinnin@mail.ru




Download ugroz_bezopas_v_TSA.doc 3d77fe374ec8175648646ec4ce5eb2b6 as a password protected archive (contact me if you need the password)


-----Original Message-----
From: Dubinin yurij [mailto:yuduinnin@mail.ru]
Sent: Thursday, May 20, 2010 4:52 AM
To: XXXXXXXXXX
Subject: osnov ugroz bezopas v tsentra Azi



 File ugroz_bezopas_v_TSA.doc received on 2010.06.28 04:01:59 (UTC)
http://www.virustotal.com/analisis/250ff87ba85b2cb7bd04c9e4442eb08f70d5c1d555347c16addaa0d05bda8cb0-1277215255
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.06.22    MSWord/Dropper.B!Camelot
eTrust-Vet    36.1.7657    2010.06.22    Win32/Ceeban
F-Prot    4.6.1.107    2010.06.21    CVE-2006-2389
McAfee-GW-Edition    2010.1    2010.06.22    Heuristic.BehavesLike.Exploit.W97.CodeExec.PGPG
Microsoft    1.5902    2010.06.22    Exploit:Win32/Wordinvop.gen
Sophos    4.54.0    2010.06.22    Mal/OLE2SC-A
Additional information
File size: 234241 bytes
MD5...: 3d77fe374ec8175648646ec4ce5eb2b6

Vicheck.ca analysis
https://www.vicheck.ca/malware.php?hash=3d77fe374ec8175648646ec4ce5eb2b6


Headers

Received: from mx1.euroweb.ro (HELO mx1.euroweb.ro) (193.226.61.14)
  by XXXXXXXXXXX
Received: from Dubinin?yuri (unknown [80.239.136.20])
    (Authenticated sender: rab@mb.roknet.ro)
    by mx1.euroweb.ro (Postfix) with ESMTPA id 19C36180127;
    Thu, 20 May 2010 11:51:52 +0300 (EEST)
Reply-To: "Dubinin yurij"
From: "Dubinin yurij"
To: ""XXXXXXXXXX
Subject: osnov ugroz bezopas v tsentra Azi
Date: Thu, 20 May 2010 16:52:00 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Mail_Part_1"
Message-ID: <20100520085155.19C36180127@mx1.euroweb.ro>
80.239.136.20
Hostname:    ftp.de.telia.net
ISP:    TeliaSonera AB
Organization:    Telia International Carrier
Proxy:    None detected
Type:    Corporate
Geolocation Information
Country:    Germany de flag
State/Region:    Hessen
City:    Frankfurt Am Main

Friday, May 14, 2010

Phoenix 2.0 Exploit kit

I normally do not post exploit packs, even partial ones, but I am posting this one as it appears to be the source of the Java files analyzed by InReverse. Read this for more details and the Java analysis.
The other possibility is Crimepack. Let me know if there are others; I may post them too.


 Download  Phoenix2.zip as a password protected archive (contact me if you need the password)

   

List of included files


AdgredY.java    11895    416ff21ed3ddb4ce5665a4917964c5ce
all.js    5167    9432b83d52fc325f5bda83d58598e825  -- All listed except newplayer cve-2009-4324
deie.html    15097    a88f45102b57595d6c7b1cf2c2b4b241  --
flash.as    2746    718803346bbbed11e934c63af99c4a9f
ie.html    14939    1c8bd04644942a0f1832844ee4b44e63
newplayer.js    2595    a2344d3a54f26ae863011323a0973ac8
newplayer cve-2009-4324


Filename           MD5                               File size  CVE            Extension
flash.swf          C643C2B8E901E52C14A8D6CE8096E327  1,645                     swf
all.pdf            66BDB0DC68294890E359E91F1EF18D9E  2,677                     pdf
allv7.pdf          B948321DE93582951598F3BDDDCC5735  2,465                     pdf
collab.pdf         EF68F7B0018EDA2C149EF92EAAA666E2  2,012      CVE-2007-5659  pdf
geticon.pdf        1ED11F0EEE47135067F36E73FD5E889E  2,003      CVE-2009-0927  pdf
libtiff.pdf        E1E581CC0D817A808DC33CEB230F91B4  3,514      CVE-2010-0188  pdf
newplayer.pdf      37F28E5BE542AD2E32DA19EE5C44967C  1,975      CVE-2009-4324  pdf
printf.pdf         AF680ECCA07B3294553F672F78554588  1,907      CVE-2008-2992  pdf
index.js           B07E39D831F8EA3F8BCD84DCC9A60FFF  14,272                    js
des.jar            98F5ACDB21E8B8116FE5C7B4BA17D0E9  8,539                     jar
ie.html            30C1A7B87C419A1427932773642FEEE7  14,929     CVE-2009-3867  html
index.html         9939596B9BA5ECD4EE5FD648171EF01C  14,462                    html
vistaie7.html      E8888E4EDA75F6CE016A5FBA9BE02FA3  14,415                    html
vistan7ie8.html    6D11908E6CCC01B14ED0097561853F86  8,747                     html
vistan7other.html  3E4B94ED2A6ED5F7FF42165BB165A46B  13,734                    html
xpie7.html         EDE58120D8C76212E458898B348D2B80  14,420                    html
xpie8.html         A18CCEEE89E13B137C77F88688668CED  8,714                     html
xpother.html       355A809F8B5BDE1E511C628DD75CD871  14,129                    html

Flash exploits are

CVE-2009-1869
CVE-2007-0071

PDF exploits
 CVE-2007-5659
 CVE-2009-0927
 CVE-2010-0188
 CVE-2009-4324
 CVE-2008-2992

Internet Explorer Exploits
CVE-2009-0806

Java Exploits
CVE-2009-3867
CVE-2008-5353

Let me know if i missed any

Java exploit GetSoundBank: read InReverse's (Ratsoul's) posts for more information here or on their new blog here.
Also, see some malware links with this exploit here.





deie.html
MDAC exploit

 Flashloader - using object and embed for different browsers. Read this article for more details http://borodin.livejournal.com/10471.html


Actionscript

IE 2010-0806




Thursday, May 13, 2010

JAVA from Crimepack

 Download   95f3ec9b3bb5e1792fd604eb6a0b5af0 gsb50  as a password protected archive (contact me if you need the password)


I think (correct me if I am wrong) this exploit has been available in Crimepack since at least 2.2.1; not sure if this one is from 2.2.1 or 2.8.


File gsb50 received on 2010.05.14 02:44:37 (UTC)
http://www.virustotal.com/analisis/44916e0b40e2b8709a89f1209cceffab9a9bf8e26296ff85236cadd7d7a76258-1273805077
Result: 18/40 (45%)
AhnLab-V3    2010.05.14.00    2010.05.13    JAVA/Exploit
AntiVir    8.2.1.242    2010.05.13    EXP/Java.WebStart
Antiy-AVL    2.0.3.7    2010.05.13    Exploit/Java.CVE-2009-3867
AVG    9.0.0.787    2010.05.13    Generic2_c.XRX
DrWeb    5.0.2.03300    2010.05.14    Exploit.Java.27
eSafe    7.0.17.0    2010.05.13    Win32.Exploit.ByteVe
Ikarus    T3.1.1.84.0    2010.05.14    Exploit.Java.WebStart
Kaspersky    7.0.0.125    2010.05.14    Exploit.Java.CVE-2009-3867.b
McAfee    5.400.0.1158    2010.05.14    Exploit-ByteVerify
McAfee-GW-Edition    2010.1    2010.05.13    Exploit-ByteVerify
NOD32    5113    2010.05.13    OSX/Exploit.Smid.B
Norman    6.04.12    2010.05.13    JAVA/CrimePack.gen
PCTools    7.0.3.5    2010.05.14    Trojan.Generic
Sophos    4.53.0    2010.05.14    Exp/WebStart-A
Sunbelt    6301    2010.05.14    Trojan.Java.Webstart.a (v)
Symantec    20101.1.0.89    2010.05.14    Trojan Horse  -laconic, as usual .. but nothing wrong with it, this covers most them anyway (M)
TrendMicro    9.120.0.1004    2010.05.13    JAVA_WEBSTART.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    JAVA_WEBSTART.A
Additional information
File size: 2909 bytes
MD5...: 95f3ec9b3bb5e1792fd604eb6a0b5af0


Malware files rasauto16.dll and rasauto32.dll Remote Access Auto Connection Manager service - Backdoor

Update May 13 - added Rasauto32.dll

rasauto16.dll

Download
rasauto16.dll 15138604260b1d27f92bf1ec6468b326 +
rasauto16.dll 80ca8b948409138be40ffbc5d6d95ef1

Also, rasauto32.dll 995b44ef8460836d9091a8b361fde489

as password protected archives (please contact me for the password if you need it)

Variant 1


File rasauto16.dll received on 2010.05.10 17:00:18 (UTC)
http://www.virustotal.com/analisis/bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574-1273510818
Current status: finished
Result: 3/41 (7.32%)
DrWeb    5.0.2.03300    2010.05.10    BACKDOOR.Trojan - yes, it is a backdoor and was used as such
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
PCTools    7.0.3.5    2010.05.10    Trojan.Conficker.c.gen  --I don't think so.
Additional information
File size: 107008 bytes
MD5   : 15138604260b1d27f92bf1ec6468b326
SHA1  : 7cd0faddaf926573be91f725b07865c14dd44254
SHA256: bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574
PEInfo: PE Structure information
entrypointaddress.: 0x12B83
timedatestamp.....: 0x4B566B52 (Wed Jan 20 03:32:50 2010)


 file dated just like other files on the system

rasauto16.dll replaces legitimate rasauto.dll

Rasauto
Service description:
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll %SystemRoot%\System32\rasauto16.dll

TCP traffic

 202.175.83.10:443
z83l10.static.ctm.net
ISP:CTM Internet Services
Organization:CTM Internet Services
Country:Macau
City:Macau
address: Rua da Lagos, Telecentro
address: P.O. Box 868, Taipa
address: Macau
country: MO


Variant 2


http://www.virustotal.com/analisis/0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04-1273511085
File rasauto16.dll received on 2010.05.10 17:04:45 (UTC)
Result: 4/41 (9.76%)
AntiVir    8.2.1.236    2010.05.10    TR/Spy.Gen
Comodo    4816    2010.05.10    ApplicUnwnt.Win32.AdWare.EZula.~GGC
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
Sophos    4.53.0    2010.05.10    Mal/Emogen-Y
Additional information
File size: 669696 bytes
MD5...: 80ca8b948409138be40ffbc5d6d95ef1
SHA1..: f54b24660ec8664280e999e44148457e15f5489a
SHA256: 0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04
ssdeep: 12288:CqjmOwFjklKkoTDLa77d46+HkQIwAy0WTuzjOFE:XjNwVxkofLFTjIyXTu3O
entrypointaddress.: 0x22b03
timedatestamp.....: 0x4b679e56 (Tue Feb 02 03:39:02 2010)
machinetype.......: 0x14c (I386)

Creation and modified dates - 8/4/2004 8:00 am


rasauto16.dll replaces legitimate rasauto.dll

Rasauto
Service description:
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll %SystemRoot%\System32\rasauto16.dll



Variant 3

Rasauto32.dll 
File rasauto32.dll received on 2010.05.13 16:19:29 (UTC)
http://www.virustotal.com/analisis/4da40b63c4027db5fb02e37db78da7333144809d1ddf0c86442e12d28cd7c47c-1273767569
Result: 12/41 (29.27%)
AntiVir    8.2.1.242    2010.05.13    TR/Spy.Gen
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.AMWN
GData    21    2010.05.13    Win32:Malware-gen
Jiangmin    13.0.900    2010.05.13    Trojan/Agent.drkq
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dnwh
Panda    10.0.2.7    2010.05.12    Suspicious file
Sophos    4.53.0    2010.05.13    Troj/RasSpy-Gen
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dnwh
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dnwh
Additional information
File size: 647168 bytes
MD5...: 995b44ef8460836d9091a8b361fde489







TCP traffic

202.153.103.83:443
Hostname:beta.nethost.hk
ISP:TaiKoo Place, Quarry Bay
Organization: TaiKoo Place, Quarry Bay
Country:Hong Kong
City:Central District

Variant 1

 

Service

Possible displaynames and file locations
ServiceDll C:\Documents and Settings\NetworkService\1e0219eb.dll
ServiceDll C:\Documents and Settings\%user%\42ecacd.dll  - Virustotal


 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1e0219eb

Imagepath %SystemRoot%\System32\svchost.exe -k "1e0219eb"


File 1e0219eb.dll received on 2010.05.13 16:52:44 (UTC)
http://www.virustotal.com/analisis/75361b610426287685d57fb7e2947f52b1fe740cb6d3f5ac8e9c98fea0b7c7e7-1273769564
Result: 23/41 (56.10%)
a-squared    4.5.0.50    2010.05.10    Trojan.Win32.Agent!IK
AhnLab-V3    2010.05.13.01    2010.05.13    Win-Trojan/Mdmbot.30720
AntiVir    8.2.1.242    2010.05.13    TR/CryptRedol.30720.3
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.ASUL
BitDefender    7.2    2010.05.13    Trojan.CryptRedol.Gen.3
Comodo    4832    2010.05.13    UnclassifiedMalware
F-Secure    9.0.15370.0    2010.05.13    Trojan.CryptRedol.Gen.3
Fortinet    4.1.133.0    2010.05.13    W32/Agent.DXTO!tr
GData    21    2010.05.13    Trojan.CryptRedol.Gen.3
Ikarus    T3.1.1.84.0    2010.05.13    Trojan.Win32.Agent
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dxto
McAfee-GW-Edition    2010.1    2010.05.13    Artemis!E40670E6A0AD
Microsoft    1.5703    2010.05.13    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-13.01    2010.05.13    Trojan.CryptRedol.Gen.3
Panda    10.0.2.7    2010.05.13    Suspicious file
Sunbelt    6298    2010.05.13    Trojan.Win32.Generic!BT
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dxto
TrendMicro    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dxto
Additional information
File size: 30720 bytes
MD5   : e40670e6a0ad1c41211f38b92bfe436a


Variant 2 - e40670e6a0ad1c41211f38b92bfe436a
Also known as AppMgmt.dll
 
Service
Displayname Application Management
Service name Application Management
Description Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default - Manual
Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
ServiceDll = %SystemRoot%\System32\appmgmts.dll
Service starts - Manual
Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters
ServiceDll = C:\Documents and Settings\Default User\AppMgmt.dll
Service starts - Automatic
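Added example, not from the post: a check for the ServiceDll hijack pattern shown in the AppMgmt and RasAuto entries above (and the hex-named svchost service of variant 1), run over a saved `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` listing. The expected-DLL table covers only the two services this page discusses, and the sample listing is constructed from the keys and paths quoted above.

```python
# Added example (not from the Contagio post): review a saved
# "reg query HKLM\SYSTEM\CurrentControlSet\Services /s" listing for the
# ServiceDll hijack pattern described above. The listing below is constructed
# from the keys and paths quoted in the post; nothing is read from a live hive.
import re
from collections import defaultdict

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Hosted DLL each service should load (Windows XP); only the two services the
# post discusses are listed, extend this table from a known-good system.
EXPECTED_DLL = {"appmgmt": "appmgmts.dll", "rasauto": "rasauto.dll"}
DEFAULT_MANUAL = {"appmgmt", "rasauto"}   # Start = 0x3 (Manual) by default
SYSTEM32 = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\[^\\]+$", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{7,8}$", re.I)   # e.g. 1e0219eb, 42ecacd

def parse_reg_query(text):
    """Return {service: {value_name: data}} from reg query output. Values under
    a service's Parameters subkey are folded into that service's entry."""
    services = defaultdict(dict)
    current = None
    for line in text.splitlines():
        if line.startswith(SERVICES_ROOT):
            parts = line[len(SERVICES_ROOT):].strip("\\").split("\\")
            current = parts[0].lower() if parts[0] else None
        elif current and line.startswith(("    ", "\t")):
            fields = re.split(r"(?:\t|\s{2,})+", line.strip(), maxsplit=2)
            if len(fields) == 3:
                name, _reg_type, data = fields
                services[current][name] = data
    return dict(services)

def review_services(services):
    """Return {service: [findings]}; services with no findings are omitted."""
    report = defaultdict(list)
    for svc, values in services.items():
        dll = values.get("ServiceDll")
        start = values.get("Start")
        image = values.get("ImagePath", "")
        if dll and not SYSTEM32.match(dll):
            report[svc].append("ServiceDll outside System32: " + dll)
        if dll and svc in EXPECTED_DLL:
            if dll.rsplit("\\", 1)[-1].lower() != EXPECTED_DLL[svc]:
                report[svc].append(
                    "ServiceDll is not %s: %s" % (EXPECTED_DLL[svc], dll))
        if svc in DEFAULT_MANUAL and start == "0x2":
            report[svc].append("Start changed from Manual (0x3) to Automatic (0x2)")
        if HEX_NAME.match(svc) and "svchost.exe" in image.lower():
            report[svc].append("hex-named service hosted by svchost: " + image)
    return dict(report)

# Constructed listing: the compromised AppMgmt and RasAuto keys from the post,
# the hex-named svchost service of variant 1, and one untouched service.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Documents and Settings\Default User\AppMgmt.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto
    Start    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\rasauto16.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1e0219eb
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k "1e0219eb"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1e0219eb\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Documents and Settings\NetworkService\1e0219eb.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
    Start    REG_DWORD    0x3
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll
"""

if __name__ == "__main__":
    for svc, findings in sorted(review_services(parse_reg_query(SAMPLE)).items()):
        print(svc)
        for f in findings:
            print("  -", f)
```

On a live XP host the same listing comes from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s > services.txt`; compare the hijacked ControlSet001 copy as well, since the post shows the compromised value there.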
 
 
C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a


========================================================================



May 13 CVE-2009-3129 XLS General Hospital service from taup@msa.hinet.net

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability." 
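The cbHdrData check named in the CVE text above, as an added example that is not part of the original post: a BIFF8 record walker that flags FEATHEADER records whose size field is inconsistent. It assumes the MS-XLS FeatHeader layout (12-byte FrtHeaderOld, isf, reserved1, cbHdrData) and takes the raw Workbook stream, so extracting that stream from the OLE2 container (for example with olefile) is assumed done; the sample streams are constructed.

```python
# Added example (not from the Contagio post): walk a raw BIFF8 record stream
# and flag FEATHEADER (0x0867) records whose cbHdrData field is inconsistent,
# the "invalid cbHdrData size element" named in the CVE-2009-3129 text above.
# Input is the Workbook stream; pulling it out of the OLE2 container (e.g.
# with olefile) is assumed to have been done already.
import struct

FEATHEADER = 0x0867
ISFPROTECTION = 0x0002
CB_NONE = 0xFFFFFFFF   # MS-XLS: cbHdrData MUST be this when isf is ISFPROTECTION
FIXED_LEN = 19         # FrtHeaderOld(12) + isf(2) + reserved1(1) + cbHdrData(4)

def iter_records(stream):
    """Yield (offset, record_type, payload) for each BIFF record: 2-byte type,
    2-byte length, payload. A record running past the end is yielded truncated."""
    off = 0
    while off + 4 <= len(stream):
        rt, cb = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + cb]
        yield off, rt, payload
        if len(payload) < cb:
            return
        off += 4 + cb

def check_featheader(payload):
    """Return a list of findings for one FEATHEADER payload (empty if sane)."""
    if len(payload) < FIXED_LEN:
        return ["payload shorter than the fixed %d-byte FEATHEADER prefix" % FIXED_LEN]
    findings = []
    rt = struct.unpack_from("<H", payload, 0)[0]       # FrtHeaderOld.rt
    isf = struct.unpack_from("<H", payload, 12)[0]     # SharedFeatureType
    reserved1 = payload[14]
    cb_hdr = struct.unpack_from("<I", payload, 15)[0]
    present = len(payload) - FIXED_LEN                  # rgbHdrData bytes really there
    if rt != FEATHEADER:
        findings.append("FrtHeaderOld.rt %#06x does not echo the record type" % rt)
    if reserved1 != 0:
        findings.append("reserved1 is %#04x, must be 0" % reserved1)
    if isf == ISFPROTECTION and cb_hdr != CB_NONE:
        findings.append("ISFPROTECTION with cbHdrData=%#010x instead of 0xFFFFFFFF" % cb_hdr)
    elif cb_hdr != CB_NONE and cb_hdr > present:
        findings.append("cbHdrData %d exceeds %d bytes present" % (cb_hdr, present))
    return findings

def scan_workbook_stream(stream):
    """Map record offset -> findings for every FEATHEADER record that fails."""
    report = {}
    for off, rt, payload in iter_records(stream):
        if rt == FEATHEADER:
            findings = check_featheader(payload)
            if findings:
                report[off] = findings
    return report

def _featheader(isf, cb_hdr, body=b""):
    """Build one FEATHEADER record (header + payload) for the samples below."""
    payload = struct.pack("<HH", FEATHEADER, 0) + b"\x00" * 8     # FrtHeaderOld
    payload += struct.pack("<HBI", isf, 0, cb_hdr) + body
    return struct.pack("<HH", FEATHEADER, len(payload)) + payload

# Constructed streams: a BOF stub, one FEATHEADER, then EOF. The "bad" one
# carries a protection feature header with a real size instead of 0xFFFFFFFF.
BOF = struct.pack("<HH", 0x0809, 0)
EOF = struct.pack("<HH", 0x000A, 0)
BENIGN_STREAM = BOF + _featheader(ISFPROTECTION, CB_NONE, b"\x00" * 4) + EOF
BAD_STREAM = BOF + _featheader(ISFPROTECTION, 0x00000400, b"\x00" * 4) + EOF

if __name__ == "__main__":
    for name, s in (("benign", BENIGN_STREAM), ("malformed", BAD_STREAM)):
        print(name, scan_workbook_stream(s) or "no findings")
```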

From: 陳志良 (Zhi-Liang Chen) [mailto:taup@msa.hinet.net]
Sent: Thursday, May 13, 2010 10:13 PM
To: XXXX
Subject: FW: Tri-Service General Hospital Health Examination Center provides healthy recipes.xls

Very good healthy recipes; please spread the word so that more people in Taiwan can eat healthily.

 File ATT42396.xls received on 2010.05.19 11:43:29 (UTC)
http://www.virustotal.com/analisis/26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6-1274269409
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.19    MSExcel/Dropper.B!Camelot
Jiangmin    13.0.900    2010.05.19    Heur:Exploit.CVE-2009-3129
PCTools    7.0.3.5    2010.05.19    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.05.19    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
Additional information
File size: 64512 bytes
MD5...: 61a29b7d8a6c3a03a884f2f64be5ca21

header info 
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXX with SMTP; 14 May 2010 02:13:35 -0000
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr6.hinet.net (8.9.3/8.9.3) with ESMTP id KAA15594
    for XXXXX; Fri, 14 May 2010 10:13:29 +0800 (CST)
Reply-To: taup@msa.hinet.net
 
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
 State/Region:    T'ai-pei


Wednesday, May 12, 2010

CVE-2009-1129 PPT 2010-05-06 BMW Vision (My Dream Car) from saraswasingh@gmail.com

Interesting PPT file

Update May 12. 
An anonymous reader found it to be MS09-017, a stack-based overflow in PP7X32.dll (thank you).

Ted W. found the same (MS09-017) and added that this PPT's exploit overwrites one SEH handler at offset 0xF70, then jumps to the shellcode at offset 0x189c; the total size of the PoC is 0x5400 (thank you).


 This appears to be CVE-2009-1129
CVE-2009-1129 Multiple stack-based buffer overflows in the PowerPoint 95 importer (PP7X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via an inconsistent record length in sound data in a file that uses a PowerPoint 95 (PPT95) native file format, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1128.


I have another ppt of the same kind and from the same sender, let me know if you want it, I am not going to post it.

Download
BMW.ppt and bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin as a password protected archive (please contact me for the password if you need it)


Details 722efe25f0d973fbb684cc32da1f693e BMW.ppt


 


From: saraswati singh [mailto:saraswasingh@gmail.com]
Sent: Thursday, May 06, 2010 8:30 PM
To:
Subject: BMW Vision (My Dream Car) !!!!

an be your Future Goal......!
The All New ...  BMW Vision
 http://www.virustotal.com/analisis/771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792-1273205194
File BMW.ppt received on 2010.05.07 04:06:34 (UTC)
Current status: finished
Result: 5/39 (12.82%)
Antiy-AVL     2.0.3.7     2010.05.06     Trojan/MSPPoint.Agent
Authentium     5.2.0.5     2010.05.07     MSPowerPoint/Dropper.B!Camelot
Kaspersky     7.0.0.125     2010.05.07     Trojan-Dropper.MSPPoint.Agent.cp
TrendMicro     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
TrendMicro-HouseCall     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
Additional information
File size: 877670 bytes
MD5   : 722efe25f0d973fbb684cc32da1f693e

OfficeMalscanner results

bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin
XOR encrypted MZ/PE signature found at offset: 0xcf462 - encryption KEY: 0xcc
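What the OfficeMalscanner line above reports, as an added example (not OfficeMalscanner's own code): a scan for a single-byte-XOR-encoded MZ/PE header that confirms each candidate by decoding e_lfanew and the PE signature behind it. The embedded stub PE, the key 0xcc and the offset used in the sample are constructed for the demonstration.

```python
# Added example (not OfficeMalscanner's code): find a PE image embedded in a
# document with a single-byte XOR key, which is what the finding above reports.
# For each key 0..255, search for the encoded "MZ", then require a plausible
# e_lfanew whose target decodes to "PE\0\0" so lone byte pairs are not hits.
import struct

def find_xored_pe(blob, max_lfanew=0x1000):
    """Return [(offset, key)] for every XOR-encoded DOS/PE header pair found.
    Key 0 reports plain, unencoded PE files as well."""
    hits = []
    for key in range(256):
        mz = bytes((0x4D ^ key, 0x5A ^ key))
        off = blob.find(mz)
        while off != -1:
            if off + 0x40 <= len(blob):
                dos = bytes(b ^ key for b in blob[off:off + 0x40])
                e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
                pe = off + e_lfanew
                if 0x40 <= e_lfanew <= max_lfanew and pe + 4 <= len(blob):
                    if bytes(b ^ key for b in blob[pe:pe + 4]) == b"PE\x00\x00":
                        hits.append((off, key))
            off = blob.find(mz, off + 1)
    return sorted(hits)

def decode_from(blob, off, key):
    """Decode the embedded image from its MZ header to the end of the blob;
    the real image length comes from the PE section table, not handled here."""
    return bytes(b ^ key for b in blob[off:])

# Constructed sample: a stub PE (DOS header, e_lfanew=0x80, PE signature,
# Machine=0x14c) XOR-encoded with key 0xcc and placed at 0x200 inside a
# blob that starts with the OLE2 magic. Sizes are illustrative only.
STUB_PE = (b"MZ\x90\x00" + b"\x00" * 0x38 + struct.pack("<I", 0x80)
           + b"\x00" * 0x40 + b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 0x20)
XOR_KEY = 0xCC
PE_OFFSET = 0x200
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * (PE_OFFSET - 4)
              + bytes(b ^ XOR_KEY for b in STUB_PE) + b"\x00" * 16)

if __name__ == "__main__":
    for off, key in find_xored_pe(SAMPLE_DOC):
        print("XOR encrypted MZ/PE signature found at offset: %#x - key: %#x" % (off, key))
```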




http://www.virustotal.com/analisis/db10c19f6d5da8e3f5990a371c453667a56fd2f30d8d340059528c558bea8cee-1273205940
bmw__PEFILE__OFFSET_0x5400__XOR-K  received on 2010.05.07 04:19:00 (UTC)
Result: 3/41 (7.32%)
AntiVir    8.2.1.236    2010.05.06    TR/Samsa.V
DrWeb    5.0.2.03300    2010.05.07    Trojan.Proxy.298
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.LooksLike.Win32.Samsa.I
Additional information
File size: 53248 bytes

MD5...: 9dfe33215a410362451747ecfe283802

Tuesday, May 11, 2010

May 11 CVE-2010-0188 PDF Call the Ministry of Defense from hiw11111@gmail.com

Download ATT73189.pdf aaeed3399e542e4ba881f27adabaf31f as a password protected archive (please contact me for the password if you need it)

Details ATT73189.pdf aaeed3399e542e4ba881f27adabaf31f 

From: yiwei huang [mailto:hiw11111@gmail.com]
Sent: Tuesday, May 11, 2010 9:06 PM
To: XXXXXX
Subject: Call the Ministry of Defense

Such as the subject

-Coast Guard Department of Planning by Wei Huang
TEL: 02-22399201 # 266137
FAX: 02-22392936
Wenshan District, Taipei City 296, Sec Xinglong



File ATT73189.pdf received on 2010.05.12 12:35:03 (UTC)
Result: 7/41 (17.08%)
Authentium    5.2.0.5    2010.05.12    JS/Pdfka.AD
Avast    4.8.1351.0    2010.05.12    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.12    PDF:CVE-2010-0188
ClamAV    0.96.0.3-git    2010.05.12    Suspect.PDF.ObfuscatedJS
GData    21    2010.05.12    PDF:CVE-2010-0188
Microsoft    1.5703    2010.05.12    Exploit:Win32/Pdfjsc.FI
Sophos    4.53.0    2010.05.12    Troj/PDFJs-II
Additional information
File size: 446746 bytes
MD5...: aaeed3399e542e4ba881f27adabaf31f



May 11 CVE-2009-4324 PDF national policy think-tank seminars from taup@seed.net.tw

Details 2aaa2f62cadf2b0f72587b3dffaee669 0516.pdf 


http://www.virustotal.com/analisis/2a67251b0954d430f01a2150b4528e7ae8c0c98fca80a362a9ddad85d2f1f124-1273581456
 File 0516____.pdf received on 2010.05.11 04:59:52 (UTC)
Result: 6/41 (14.63%)
Avast     4.8.1351.0     2010.05.10     JS:Pdfka-AEE
Avast5     5.0.332.0     2010.05.10     JS:Pdfka-AEE
GData     21     2010.05.11     JS:Pdfka-AEE
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.ceg
Microsoft     1.5703     2010.05.11     Exploit:Win32/Pdfjsc.gen!A
Sophos     4.53.0     2010.05.11     Troj/PDFJs-GQ
Additional information
File size: 87347 bytes
MD5   : 2aaa2f62cadf2b0f72587b3dffaee669 


From: Taiwan Association of University Professors [mailto:taup@seed.net.tw]
Sent: Tuesday, May 11, 2010 3:33 AM
To: XXXXXXXXXXXXX
Subject: Forwarding messages: 5 / 16 (Sun) morning 10:00 ~ new national policy think-tank seminars in Taiwan - the sum of Fear: Ma anniversary of the total test administration

 Hello
 
Thank you for your enthusiastic help, I believe with your help, this event will give more power in Taiwan
Accessories for our conference information and registration form
Grateful if You help lots of publicity so that more Taiwan people can participate in the activities
The following information:
 
Sum of All Fears: Ma anniversary of the total test administration
Time: May 16, 2010 (Sun) 10:00-12:00 AM
Venue: National Taiwan University Conference Center brainstorming - Socrates Hall (Taipei, Taiwan No. 85, B1)
Sponsor: New policy think tank in Taiwan
Rundown:
Time         Agenda
09:30-10:00  Registration
10:00-10:20  Sponsored Message - Koo Kuan-min (the new chairman of Taiwan's national policy think tank)
10:20-11:10  Roundtable
             Moderator: Wu Rong-i (the new national policy think tank in Taiwan Vice Chairman)
             Panelists:
             Lo Chih-cheng (new Taiwan policy think tank CEO) - governance capacity
             Joseph Wu (Fellow, International Relations, National Chengchi University) - Foreign and cross-strait policy
             To Kai Lin (Taiwan University Professor of Economics) - general economic and cross-
             Liu Jinxing (Taiwan Technology University) - the problem of unemployment and the gap between rich and poor
             Lin (is (the Judicial Reform Foundation executive director) - democracy and the rule of law and human rights
11:10-11:40  Q & A
11:40-12:00  Summary
   
You are welcome to participate for free!!!
 
===========================
Taiwan Brain Trust
The new policy think tank in Taiwan Co., Ltd. (24482082)
Hengyang Road, Jhongjheng District, Taipei City 10045 51 3 F
Chief Commissioner of the Department of Planning Wuyi Juan
TEL :02-2313-1456 ext 23
Fax :02-2313-1599
E-mail: yvonne@braintrust.tw 

 Header info
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr15.hinet.net (8.9.3/8.9.3) with ESMTP id PAA20620
    for XXXXXX; 
Tue, 11 May 2010 15:33:20 +0800 (CST)
Reply-To: taup@seed.net.tw
From: "=?BIG5?B?u0/GV7HQscKo87d8?="

 
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
State/Region:    T'ai-pei
City:    Taipei

Monday, May 10, 2010

May 10 CVE-2009-3129 XLS schedule of the defense industry evaluation from 0922750173@mail.ahccddi.org.tw


 Download  d4b98bda9c3ae0810a61f95863f4f81e  ATT39755.xls and all the files described below as a password protected archive (contact me if you need the password) 


From: ¤u¦X•|³ø [mailto:0922750173@mail.ahccddi.org.tw]
Sent: Monday, May 10, 2010 9:38 AM
To: XXXXXXXXXXX
Subject: Schedule of defense industry evaluations for the second half of (ROC) year 99

Enclosed is one copy of the schedule of defense industry evaluations for the second half of year 99; please review.
Sincerely, 蕭名槐 (Hsiao Ming-huai)

Headers
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXXwith SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CAF089.0C84DC60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

202.65.223.202
Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
ISP:    Genesis Net Limited
Organization:    Tsuen Wan
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
 City:    Central District


  File ATT39755.xls received on 2010.06.03 11:27:14 (UTC)
http://www.virustotal.com/analisis/616b561b49258346ead431e34fb1925e2dbc11fb4620083efae92d7ed8e5333c-1275564434
Result: 7/41 (17.08%)
Jiangmin    13.0.900    2010.06.03    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.03    Trojan-Dropper.MSExcel.Agent.bc
Heuristic.BehavesLike.Exploit.X97.CodeExec.FFLG
PCTools    7.0.3.5    2010.06.03    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.03    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
Additional information
File size: 72192 bytes
MD5...: d4b98bda9c3ae0810a61f95863f4f81e


 Files created
%Userprofile%\LOCALS~1\Temp\wuauclt.exe  
 File: wuauclt.exe  Size: 31232   MD5:  D037500368207625E3FFEE16C50D60A7
%Userprofile%\LOCALS~1\Temp\ATT39755.xls
File: ATT39755.xls Size: 13824 MD5:  75B495C8324C4DCF5A0B2CFCACC47971  == clean xls file

http://www.virustotal.com/reanalisis.html?1a15e1c3220e8d1800bb7b186e9d47f63aefd669cd0f1569a79982498d5d9ba6-1275579814
File wuauclt.exe-- received on 2010.06.02 00:43:59 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5802 2010.06.02 Backdoor:Win32/Ixeshe.A
Norman 6.04.12 2010.06.01 W32/Malware
TrendMicro 9.120.0.1004 2010.06.01 BKDR_IXESHE.SM
TrendMicro-HouseCall 9.120.0.1004 2010.06.02 BKDR_IXESHE.SM
Additional information
File size: 31232 bytes
MD5   : d037500368207625e3ffee16c50d60a7



 TCP traffic to 211.78.147.220

 
  Hostname:    ll-211-78-147-220.ll.sparqnet.net
ISP:    New Centry InfoComm Tech. Co., Ltd.
Organization:    Lill Guan Industry co., LTD
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
City:    Taichung