Monday, March 28, 2011

Mar 25-28 CVE-2009-3129 XLS "LES Request" or "Libya crisis" from bran343@yahoo.com

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
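The CVE text above points at one concrete field: the cbHdrData size in a FEATHEADER (0x0867) record, which the vulnerable Excel builds turned into a pointer offset without checking it against the record. As an added example, not code from the original post or from whoever built the sample, the Python below walks the BIFF8 records of a Workbook stream and flags any FEATHEADER whose declared cbHdrData claims more data than the record actually carries. The record layout it assumes (FrtHeaderOld, isf, one reserved byte, cbHdrData, rgbHdrData, per MS-XLS) and the sample stream it runs on are the example's own assumptions; the stream is constructed inline and is not the attachment from the post.

```python
import struct

BIFF_BOF = 0x0809
BIFF_EOF = 0x000A
BIFF_FEATHEADER = 0x0867          # FeatHeader record type (MS-XLS 2.4.112, assumed layout)
FEATHEADER_FIXED_LEN = 11         # frtHeaderOld(4) + isf(2) + reserved(1) + cbHdrData(4)


def iter_biff_records(stream):
    """Yield (offset, record_type, payload) for each record in a BIFF8 Workbook stream.

    A BIFF record is a 2-byte little-endian type, a 2-byte little-endian length,
    then `length` bytes of payload. The walk stops at EOF or at a truncated header.
    """
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + rlen]
        yield off, rtype, payload
        off += 4 + rlen
        if rtype == BIFF_EOF:
            break


def check_featheader(stream):
    """Return one finding per FEATHEADER record found in `stream`.

    A finding records the declared cbHdrData and the number of bytes that really
    follow the fixed header. The record is marked suspicious when the declared size
    is larger than what the record carries, since a reader that trusts cbHdrData as
    a pointer offset would then address memory outside the record.
    """
    findings = []
    for off, rtype, payload in iter_biff_records(stream):
        if rtype != BIFF_FEATHEADER:
            continue
        if len(payload) < FEATHEADER_FIXED_LEN:
            findings.append({"offset": off, "isf": None, "cbHdrData": None,
                             "actual": len(payload), "suspicious": True,
                             "reason": "record shorter than the fixed FeatHeader fields"})
            continue
        rt, _grbit, isf, _reserved, cb = struct.unpack_from("<HHHBI", payload, 0)
        actual = len(payload) - FEATHEADER_FIXED_LEN
        finding = {"offset": off, "isf": isf, "cbHdrData": cb, "actual": actual,
                   "suspicious": False, "reason": "consistent"}
        if rt != BIFF_FEATHEADER:
            finding.update(suspicious=True, reason="frtHeaderOld.rt does not repeat 0x0867")
        elif cb > actual:
            finding.update(suspicious=True,
                           reason="cbHdrData 0x%08x exceeds the %d bytes present" % (cb, actual))
        findings.append(finding)
    return findings


def biff_record(rtype, payload):
    """Serialize one BIFF record (used only to build the constructed sample below)."""
    return struct.pack("<HH", rtype, len(payload)) + payload


def build_featheader(isf, cb_hdr_data, hdr_data):
    """Build a FEATHEADER record with an arbitrary cbHdrData (constructed test data)."""
    fixed = struct.pack("<HHHBI", BIFF_FEATHEADER, 0, isf, 0, cb_hdr_data)
    return biff_record(BIFF_FEATHEADER, fixed + hdr_data)


# Constructed sample stream (not the file from the post): a BIFF8 BOF, a consistent
# FEATHEADER, a FEATHEADER whose cbHdrData claims ~4 GiB for four bytes, then EOF.
BOF_PAYLOAD = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0)
SAMPLE_STREAM = (
    biff_record(BIFF_BOF, BOF_PAYLOAD)
    + build_featheader(0x0005, 4, b"\x00" * 4)
    + build_featheader(0x0005, 0xFFFFFFF0, b"A" * 4)
    + biff_record(BIFF_EOF, b"")
)

if __name__ == "__main__":
    for finding in check_featheader(SAMPLE_STREAM):
        print(finding)
```

A real .xls is an OLE2 compound file, so pull the stream out first (for instance `olefile.OleFileIO(path).openstream("Workbook").read()`) and pass it to `check_featheader`. A mismatch is a triage signal, not proof of exploitation: FEATHEADER records also occur in benign workbooks that use shared features, the walker does not stitch CONTINUE records, and for some isf values the specification defines special cbHdrData values, so confirm a hit against the MS-XLS FeatHeader definition before calling the file malformed.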

 

Just a quick post without any analysis. Have fun.

General File Information

File: CTF 2011 (MF).xls (also seen as BBC Monitoring reports..xls)
MD5: b4c83c1bfa52e8606ddc306625938c21
SHA-256: 4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c (from the VirusTotal report ID below)
File size: 65559 bytes
Type: XLS (Excel 97-2003 binary workbook)
Distribution: Email attachment


Download

Original Message

EMAIL 1 Fw: LES Request

From: Brandy R [mailto:bran343@yahoo.com]
Sent: Friday, March 25, 2011 5:26 AM
Subject: Fw: LES Request

Good morning,

Please find attached the LES's you requested.

Thank you and have a good day,

Christina Donald
Contractor, MPSC Systems Analyst ARNG Financial Services Center NGB-ARC-F
ATTN: NGB-ARC-F (Column 118D)
Finance Support Team Indianapolis
1-877-ARNGPAY (1-877-276-4729)
FAX CML 317-510-7017

EMAIL 2 Libya crisis

From: Brandy R [mailto:bran343@yahoo.com]
Sent: Monday, March 28, 2011 9:34 AM
Subject: Libya crisis

FYI.

Message Headers

EMAIL 1 Fw: LES Request

Received: (qmail 5543 invoked from network); 25 Mar 2011 09:26:12 -0000
Received: from web120112.mail.ne1.yahoo.com (HELO web120112.mail.ne1.yahoo.com) (98.138.85.159)
  by XXXXXXXXXXXXXXXXXX with SMTP; 25 Mar 2011 09:26:12 -0000
Received: (qmail 27995 invoked by uid 60001); 25 Mar 2011 09:26:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301045172; bh=Q62Ncyt0FmiR48qzSD2tYeVDQS315MhWUx3E6d4ifJE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=X2I4ntxH/Fnul07T0st7CxQxfEX5Z6WewIv4veR5FX6ZKDioiQCxxLmvlFR/nRcScQgUWImSHirG2jMFJDig3Lp3urcsL1nRW14a0uo6cLySG+0KGvUxErwQfOPanoimt6cFe3T4wb+/gZLHKp7rpdEp2FCupPEYs+Dy4QkIbLg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=yEOAl0r6EEbTisJcFejV8CFR38jDRwyX/JEMmQCtD0C//+gadqMg1lSADpI8/KQieDqj5/U50GVuY26xGBA3XB0LstVa88F9ib1UiB53eLB9+7+5iye3vJa3TlZHOvw56KMsD93wp4OUnn9KWGQEyEvsXyzV5ilQK9KmjdCW0x0=;
Message-ID: <126300.8410.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: OFUzx_AVM1n91t0zEacsTpDPyCacKf2bDHKoqB6Vn3hPfTd
 IqUqiUZjNAJvjU.tBh7Y08mchb1DO6XwlWqlesWY6RC1xTnjPd16nUJfGWwR
 Tuc9T.IQ3FpvpU0JBRq_l6KbOgoSsEVKnJmkkbrAZiNnN2Rt.4Ly9h4H.ZWP
 LLFpLCn_yKWiQmmaTUXHNS4JTcJ_rU3VnM5Df3CT1HA8Y_nrHrMhWI5m3F46
 tFQJvqGN0cORcXWmMhaQf8Rpikw7BY1uTWAd5S8Akf..VeQyvCrFedOPa3iV
 cdC9kTJYEuZj4.x_6wdAcgem9V0AD8K4pXrMprRdlC.cjzCoFPIXgJQyzTcQ
 IDMF3DDktcbnLDERPCsU3RgeXtQJZWVwwcqzu3NOxiOmt3IBYaVSUsUKl
Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP; Fri, 25 Mar 2011 02:26:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 25 Mar 2011 02:26:11 -0700
From: Brandy R
Subject: Fw: LES Request
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-422978493-1301045171=:8410"

EMAIL 2 Libya crisis

Received: (qmail 31482 invoked from network); 28 Mar 2011 13:33:54 -0000
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
  by XXXXXXXXXXXXXXXXXXXX with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233; bh=KYu2+ZnqxcpYMv5Jjh4esqvHpQ0m1JZbZASUr8Yt8y0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=HLo1/STzZ10/E7dyLoxHfdvAdRbkLoNYvn9FMIltVGVjIK7vuskv65yQGO2fkGSnCIC7modL5Doxocc0bJEBKDgBAS0yZ/YBoM5w3GFZYdlboS+q5rr6lU0u14vSFAPGBXzoTtiAybhKeR7q5nUzu3926eCuSq0scs4BHN4JAP0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=zJnVrp3C96n4JIp+/JrjPKMe+6V/FIUqAkF9W/X6PLPvwkTY687N00JS3fUQQg1Xfv6QrROmVJYqZqzzYqd0nsy7LWnl08HsXxa1vuQezTH8Tw5c2X6l5u7GdHPMNX9d0k6ifYaypGcN8GuWzSaR83EourWpARC3nHtLFobwFZU=;
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
X-YMail-OSG: _o26bK0VM1kBRio8SdKmAGN2J9.AjMCRjJwMgZz3m5sgukn
 kIjR.Bkmhk7uNNOdN7FD2sCVdKC2zdHC.LaIDIPoHk.LUlvwjfcFa_HR4jEJ
 ep7vem6mDGvEMfsZRizMV.QwJ9JBnHc3N4a.4h.5Z4oBnpmhYhJQ0yI6A.Rw
 KXH6WzOHEYDg3nIjRjmbT1pieLwUAoBErZ9_ynJ97G1ZVK2uXmG7bA0bRGwc
 D2X_Z335W_0gHNJm2IBsC34Wo5qeRvR.i4Bb6LUhkzGFadB7Y0pQObaqumW.
 SI2jy2na7kgoidxSlAiVkSzk.vL4Mf2DfO.wTW6l_k9P9xjPBEJkEcd0mt5t
 _KLaw5bxapbg-
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R
Subject: Libya crisis
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-993720929-1301319232=:59989"

Sender

Sender EMAIL 1 Fw: LES Request (from the "Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP" line)
117.88.250.185
Hostname:    185.250.88.117.broad.nj.js.dynamic.163data.com.cn
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Jiangsu

Sender EMAIL 2 Libya crisis (from the "Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP" line)
117.88.171.49
Hostname:    49.171.88.117.broad.nj.js.dynamic.163data.com.cn
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Jiangsu
City:    Nanjing

Both messages were composed in Yahoo webmail from dynamic CHINANET Jiangsu addresses in the same reverse-DNS pool (broad.nj.js.dynamic.163data.com.cn). The 98.138.85.x hosts in the SMTP hops are Yahoo's own outbound servers, not attacker infrastructure, and the valid-looking DKIM signature for d=yahoo.com only says the mail left Yahoo unmodified. Note also that the first message carries the signature block of an ARNG Financial Services Center contractor while being sent from a Yahoo account.
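The lookups above come from the "Received: from [...] by webNNN.mail.ne1.yahoo.com via HTTP" hop, which Yahoo's webmail front end stamps with the browser's IP address; the hop before it, from a 98.138.85.x host with a HELO name, is Yahoo's outbound SMTP server. As an added example, not part of the original post, the Python below pulls those two hops apart, converts the submission time to UTC, and checks whether the DKIM d= domain aligns with the From domain. It uses the post's EMAIL 2 headers as sample input, with three assumptions: the redacted receiving host is written as mx.example.invalid, the From address is filled in from the [mailto:] line in the post, and the DKIM b= value is shortened to "..." because the signature is not verified here.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block copied from the post's EMAIL 2 ("Libya crisis"), trimmed to the headers
# the triage needs. Assumed/edited values: mx.example.invalid stands in for the
# redacted MX, the From address comes from the [mailto:] line, b= is shortened.
EMAIL2_HEADERS = """\
Received: (qmail 31482 invoked from network); 28 Mar 2011 13:33:54 -0000
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
  by mx.example.invalid with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=...
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R <bran343@yahoo.com>
Subject: Libya crisis
To: undisclosed recipients: ;
"""

# The hop Yahoo's webmail front end adds: the bracketed address is the browser's IP.
WEBMAIL_HOP = re.compile(r"^from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via HTTP;\s*(.+)$", re.I)
# The SMTP hop from Yahoo's outbound server into the recipient's MX.
RELAY_HOP = re.compile(r"^from (\S+) \(HELO \S+\) \((\d{1,3}(?:\.\d{1,3}){3})\)\s+by (\S+)", re.I)


def triage_headers(raw):
    """Pull the facts an analyst wants from a webmail-originated message's headers.

    Returns the browser-side client IP and submission time (from the 'via HTTP' hop),
    the outbound relay IP (from the SMTP hop), the DKIM signing time, and whether the
    DKIM d= domain matches the From domain. Alignment only shows the mail left
    yahoo.com unmodified; it says nothing about who controls the mailbox.
    """
    msg = message_from_string(raw)
    result = {"message_id": msg.get("Message-ID", "").strip(),
              "subject": msg.get("Subject", "")}
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())              # unfold continuation lines
        m = WEBMAIL_HOP.match(flat)
        if m:
            result["webmail_client_ip"] = m.group(1)
            result["webmail_host"] = m.group(2)
            submitted = parsedate_to_datetime(m.group(3))
            result["submitted_utc"] = submitted.astimezone(timezone.utc).isoformat()
            continue
        m = RELAY_HOP.match(flat)
        if m:
            result["relay_host"], result["relay_ip"], result["receiving_mx"] = m.groups()
    dkim = " ".join(msg.get("DKIM-Signature", "").split())
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]*)", dkim)}
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result["from_domain"] = from_domain
    result["dkim_domain"] = tags.get("d", "").lower()
    result["dkim_aligned"] = bool(from_domain) and from_domain == result["dkim_domain"]
    if "t" in tags:
        signed = datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
        result["dkim_signed_utc"] = signed.isoformat()
    return result


if __name__ == "__main__":
    for key, value in triage_headers(EMAIL2_HEADERS).items():
        print("%-18s %s" % (key, value))
```

Run on the EMAIL 1 headers the same way, the function returns 117.88.250.185 via web120112.mail.ne1.yahoo.com. The DKIM t= timestamp (1301319233) lands one second after the webmail submission time, which is the ordering you expect when the signature is applied by the sending provider; a large gap there, or a d= domain that does not match From, is what deserves a second look.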



Automated Scans

File name: CTF 2011 (MF).xls
MD5: b4c83c1bfa52e8606ddc306625938c21
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301454466
Submission date: 2011-03-30 03:07:46 (UTC)
Result: 6/41 (14.6%)

ClamAV             0.96.4.0      2011.03.30    BC.XLS.Exploit.CVE_2009_3129
Jiangmin           13.0.900      2011.03.29    Heur:Exploit.CVE-2009-3129
McAfee             5.400.0.1158  2011.03.30    Exploit-MSExcel.u
McAfee-GW-Edition  2010.1C       2011.03.29    Exploit-MSExcel.u
Microsoft          1.6702        2011.03.30    Exploit:Win32/CVE-2009-3129
Sophos             4.64.0        2011.03.30    Troj/DocDrop-S

Only 6 of 41 engines flag the file five days after the first mailing; three of them (ClamAV, Jiangmin, Microsoft) name CVE-2009-3129 explicitly.

Same file (same MD5 and SHA-256), submitted earlier under the other attachment name:
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301338109
File name: BBC Monitoring reports..xls
Submission date: 2011-03-28 18:48:29 (UTC)
Result: 6/43 (14.0%)



 

