Wednesday, March 30, 2011

Tuesday, March 29, 2011

Mar 29 CVE-2009-3129 XLS An Interview Request from a Columbia University Student

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

 

Just a quick post without any analysis. Have fun.

  General File Information

File  Lybia.xls
MD5   7795F3C874677C8D95D070D7D40725AD
File size : 7e0e69aff159f8bb31c4e5c62228c952d3ae1fd2
Type:  XLS
Distribution: Email attachment


Download

Original Message


From: Steve Perry [mailto:steve.e.perry@gmail.com]
Sent: Tuesday, March 29, 2011 3:52 AM
To:XXXXXXXXXXXXXXX
Subject: An Interview Request from a Columbia University Student

Dear Sir,

My name is Steve Perry, and I am a student at the Columbia University Graduate School of Journalism.I was assigned to focus on current conflict in Libya and was demanded to publish it in a variety of news media outlets, which is a demand for graduation.

I learn you from the following links.
XXXXXXXXXXXXXXXXXXXXXXXXX

You are a famous expert on Middle East problems, so I request to interview your. I would be honored if you receive my interview. I have made an excel diagram including questions. I hope that when you are free, you can fill in the diagram and send it back to me. Thanks very much!

Sincerely,
Steve Perry

Message Headers

Gmail :(

Received: (qmail 32598 invoked from network); 29 Mar 2011 07:52:31 -0000
Received: from mail-ww0-f67.google.com (HELO mail-ww0-f67.google.com) (74.125.82.67)
  by           29 Mar 2011 07:52:31 -0000
Received: by wwa36 with SMTP id 36so738671wwa.6
        for ; Tue, 29 Mar 2011 00:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=9+Kwinch+3AeawaoEuQ3RtWBovUsLb0jm49x9OgIWYo=;
        b=SQdWqICrXhvehS3/U1o9etl84hC3Wq9SEcaiVOGJd40mTFWwunPj6aq4LocEmdRjGC
         eZCsghb/5uT74cuVjf4yWI4IEhNIxDF4g46aAH2vzDk4u/DKqNmXuH/t4jYYAdsExmhO
         G16W3iTR8jYQOeZqIu+XYXosOs/Mpv4VHxq+I=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=JxFV5kH+bjtpaW14GKTeoFxH4s5Pai3QJmQrQnUmP5RcMQmDTXFvzgA7sOOcPxtmlo
         0HeKcEAqZqh+MboRce6YsfRrama3ZhVPzqQoqhDovYzWUqkK0TgzaE8LvebZxaYEMP0D
         9KUb8Pt1uQEukmWxdtZabPIkKKBTkPNOjNQjw=
MIME-Version: 1.0
Received: by 10.216.68.85 with SMTP id k63mr2841503wed.35.1301385149026; Tue,
 29 Mar 2011 00:52:29 -0700 (PDT)
Received: by 10.216.166.84 with HTTP; Tue, 29 Mar 2011 00:52:28 -0700 (PDT)
Date: Tue, 29 Mar 2011 15:52:28 +0800
Message-ID:
Subject: An Interview Request from a Columbia University Student
From: Steve Perry
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed; boundary="000e0ce0b1ba86156e049f9a5758"




Automated Scans

File name:Libya.xls
http://www.virustotal.com/file-scan/report.html?id=b7949a6ac1f2bdf0010423c77740680e396f6234658b1c7574c576e8e7211c79-1301435181
Submission date:2011-03-29 21:46:21 (UTC)
ClamAV     0.96.4.0     2011.03.29     BC.XLS.Exploit.CVE_2009_3129
Commtouch     5.2.11.5     2011.03.24     MSExcel/Dropper.B!Camelot
Jiangmin     13.0.900     2011.03.29     Heur:Exploit.CVE-2009-3129
McAfee     5.400.0.1158     2011.03.29     Exploit-MSExcel.u
McAfee-GW-Edition     2010.1C     2011.03.29     Heuristic.BehavesLike.Exploit.X97.CodeExec.FFOD
Microsoft     1.6702     2011.03.29     Exploit:Win32/CVE-2009-3129
Sophos     4.64.0     2011.03.29     Troj/DocDrop-S
TrendMicro     9.200.0.1012     2011.03.29     TROJ_EXLDROP.SM
TrendMicro-HouseCall     9.200.0.1012     2011.03.29     TROJ_EXLDROP.SM
MD5   : 7795f3c874677c8d95d070d7d40725ad


 


Monday, March 28, 2011

Mar 25-28 CVE-2009-3129 XLS LES Request or Lybia Crisis from bran343@yahoo.com

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

 

Just a quick post without any analysis. Have fun.

  General File Information

File  CTF 2011 (MF).xls or BBC Monitoring report
MD5  b4c83c1bfa52e8606ddc306625938c21
File size : 
65559 bytes
Type:  XLS
Distribution: Email Attachment


Download

Original Message

 
From: Brandy R [mailto:bran343@yahoo.com]
Sent: Friday, March 25, 2011 5:26 AM
Subject: Fw: LES Request

Good morning,

Please find attached the LES's you requested.

Thank you and have a good day,

Christina Donald
Contractor, MPSC Systems Analyst ARNG Financial Services Center NGB -ARC-F
ATTN: NGB-ARC-F (Column 118D)
Finance Support Team Indianapolis
1-877-ARNGPAY (1-877-276-4729)
FAX CML 317-510-7017 
EMAIL 2 Libya crisis
 
From: Brandy R [mailto:bran343@yahoo.com]
Sent: Monday, March 28, 2011 9:34 AM
Subject: Libya crisis

FYI.

Message Headers

EMAIL 1 Fw: LES Request

Received: (qmail 5543 invoked from network); 25 Mar 2011 09:26:12 -0000
Received: from web120112.mail.ne1.yahoo.com (HELO web120112.mail.ne1.yahoo.com) (98.138.85.159)
  by XXXXXXXXXXXXXXXXXXwith SMTP; 25 Mar 2011 09:26:12 -0000
Received: (qmail 27995 invoked by uid 60001); 25 Mar 2011 09:26:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301045172; bh=Q62Ncyt0FmiR48qzSD2tYeVDQS315MhWUx3E6d4ifJE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=X2I4ntxH/Fnul07T0st7CxQxfEX5Z6WewIv4veR5FX6ZKDioiQCxxLmvlFR/nRcScQgUWImSHirG2jMFJDig3Lp3urcsL1nRW14a0uo6cLySG+0KGvUxErwQfOPanoimt6cFe3T4wb+/gZLHKp7rpdEp2FCupPEYs+Dy4QkIbLg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=yEOAl0r6EEbTisJcFejV8CFR38jDRwyX/JEMmQCtD0C//+gadqMg1lSADpI8/KQieDqj5/U50GVuY26xGBA3XB0LstVa88F9ib1UiB53eLB9+7+5iye3vJa3TlZHOvw56KMsD93wp4OUnn9KWGQEyEvsXyzV5ilQK9KmjdCW0x0=;
Message-ID: <126300.8410.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: OFUzx_AVM1n91t0zEacsTpDPyCacKf2bDHKoqB6Vn3hPfTd
 IqUqiUZjNAJvjU.tBh7Y08mchb1DO6XwlWqlesWY6RC1xTnjPd16nUJfGWwR
 Tuc9T.IQ3FpvpU0JBRq_l6KbOgoSsEVKnJmkkbrAZiNnN2Rt.4Ly9h4H.ZWP
 LLFpLCn_yKWiQmmaTUXHNS4JTcJ_rU3VnM5Df3CT1HA8Y_nrHrMhWI5m3F46
 tFQJvqGN0cORcXWmMhaQf8Rpikw7BY1uTWAd5S8Akf..VeQyvCrFedOPa3iV
 cdC9kTJYEuZj4.x_6wdAcgem9V0AD8K4pXrMprRdlC.cjzCoFPIXgJQyzTcQ
 IDMF3DDktcbnLDERPCsU3RgeXtQJZWVwwcqzu3NOxiOmt3IBYaVSUsUKl
Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP; Fri, 25 Mar 2011 02:26:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 25 Mar 2011 02:26:11 -0700
From: Brandy R
Subject: Fw: LES Request
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-422978493-1301045171=:8410"
 EMAIL 2 Libya crisis
 Received: (qmail 31482 invoked from network); 28 Mar 2011 13:33:54 -0000
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
  by XXXXXXXXXXXXXXXXXXXX with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233; bh=KYu2+ZnqxcpYMv5Jjh4esqvHpQ0m1JZbZASUr8Yt8y0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=HLo1/STzZ10/E7dyLoxHfdvAdRbkLoNYvn9FMIltVGVjIK7vuskv65yQGO2fkGSnCIC7modL5Doxocc0bJEBKDgBAS0yZ/YBoM5w3GFZYdlboS+q5rr6lU0u14vSFAPGBXzoTtiAybhKeR7q5nUzu3926eCuSq0scs4BHN4JAP0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=zJnVrp3C96n4JIp+/JrjPKMe+6V/FIUqAkF9W/X6PLPvwkTY687N00JS3fUQQg1Xfv6QrROmVJYqZqzzYqd0nsy7LWnl08HsXxa1vuQezTH8Tw5c2X6l5u7GdHPMNX9d0k6ifYaypGcN8GuWzSaR83EourWpARC3nHtLFobwFZU=;
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
X-YMail-OSG: _o26bK0VM1kBRio8SdKmAGN2J9.AjMCRjJwMgZz3m5sgukn
 kIjR.Bkmhk7uNNOdN7FD2sCVdKC2zdHC.LaIDIPoHk.LUlvwjfcFa_HR4jEJ
 ep7vem6mDGvEMfsZRizMV.QwJ9JBnHc3N4a.4h.5Z4oBnpmhYhJQ0yI6A.Rw
 KXH6WzOHEYDg3nIjRjmbT1pieLwUAoBErZ9_ynJ97G1ZVK2uXmG7bA0bRGwc
 D2X_Z335W_0gHNJm2IBsC34Wo5qeRvR.i4Bb6LUhkzGFadB7Y0pQObaqumW.
 SI2jy2na7kgoidxSlAiVkSzk.vL4Mf2DfO.wTW6l_k9P9xjPBEJkEcd0mt5t
 _KLaw5bxapbg-
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R
Subject: Libya crisis
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-993720929-1301319232=:59989"

Sender

Sender EMAIL 2 Fw: LES Request
117.88.250.185Hostname:    185.250.88.117.broad.nj.js.dynamic.163data.com.cn
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Jiangsu
Sender EMAIL 1  Libya crisis
117.88.171.49
Hostname:    49.171.88.117.broad.nj.js.dynamic.163data.com.cn
ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Jiangsu
City:    Nanjing



Automated Scans

File name:CTF 2011 (MF).xls
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301454466
Submission date:2011-03-30 03:07:46 (UTC)
6/ 41 (14.6%)
ClamAV    0.96.4.0    2011.03.30    BC.XLS.Exploit.CVE_2009_3129
Jiangmin    13.0.900    2011.03.29    Heur:Exploit.CVE-2009-3129
McAfee    5.400.0.1158    2011.03.30    Exploit-MSExcel.u
McAfee-GW-Edition    2010.1C    2011.03.29    Exploit-MSExcel.u
Microsoft    1.6702    2011.03.30    Exploit:Win32/CVE-2009-3129

Sophos    4.64.0    2011.03.30    Troj/DocDrop-S
MD5   : b4c83c1bfa52e8606ddc306625938c21

SAME MD5
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301338109
File name:BBC Monitoring reports..xls
Submission date:2011-03-28 18:48:29 (UTC)
Result:6 /43 (14.0%)



 


Monday, March 21, 2011

Request for samples

I don't usually post these but if you happen to have any of these samples, would you please share.
You can email them to me (milaparkour [at] gmail) or upload them here. I will make them available for download here too. Thank you!


Click to download those files that are already available. Many thanks for sharing!

All together here or separate below

0d711f2049a6004cffe447dab78cd7e5 PDF - Virustotal
fd81375f921e6723698f62477c2f9dd2 ZIP Virustotal
b79acae1e48280f1b4d52e68e8b257ba
f973c87234cfc6d29ea46580e8154a8a
6da2c0c57543836e9d65f829db4a02b6
78afb95181180b58baeb0259a9148500
76667db5b3c01946050020bb0c56b6df
de3464432bc58cc1e5c2ebf3e3182f41
af9af27bebd08ade63a380d33e16099f
43c2aad81665ddf0e585f50771a20582 PDF Virustotal  Join the mass lobby on March 10Students for a Free Tibet.pdf
b7db936e928b774ace570805bd2f19fe HLP Virustotal G20_REPORT.hlp-1 --- An excellent analysis by Shpata Skenderbeut  is here- Shpata0xFF
cee5b36d53f221227ed0336c76f3762a PDF - Virustotal  The National Military Strategy of the United States of Am[...].pdf
cfd98da8e0ba3d06410341c8c8e84570
9476ed0a007ba332b7da0a657b1608bd DOC Virustotal National situation.doc  --- An excellent analysis by Shpata Skenderbeut  is here- Shpata0xFF
c77c55cc391ff4370b7b386b73f3ccc5 PDF Virustotal Cybercrime and Cyberwar.pdf
c8581fd341459639f4e93361a1bb88e2 XLS Virustotal celebration plan.xls
53d54ffe118642102fe626649f9ffdba DOC Virustotal Impasses, Elections, and the Future of the Tibetan Issue .doc
cc380bfd97164aff5878075e78570ada  India-United States Naval Cooperation.DOC Virustotal  file-1938795_doc An excellent analysis by Shpata Skenderbeut  is here- Shpata0xFF
caba55d2efa02358b90cc9413db63b92
049675afd5c9505b9715872d499b9389 PDF Virustotal Semshook Toronto Poster.pdf   << Clean, presumably. Posted at the request of the group asking for these samples.
28f5ed6f32f3d9b800cf41c663b6c7f4 CHM Virustotal  Desperate Choices.chm
bd863aeebf90fc2b02b6bbf83060178e
fb2c262466eb364657f30f312d87f987
6484267e2e6460384e3f8698aab4a685






Tuesday, March 15, 2011

CVE-2011-0609 - Adobe Flash Player ZeroDay - Update

Common Vulnerabilities and Exposures (CVE)number


  General File Information

SAMPLE1

File   crsenvironscan.xls
MD5 4BB64C1DA2F73DA11F331A96D55D63E2
File size : 126,444 bytes
Type:  XLS
Distribution: Email attachment

SAMPLE 2

File   survey-questions_2011.xls
MD5 4031049FE402E8BA587583C08A25221A
File size : 108032 bytes
Type:  XLS
Distribution: Email attachment

SAMPLE 3

File   Tentative Agenda.xls
MD5 d8aefd8e3c96a56123cd5f07192b7369
File size : 123300 bytes
Type:  XLS
Distribution: Email attachment

SAMPLE4

File   Nuclear Radiation Exposure And Vulnerability Matrix.xls
MD5 7CA4AB177F480503653702B33366111F
File size :  279616 bytes
Type:  XLS
Distribution: Email attachment

Download


Download CVE-2011-0609 as a password protected archive. (Email me if you need the password)

Files included
  • CVE-2011-0609_XLS-SWF-2011-03-08_4BB64C1DA2F73DA11F331A96D55D63E2_crsenvironscan.xls
  • CVE-2011-0609_XLS-SWF_2011-03-12_4031049FE402E8BA587583C08A25221A_survey-questions_2011.xls
  • CVE-2011-0609_XLS-SWF_2010-03_d8aefd8e3c96a56123cd5f07192b7369_Tentative Agenda.xls
  • CVE-2011-0609_XLS-SWF_2011-03-17_Nuclear Radiation Exposure And Vulnerability Matrix.xls

Analysis Links

1. March 15 Villy from  BugiX - Security Research posted an interesting static analysis of the malicious sample.
Please check it out at CVE-2011-0609 - Adobe Flash Player ZeroDay

2.  March 16 CVE-2011-0609 payload a.exe analysis  http://shpata0xff.wordpress.com/2011/03/16/cve-2011-0609-payload-a-exe-analysis/

3.  March 16 Trojan.Linxder and the Flash 0-day (CVE-2011-0609)  FireEye Malware Intelligence Lab

4. March 16 Adobe Flash 0-day, China CNE Operators LoVeZ ‘em Veiled Shadows

5. March 18 Busting the APT can Wide Open  -Veiled Shadows  Very detailed and interesting post regarding connection of http://twitter.com/yuange1975 with this zero day exploit. I agree that yuange1975 on twitter is the author of the exploit or connected to the author,  but am not sure whether the real yuange1975 or 袁哥, who is known as Yuan Colombian "the hacker #1" is the author of tweets, his real English skills are much worse - check out his Full Disclosure posts. The last Sample 4 also carries Yuan.SWF (thanks to villys777 for pulling it out) , which is another link to our friend. Please note, we are talking about the author of the exploit, not the senders. The senders of the payload are those who bought 0day from "Yuange" and used it for the attack. Now, would be nice to know who they are too.

6. March 18  A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability Jeong Wook Oh & Marian Radu

7. March 19 Attack Using CVE-2011-0609 shellcode and flash analysis by Broderick(F-Secure) 

Original Message, Sender and Headers

SAMPLE1

Subject: Environmental Scan Matrix of Risk and Security Organizations

Partial headers
Received: from [75.148.254.114] by web121120.mail.ne1.yahoo.com via HTTP; Tue, 08 Mar 2011 05:57:57 PST
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.292656
Date: Tue, 8 Mar 2011 05:57:57 -0800 (PST)

SAMPLE 4

 Received: (qmail 2936 invoked from network); 17 Mar 2011 14:54:06 -0000
Received: from mail-iw0-f195.google.com (HELO mail-iw0-f195.google.com) (209.85.214.195)
  by XXXXXXXXXXXXXXXXXXX 17 Mar 2011 14:54:06 -0000
Received: by iwn19 with SMTP id 19so678003iwn.6
        for XXXXXXXXXXXXX; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=0xRgb5+/fvZxd0/qwfyRCbJDcn6ChfzZlNrsKyAv2wc=;
        b=qGVeBRR/w/6570uTsq5FFwodcGrtx2AfEjO99oW5dvgXV3mfqxhCy5Z2tEJDNOyMUx
         ptroBCJneuZvbzhbieQ+AszVNPj5iK/R74AhWrOX7Qi2bd8zYXlPquoRLsOPA/tjtiO0
         whvjpmP9PZoa0/bqKEYNXoiWY8aCvIqdTr+O0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=ad7u5tW0S8k16ETcmnMIxdWUwZdK5ImqIlb1/DJkhSycWu99llJVQEhx1E9flh6IPc
         ie6Ed9DNccVoWoKyHWby/9ZImkDKRvt3tx4gNB/0azF/PAh71ZNRdZbHGiKNiAjETmC0
         FyijnpVHFkwVMerRhj03F7VyQCCQR/hLU0uec=
MIME-Version: 1.0
Received: by 10.43.49.10 with SMTP id uy10mr1977189icb.407.1300373646197; Thu,
 17 Mar 2011 07:54:06 -0700 (PDT)
Received: by 10.231.166.139 with HTTP; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
Date: Thu, 17 Mar 2011 10:54:06 -0400
Message-ID:
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"



Original Message


SAMPLE 4

From: Merrie Sasaki [mailto:merrie.sasaki@gmail.com]
Sent: Thursday, March 17, 2011 10:54 AM
To: XXXXXXXXXXXXXXX
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis

The team has poured in heart and full dedication into this.
Would be grateful if you appreciate it.
      
V/r,
Merrie
      
Dr. Merrie Sasaki
Team Leader, Nuclear Materials Operation
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
21 Church Street: C2-A07M
Washington, DC 20555

Automatic Scans

File name:crsenvironscan.xl_
Submission date:2011-03-16 10:21:16 (UTC)
Result:9 /43 (20.9%)
http://www.virustotal.com/file-scan/report.html?id=350943b8187458d880cd47ed881d0695e1373d44ed55a1ff963c631173bff06a-1300270876
AhnLab-V3     2011.03.16.04     2011.03.16     Dropper/Cve-2011-0609
BitDefender     7.2     2011.03.16     Exploit.CVE-2011-0609.A
Commtouch     5.2.11.5     2011.03.16     MSExcel/Dropper.B!Camelot
DrWeb     5.0.2.03300     2011.03.16     Exploit.SWF.169
Emsisoft     5.1.0.2     2011.03.16     Exploit.CVE-2011-0609!IK
GData     21     2011.03.16     Exploit.CVE-2011-0609.A
Ikarus     T3.1.1.97.0     2011.03.16     Exploit.CVE-2011-0609
Microsoft     1.6603     2011.03.16     Trojan:Win32/Malfws.A
TrendMicro-HouseCall     9.200.0.1012     2011.03.16     TROJ_ADOBFP.B
MD5   : 4bb64c1da2f73da11f331a96d55d63e2


File name:survey-questions_2011.xls
http://www.virustotal.com/file-scan/report.html?id=454f624958298bf76c5b7ffa1509159b827856095d41672707fcf6416a818ddb-1300269042 
Submission date:2011-03-16 11:21:13 (UTC)
Current status:queued queued analysing finished
Result:13/ 43 (30.2%)
AhnLab-V3    2011.03.16.04    2011.03.16    Dropper/Cve-2011-0609
BitDefender    7.2    2011.03.16    Exploit.CVE-2011-0609.A
DrWeb    5.0.2.03300    2011.03.16    Exploit.SWF.169
Emsisoft    5.1.0.2    2011.03.16    Win32.SuspectCrc!IK
eSafe    7.0.17.0    2011.03.15    Win32.Dropper
F-Secure    9.0.16440.0    2011.03.14    Exploit:W32/XcelDrop.F
GData    21    2011.03.16    Exploit.CVE-2011-0609.A
Ikarus    T3.1.1.97.0    2011.03.16    Win32.SuspectCrc
Kaspersky    7.0.0.125    2011.03.16    Trojan-Dropper.MSExcel.SwfDrop.a
Microsoft    1.6603    2011.03.16    Trojan:Win32/Malfws.A
Symantec    20101.3.0.103    2011.03.16    Trojan.Dropper
TrendMicro    9.200.0.1012    2011.03.16    TROJ_ADOBFP.A
TrendMicro-HouseCall    9.200.0.1012    2011.03.16    TROJ_ADOBFP.A
MD5   : 4031049fe402e8ba587583c08a25221a

File name: Tentative Agenda.xls
http://www.virustotal.com/file-scan/report.html?id=db04002f898e2e8090a2cf1bb3af615d478d746f8986aef7a715e2e322abe42b-1300298219
Result: 8/ 43 (18.6%)
AhnLab-V3 2011.03.17.00 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Sophos 4.63.0 2011.03.16 Troj/XLSDrp-A
VIPRE 8722 2011.03.16 Exploit.SWF.CVE-2011-0609.a (v)
MD5   : d8aefd8e3c96a56123cd5f07192b7369 




 Nuclear Radiation Exposure And Vulnerability Matrix.xls
Submission date:2011-03-19 15:06:10 (UTC)
Result:8/ 43 (18.6%)
 http://www.virustotal.com/file-scan/report.html?id=c4ad40b6b002039fb07bd6539f9003dffb0f46440822e85198a8502a3828d3a3-1300547170
AntiVir    7.11.5.1    2011.03.18    DR/OLE.HiddenEXE.Gen
AVG    10.0.0.1190    2011.03.19    Generic21.AVXW
BitDefender    7.2    2011.03.19    Exploit.D-Encrypted.Gen
Commtouch    5.2.11.5    2011.03.19    MSExcel/Dropper.B!Camelot
F-Secure    9.0.16440.0    2011.03.19    Exploit.D-Encrypted.Gen
GData    21    2011.03.19    Exploit.D-Encrypted.Gen
McAfee    5.400.0.1158    2011.03.19    Exploit-CVE2011-0609
Sophos    4.63.0    2011.03.19    Mal/PdfExDr-B
 MD5   : 7ca4ab177f480503653702b33366111f

Mar 14 CVE-2010-3333 Disaster in Japan: Watch Report from spoofed mail@response.stratfor.com

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File   Disaster in Japan (Watch Report).doc
MD5 
7b3208b1dc28b2d5f7641aa212e6aabf
SHA1  8a60a2183a044bbeae90f0354acdbf6f6f052925
File size : 62464 bytes
Type:  DOC
Distribution: Email attachment


Download

Friday, March 11, 2011

ESET Nod32 false positive on Java

Update March 16, 2011.
Argh, once again, they detect java as malware. If you have a large enterprise and every user clicks "Clean", you  have a lot of computers with damaged Java. Annoying.

Anyway, it is fixed in update 5960. It will not fix the broken java or your nerves but will stop the nagging screens.

Tuesday, March 1, 2011

Feb 25 CVE-2010-3333 DOC China's Military Build-up from a compromised IBEW-NECA Joint Trust Funds account

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File  China's Military Build-up in the Early Twenty-first Century
MD5   02B77C3941478A05F2EE6559E3B76FB6
SHA1 
cd7a8327dc8917d90bdbe693a310fa75a43a1ae0
File size : 214503 bytes
Type:  PDF
Distribution: Email attachment

Download

Sender: It appears that the message is not spoofed but was sent from a compromised account, which belongs to an existing employee of "The Local 26 IBEW-NECA Joint Trust Funds" located in Laurel, Maryland.

This mail server IP 69.85.28.235 is not shared by multiple customers and it was already featured by the Project Honeypot for sending phishing mail
It appears to be a hosted mail server.  Please see more information about this in the Sender section below.

Attachment: The attachment is a malicious word (RTF) document (CVE-2010-3333), with the payload described below plus a clean word document - the paper named in the subject of the message "China’s military build-up in the early twenty-first century : from arms procurement to war-fighting capability" The paper itself in pdf format is available at the Nanyang Technological University website (Singapore)

Payload: The embedded binary (Trojan.CryptRedol.Gen.3) creates a copy of itself (same MD5 each time) with a new name in %userprofile%\Local Settings, connects to an IP in Thailand, creates a registry setting to run on startup, it runs under svchost.exe.
The names match standard Windows DLL and EXE files. There are 34 (at least 40) variations possible.  Please see older files with  similar  AV detection  here

List of possible names:
    Alerter.exe
    AppMgmt.exe
    CiSvc.exe
    ClipSrv.exe
    COMSysApp.exe
    dmadmin.exe
    Dot3svc.exe
    EapHost.exe
    HidServ.exe
    hkmsvc.exe
    ImapiService.exe
    Messenger.exe
    mnmsrvc.exe
    MSDTC.exe
    MSIServer.exe
    napagent.exe
    NetDDE.exe
    NetDDEdsdm.exe
    Netlogon.exe
    NtLmSsp.exe
    NtmsSvc.exe
    ose.exe
    RasAuto.exe
    RDSessMgr.exe
    RemoteAccess.exe
    rpcapd.exe
    RpcLocator.exe
    RSVP.exe
    SwPrv.exe
    SysmonLog.exe
    TlntSvr.exe
    upnphost.exe
    UPS.exe
    VSS.exe
    WmdmPmSN.exe
    Wmi.exe
    WmiApSrv.exe
    wuauserv.exe
    xmlprov.exe