Showing posts with label - MS EXCEL 2002 SP3

Thursday, May 13, 2010

May 13 CVE-2009-3129 XLS General Hospital service from taup@msa.hinet.net

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability." 

From: 陳志良 (Zhi-Liang Chen) [mailto:taup@msa.hinet.net]
Sent: Thursday, May 13, 2010 10:13 PM
To: XXXX
Subject: FW: 三軍總醫院健康檢查中心提供健康食譜.xls (Tri-Service General Hospital Health Examination Center provides healthy recipes.xls)

Very good healthy recipes; please spread the word so that more people in Taiwan can eat healthily.

 File ATT42396.xls received on 2010.05.19 11:43:29 (UTC)
http://www.virustotal.com/analisis/26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6-1274269409
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.19    MSExcel/Dropper.B!Camelot
Jiangmin    13.0.900    2010.05.19    Heur:Exploit.CVE-2009-3129
PCTools    7.0.3.5    2010.05.19    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.05.19    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
Additional information
File size: 64512 bytes
MD5...: 61a29b7d8a6c3a03a884f2f64be5ca21

header info 
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXX with SMTP; 14 May 2010 02:13:35 -0000
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr6.hinet.net (8.9.3/8.9.3) with ESMTP id KAA15594
    for XXXXX; Fri, 14 May 2010 10:13:29 +0800 (CST)
Reply-To: taup@msa.hinet.net

203.69.74.246
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
State/Region:    T'ai-pei


Monday, May 10, 2010

May 10 CVE-2009-3129 XLS schedule of the defense industry evaluation from 0922750173@mail.ahccddi.org.tw


Download d4b98bda9c3ae0810a61f95863f4f81e ATT39755.xls and all the files described below as a password-protected archive (contact me if you need the password)


From: 工合會報 [mailto:0922750173@mail.ahccddi.org.tw]
Sent: Monday, May 10, 2010 9:38 AM
To: XXXXXXXXXXX
Subject: 99下半年國防工業評鑑日期表 (Schedule of defense industry evaluation dates for the second half of 99)

Attached is one copy of the schedule of defense industry evaluation dates for the second half of 99; please review.
                 Sincerely, 蕭名槐 (Huai Hsiao)

Headers
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXX with SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CAF089.0C84DC60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

202.65.223.202
Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
ISP:    Genesis Net Limited
Organization:    Tsuen Wan
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
 City:    Central District
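Walking the Received chain above by hand gives the same answer a small parser would. As an added example (not part of the original post), this Python unfolds the headers quoted above, lists the hops in transit order and returns the earliest external IP, which is the Hong Kong address looked up above rather than anything in the claimed mail.ahccddi.org.tw sender domain; the header text is embedded as a constructed sample so it runs offline.

```python
import re

# Received chain copied from the post above (author's redactions kept), embedded so
# the example runs offline.
HEADERS = """Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXX with SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOP = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)")

def unfold(raw):
    """Join folded continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def received_hops(raw):
    """Received hops in transit order (earliest first): relays prepend headers, so the
    last Received line is the first hop. qmail 'invoked from network' entries are the
    relay's local hand-off and name no sending host, so from_ip is None for them."""
    hops = []
    for hdr in unfold(raw):
        if not hdr.lower().startswith("received:"):
            continue
        m = HOP.match(hdr[len("received:"):].strip())
        if m:
            host, extra, relay = m.groups()
            ip = IPV4.search(host + " " + extra)
            hops.append({"from_host": host.strip("[]"),
                         "from_ip": ip.group(1) if ip else None, "by": relay})
        else:
            hops.append({"from_host": None, "from_ip": None, "by": None})
    hops.reverse()
    return hops

def origin_ip(raw):
    """Earliest external IP that handed the message in, whatever the From: domain claims."""
    return next((h["from_ip"] for h in received_hops(raw) if h["from_ip"]), None)
```

The first hop with a real sending host (202.65.223.202, relayed through mailsnd3.chol.com in Korea) is where attribution starts; the From: domain is only a claim.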


  File ATT39755.xls received on 2010.06.03 11:27:14 (UTC)
http://www.virustotal.com/analisis/616b561b49258346ead431e34fb1925e2dbc11fb4620083efae92d7ed8e5333c-1275564434
Result: 7/41 (17.08%)
Jiangmin    13.0.900    2010.06.03    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.03    Trojan-Dropper.MSExcel.Agent.bc
Heuristic.BehavesLike.Exploit.X97.CodeExec.FFLG
PCTools    7.0.3.5    2010.06.03    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.03    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
Additional information
File size: 72192 bytes
MD5...: d4b98bda9c3ae0810a61f95863f4f81e


Files created
%Userprofile%\LOCALS~1\Temp\wuauclt.exe
File: wuauclt.exe  Size: 31232  MD5: D037500368207625E3FFEE16C50D60A7
%Userprofile%\LOCALS~1\Temp\ATT39755.xls
File: ATT39755.xls  Size: 13824  MD5: 75B495C8324C4DCF5A0B2CFCACC47971 (clean xls file)

http://www.virustotal.com/reanalisis.html?1a15e1c3220e8d1800bb7b186e9d47f63aefd669cd0f1569a79982498d5d9ba6-1275579814
File wuauclt.exe received on 2010.06.02 00:43:59 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5802 2010.06.02 Backdoor:Win32/Ixeshe.A
Norman 6.04.12 2010.06.01 W32/Malware
TrendMicro 9.120.0.1004 2010.06.01 BKDR_IXESHE.SM
TrendMicro-HouseCall 9.120.0.1004 2010.06.02 BKDR_IXESHE.SM
Additional information
File size: 31232 bytes
MD5   : d037500368207625e3ffee16c50d60a7



TCP traffic to 211.78.147.220

Hostname:    ll-211-78-147-220.ll.sparqnet.net
ISP:    New Centry InfoComm Tech. Co., Ltd.
Organization:    Lill Guan Industry co., LTD
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
City:    Taichung