Showing posts with label - MS EXCEL 2003. Show all posts

Monday, May 10, 2010

May 10 CVE-2009-3129 XLS schedule of the defense industry evaluation from 0922750173@mail.ahccddi.org.tw


Download d4b98bda9c3ae0810a61f95863f4f81e ATT39755.xls and all the files described below as a password protected archive (contact me if you need the password)


From: ¤u¦X•|³ø [mailto:0922750173@mail.ahccddi.org.tw]
Sent: Monday, May 10, 2010 9:38 AM
To: XXXXXXXXXXX
Subject: Schedule of defense industry evaluations for the second half of year 99 (ROC calendar)

Attached is one copy of the schedule of defense industry evaluations for the second half of year 99; please review.
                 Respectfully, 蕭名槐

Headers
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXX with SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CAF089.0C84DC60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

202.65.223.202
Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
ISP:    Genesis Net Limited
Organization:    Tsuen Wan
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
 City:    Central District


  File ATT39755.xls received on 2010.06.03 11:27:14 (UTC)
http://www.virustotal.com/analisis/616b561b49258346ead431e34fb1925e2dbc11fb4620083efae92d7ed8e5333c-1275564434
Result: 7/41 (17.08%)
Jiangmin    13.0.900    2010.06.03    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.03    Trojan-Dropper.MSExcel.Agent.bc
Heuristic.BehavesLike.Exploit.X97.CodeExec.FFLG
PCTools    7.0.3.5    2010.06.03    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.03    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
Additional information
File size: 72192 bytes
MD5...: d4b98bda9c3ae0810a61f95863f4f81e


Files created
%Userprofile%\LOCALS~1\Temp\wuauclt.exe
File: wuauclt.exe  Size: 31232  MD5: D037500368207625E3FFEE16C50D60A7
%Userprofile%\LOCALS~1\Temp\ATT39755.xls
File: ATT39755.xls  Size: 13824  MD5: 75B495C8324C4DCF5A0B2CFCACC47971  == clean xls file

http://www.virustotal.com/reanalisis.html?1a15e1c3220e8d1800bb7b186e9d47f63aefd669cd0f1569a79982498d5d9ba6-1275579814
File wuauclt.exe received on 2010.06.02 00:43:59 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5802 2010.06.02 Backdoor:Win32/Ixeshe.A
Norman 6.04.12 2010.06.01 W32/Malware
TrendMicro 9.120.0.1004 2010.06.01 BKDR_IXESHE.SM
TrendMicro-HouseCall 9.120.0.1004 2010.06.02 BKDR_IXESHE.SM
Additional information
File size: 31232 bytes
MD5   : d037500368207625e3ffee16c50d60a7
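A small triage check, added here as an example and not the blog's own tooling, that turns the two drop indicators above into detection logic: match the MD5 of the dropped wuauclt.exe, and flag any file named wuauclt.exe that is not under the Windows system directories, because the real Windows Update client runs from System32. The file inventory, the system-directory list and the two placeholder hashes are constructed for the example; only the two MD5s taken from the page are real.

```python
import hashlib
import ntpath

# MD5 of the wuauclt.exe dropped into %Temp% by ATT39755.xls, as listed above.
KNOWN_BAD_MD5 = {"d037500368207625e3ffee16c50d60a7"}

# Names of Windows binaries that legitimately live only under the system
# directories; a copy anywhere else (here: %Temp%) is a masquerade indicator.
# Assumption for the example: these two directories are the legitimate homes.
SYSTEM_BINARY_NAMES = {"wuauclt.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed inventory of (path, md5) pairs as a host triage script might
# collect them. The two %Temp% entries mirror the drops described above; the
# other two hashes are placeholders, not real file hashes.
SAMPLE_INVENTORY = [
    (r"%Userprofile%\LOCALS~1\Temp\wuauclt.exe",
     "D037500368207625E3FFEE16C50D60A7"),
    (r"%Userprofile%\LOCALS~1\Temp\ATT39755.xls",
     "75B495C8324C4DCF5A0B2CFCACC47971"),          # the clean decoy workbook
    (r"C:\WINDOWS\system32\wuauclt.exe",
     "00000000000000000000000000000000"),          # placeholder: real client
    (r"C:\Temp\wuauclt.exe",
     "ffffffffffffffffffffffffffffffff"),          # placeholder: unknown copy
]


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file on disk, streamed so large files are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path, md5):
    """Return a reason string if the file is suspicious, otherwise None."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if md5.lower() in KNOWN_BAD_MD5:
        return "hash matches the wuauclt.exe dropped by ATT39755.xls"
    if name in SYSTEM_BINARY_NAMES and not directory.startswith(SYSTEM_DIRS):
        return name + " outside the Windows system directories"
    return None


def masquerade_findings(inventory):
    """Run classify() over (path, md5) pairs and keep only the hits."""
    findings = []
    for path, md5 in inventory:
        reason = classify(path, md5)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in masquerade_findings(SAMPLE_INVENTORY):
        print(path, "->", reason)
```

The decoy ATT39755.xls is deliberately not flagged: it is a clean workbook, and the point of the second rule is the location of a binary that carries a system name, not the name alone. On a live host, feed `md5_of_file()` into the inventory instead of the constructed hashes.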



TCP traffic to 211.78.147.220

Hostname:    ll-211-78-147-220.ll.sparqnet.net
ISP:    New Centry InfoComm Tech. Co., Ltd.
Organization:    Lill Guan Industry co., LTD
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
City:    Taichung


Wednesday, March 24, 2010

Mar 24 CVE-2008-0081 XLS 2010_ beauty calendar from navy_kidds@yahoo.com.tw

Download 7d5b0b8274e189d406cc3374f994e441 - 2010_.xls as a password protected archive (please contact me if you need the password)

2010_ beauty calendar

From: bruce Mr. [mailto:navy_kidds@yahoo.com.tw]
Sent: Wednesday, March 24, 2010 4:44 AM
To: XXXXX
Subject: 2010_ beauty calendar
Importance: Low

Headers
Received: from [203.188.203.171] by t2.bullet.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:44:02 -0000
Received: from [127.0.0.1] by omp104.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:43:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 403351.51908.bm@omp104.mail.tp2.yahoo.com

Hostname:    omp104.mail.tp2.yahoo.com
ISP:    TAIPEI, TAIWAN
Organization:    TAIPEI, TAIWAN
Country:    Taiwan
State/Region:    T'ai-pei
City:    Taipei
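The header work done by hand in the two posts above (decoding the Big5 encoded-word Subject of the ATT39755.xls mail, and walking the Received chain down to the connecting client address that the whois lookups are run against) can be scripted with Python's standard library. The block below is an added example, not the blog's own code; the two header blocks are copied from this page with the recipient left redacted, and the only assumptions are Python 3 and that the earliest public address in a `from` clause is the one worth looking up.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.header import decode_header
from email.utils import parsedate_to_datetime

# Header block of the first message on this page (the ATT39755.xls mail),
# copied as shown there; the recipient is redacted on the page and stays so.
HEADERS_XLS = """\
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXX with SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
"""

# Header block of the second message (the 2010_.xls mail sent through Yahoo).
HEADERS_YAHOO = """\
Received: from [203.188.203.171] by t2.bullet.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:44:02 -0000
Received: from [127.0.0.1] by omp104.mail.tp2.yahoo.com with NNFMP; 24 Mar 2010 08:43:51 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 403351.51908.bm@omp104.mail.tp2.yahoo.com
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def decode_subject(raw_headers):
    """Decode an RFC 2047 encoded-word Subject (here Big5/base64) to text."""
    msg = email.message_from_string(raw_headers)
    parts = []
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def _received_hops(raw_headers):
    """Received headers, unfolded, in transit order (earliest hop first)."""
    msg = email.message_from_string(raw_headers)
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def originating_ip(raw_headers):
    """Earliest public IPv4 address in a 'from' clause of the Received chain.

    Only the text between 'from' and 'by' is inspected (the connecting client,
    not the relay that wrote the line). Loopback/private hops such as Yahoo's
    internal 127.0.0.1 are skipped, and lines without a 'from' clause (qmail's
    'invoked from network') are ignored. Returns None if nothing qualifies.
    """
    for hop in _received_hops(raw_headers):
        m = re.match(r"from\s+(.*?)\s+by\s", hop, re.IGNORECASE)
        if not m:
            continue
        for candidate in IPV4.findall(m.group(1)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if addr.is_global:
                return str(addr)
    return None


def transit_seconds(raw_headers):
    """Seconds between the sender's Date header and the last Received stamp.

    A very large or negative gap points at a forged Date header or a badly
    skewed sending host. Returns None when either value is missing.
    """
    msg = email.message_from_string(raw_headers)
    hops = msg.get_all("Received", [])
    if not msg.get("Date") or not hops:
        return None
    sent = parsedate_to_datetime(msg["Date"])
    stamp = " ".join(hops[0].split()).rsplit(";", 1)[-1].strip()
    arrived = parsedate_to_datetime(stamp)
    # "-0000" means "no zone information"; the email module returns it naive.
    if arrived.tzinfo is None:
        arrived = arrived.replace(tzinfo=timezone.utc)
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return int((arrived - sent).total_seconds())


if __name__ == "__main__":
    print(decode_subject(HEADERS_XLS))
    print(originating_ip(HEADERS_XLS), originating_ip(HEADERS_YAHOO))
    print(transit_seconds(HEADERS_XLS))
```

For the first message the decoded Subject is the same Chinese string quoted in the post, the originating address is 202.65.223.202 (the Hong Kong address looked up above), and the Date header precedes the final Received stamp by 975 seconds. For the Yahoo message the chain has no Date header in the excerpt, so `transit_seconds()` returns None, and the walk skips the 127.0.0.1 hop to return 203.188.203.171, the client that submitted the mail to Yahoo's relay.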



Virustotal
http://www.virustotal.com/analisis/829b04fe2362b07185694f08d25e91372d95afc9540df9247b58157a46da4c02-1269464469
 File 2010_.xls received on 2010.03.24 21:01:09 (UTC)
Result: 12/42 (28.58%)
a-squared    4.5.0.50    2010.03.24    Exploit.MSExcel.Agent!IK
Antiy-AVL    2.0.3.7    2010.03.24    Exploit/MSExcel.Agent
Authentium    5.2.0.5    2010.03.24    MSExcel/Dropper.B!Camelot
Comodo    4372    2010.03.24    UnclassifiedMalware
F-Prot    4.5.1.85    2010.03.24    File is damaged
Fortinet    4.0.14.0    2010.03.24    MSExcel/UDDesc.A!exploit.M20080081
Ikarus    T3.1.1.80.0    2010.03.24    Exploit.MSExcel.Agent
Kaspersky    7.0.0.125    2010.03.24    Exploit.MSExcel.Agent.u
McAfee    5930    2010.03.24    Exploit-MSExcel.h
McAfee+Artemis    5930    2010.03.24    Exploit-MSExcel.h
McAfee-GW-Edition    6.8.5    2010.03.24    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
File size: 109184 bytes
MD5...: 7d5b0b8274e189d406cc3374f994e441



Wednesday, December 30, 2009

Dec. 29 CVE-2008-3005 / MS08-043 Darkmoon RAT Excel Russia Foreign Minister Meeting from spoofed daisuke_hasegawa@mofa.go.jp Dec 2009 06:50:10 -0000


Download the infected Excel file 1229.xls plus extracted bin files as 1229+bin files.zip (password protected archive, you need to contact me for the password)

            


This message was received from a spoofed email address of an official at the Foreign Ministry of Japan. The message came from China; it is crafted to install a remote administration tool known as Darkmoon (similar to ProRAT). I will post more details as soon as I can.

On December 28, Minister Okada, in Moscow, held a Japan-Russia foreign ministers' meeting with Foreign Minister Lavrov and also met with Naryshkin, Head of the Presidential Administration; the outline of the results is as follows.

[Key points]

● At the foreign ministers' meeting, Minister Okada stated that the Hatoyama administration wishes to advance politics and the economy together like the two wheels of a cart; that while Japan-Russia relations are progressing on the basis of the Japan-Russia Action Plan, there has been no visible progress on the question of the attribution of the territories; that efforts must be made at the foreign-minister level as well so that concrete progress can be achieved on the territorial issue; and that he wished to ask the Russian side to respond to the attribution question in a way that takes Japan's position into account.

● Foreign Minister Lavrov, while explaining that diplomacy with Japan is a priority for Russian foreign policy, set out the Russian side's position of principle on the territorial issue, stating that Russia has no intention of artificially delaying a solution and that international law and the results of the Second World War must be taken into account.


[...] See the full text at the end of the post. The text is actually copied from the website of the Foreign Ministry of Japan (here is the page from the Google cache).
         ------------------------------------------------
    Daisuke HASEGAWA
    International Counter-Terrorism Cooperation Division Foreign Policy Bureau, Ministry of Foreign Affairs
    TEL: 03-5501-8000 ext.4180, FAX: 03-5501-8205 daisuke_hasegawa@mofa.go.jp