Feb. 1 DarkMoon-B Video.exe with 222.35.137.193 from masao_tomikawas@yahoo.com 2/1/2010 2:43 AM

This is just an exe (PE32 executable for MS Windows) in zip archive. From China and connecting back to China. Not very creative.

Download Video.exe as a password protected archive (please contact me if you need the password)

• Details: a4754be7b34ed55faff832edadac61f6 - Video.exe

From: masao_tomikawas@yahoo.com [mailto:masao_tomikawas@yahoo.com]
Sent: Monday, February 01, 2010 2:43 AM
To: 
Subject: Press(Quake aid starts to arrive for desperate Haitians)
 
PORT-AU-PRINCE, Haiti (AP) - Desperately needed aid from around the world slowly made its way Thursday into Haiti, where supply bottlenecks and a leadership vacuum left rescuers scrambling on their own to save the trapped and injured and get relief supplies into the capital.
..............

see the full text in the end of the post

Headers

Received: (qmail 17548 invoked from network); 1 Feb 2010 07:43:09 -0000
Received: from unknown (HELO fisherxp-pc.domain) (218.67.128.26)
  by XXXXXXXXXXXXXX SMTP; 1 Feb 2010 07:43:09 -0000
Received: from 1428151.com ([127.0.0.1]) by 1428151.com ([127.0.0.1]) with SMTPSVC;
     Mon, 01 Feb 2010 15:43:07 +0800
Message-ID: <6dd17374c7e8d17543324b690c0db2e7@yahoo.com>
From:
To: XXXXXXXXXXXXXXXXXXXXXXXX
Subject: =?gb2312?B?UHJlc3MoUXVha2UgYWlkIHN0YXJ0cyB0byBhcnJpdmUgZm9yIGRlcw==?=
    =?gb2312?B?cGVyYXRlIEhhaXRpYW5zKQ==?=
Date: Mon, 01 Feb 2010 15:43:07 +0800

      Hostname:    218.67.128.26
      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      City:    Tianjin

Jan 17 Trojan Darkmoon.B EXE Haiti relief from santi_nidas@yahoo.com 17 Jan 2010 13:15:02 -0800 PST

This message contains a zip attachment with  ârâfâI.exe (Darkmoon.B) and a 20100118.pdf  (containing pictures).

Download the A4754BE7B34ED55FAFF832EDADAC61F6 -Darkmoonb.zip (password protected< please contact me if you need it)


The message is in Japanese

From: santi_nidas@yahoo.com [mailto:santi_nidas@yahoo.com]
Sent: Sunday, January 17, 2010 4:15 PM
To: xxxxxxxxxxx
Subject: ハイチの救援活動が難航　７千人埋葬、時間との勝負

ハイチの救援活動が難航　７千人埋葬、時間との勝負
　【ポルトープランス共同】大地震発生から２日が経過したハイチでは１４日、現地入りした欧米の救援チームが倒壊家屋の下敷きになった被災者の捜索活動を始めるなど、国際的な救援活動が本格化した。しかし、人員や医薬品が不足し活動は難航している。

　ロイター通信によると、プレバル・ハイチ大統領は同日、地震による死者約７千人が既に墓地に埋葬されたと述べた。国連の潘基文事務総長は「発生後、７２時間が鍵だ」と述べ、時間との勝負になっていることを強調した。

　国連や米ＣＮＮテレビによると、米の救援チームが１４日朝、首都ポルトープランスで倒壊した平和維持活動（ＰＫＯ）部隊の本部ビルに下敷きになっていたエストニアの警備要員の男性（３８）を救助。現地には災害救助犬を連れたフランス隊のほか、スペイン、ドミニカ共和国などの救援チームが続々と到着、活動を始めた。事務総長は「今後、各国からさらに派遣される」と語った。

　被災地では医師、医療品不足が深刻化。国連や各国は救援物資の運搬、配布に全力を挙げる方針だ。ただ、ロイター通信によると、甚大な被害を受けたポルトープランスの空港は人員や物資を運ぶ航空機で満杯状態となり、米連邦航空局（ＦＡＡ）は米国から同空港への飛行を当面見合わせるよう指示した。



Subject: Haiti relief deadlock seven people buried in 1000, race against time
  Haiti's troubled rescue seven people buried in 1000, race against time
[Co] from a large earthquake in Port au Prince in Haiti two days after the 14th, and now he will begin his search for victims buried under collapsed houses in the West entered the local rescue team, the international relief activities in earnest. However, a lack of activity and medical personnel are faced with difficulties. 

Dec. 29 CVE-2008-3005 / MS08-043 Darkmoon RAT Excel Russia Foreign Minister Meeting from spoofed daisuke_hasegawa@mofa.go.jp Dec 2009 06:50:10 -0000

• CVE-2008-3005  Array index vulnerability in Microsoft Office Excel 2000 SP3 and 2002 SP3, and Office 2004 and 2008 for Mac allows remote attackers to execute arbitrary code via an Excel file with a crafted array index for a FORMAT record, aka the "Excel Index Array Vulnerability."
  
• MS08-043 – Critical  This security update resolves four privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution. An attacker ... could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
• Critical for Excel 2000 SP3
  Important for Excel 2002 SP3, Excel 2003 SP2, Excel 2003 SP3, Excel Viewer 2003, Excel Viewer 2003 SP3, Excel 2007, Excel 2007 SP1, Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats S1, Excel Viewer, and Microsoft Office SharePoint Server 2007.

Download the infected Excel file 1229.xls plus extracted bin files as 1229+bin files.zip (password protected archive, you need to contact me for the password)

Details: 1229.xls - 0e4e3c2d84a9bc726a50b3c91346fbb1   

            

This message was received from a spoofed email address of an official at the Foreign Ministry of Japan. The message came from China, it is crafted to install a remote administration tool known as Darkmoon (similar to  ProRAT). I will post more details as soon as I can.

  12月28日、岡田大臣は、モスクワにおいて、ラヴロフ外務大臣と日露外相会談を行うと共に、ナルィシュキン大統領府長官と会談したところ、結果概要は以下のとおり。

      【ポイント】

    ●外相会談において、岡田大臣から、鳩山政権として政治と経済を車の両輪のように前進させたい、日露行動計画に基づき日露関係が進む一方、領土の帰属の問題について目に見える進展がない、領土問題について具体的な前進が図れるよう外相レベルでも努力しなくてはならない、ロシア側に帰属の問題について日本の立場を踏まえる形での対応を求めたい旨発言。

    ●ラヴロフ外相は、ロシア外交にとって日本との外交は優先事項であると説明しつつ、領土問題に関し、人為的に解決を遅らせるつもりはない、国際法及び第２次大戦の結果を踏まえる必要があると述べつつ、ロシア側の原則的立場を説明。

....................... see the full text in the end of the post. The text is actually copied from the website of the Foreign Ministry of Japan (here is the page from the Google cache)

         ------------------------------------------------
    Daisuke HASEGAWA
    International Counter-Terrorism Cooperation Division Foreign Policy Bureau, Ministry of Foreign Affairs
    TEL: 03-5501-8000 ext.4180, FAX: 03-5501-8205 daisuke_hasegawa@mofa.go.jp