Showing posts with label vir-JS:Pdfka-VO

Thursday, January 21, 2010

Jan 21 CVE-2009-4324 Cyber Warfare and Cyber Terrorism from riroth5@gmail.com 2010-01-21 9:44 AM


Download CB92CEFF7D73C3EC002CD42165685AA1 - Cyber Warfare and Cyber Terrorism.pdf as a password-protected archive (please contact me for the password)






From: XXXXXXX
[mailto:riroth5@gmail.com]
Sent: 2010-01-21 9:44 AM
To: isabelhilton@mac.com
Subject: Cyber Warfare and Cyber Terrorism

Dear Initiative Working Group member,

We hope that you find this report thought-provoking, and look forward to receiving your comments at any time. We also
apologize if you have already received this report.

Hope it will be helpful for your work, and your suggestions will also be appreciated.

Best regards,

XXXXX XXXXX


Director, Initiative for U.S.-China Cooperation on Energy and Climate
Asia Society, Center for U.S.-China Relations
1575 Eye St., NW, Suite 325
Washington, D.C., 20005
Phone: (202) 414-2802 (o); (571) 276-1020 (m)
Web: www.asiasociety.org 


Virustotal
http://www.virustotal.com/analisis/e72b949e21ba9743b139b0df211b3bd869d07f82bd35f4294e19e95f55d062e0-1264096140
File Cyber_Warfare_and_Cyber_Terrorism received on 2010.01.21 17:49:00 (UTC)
Result: 8/41 (19.51%)
AntiVir 7.9.1.146 2010.01.21 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.21 JS:Pdfka-VO
AVG 9.0.0.730 2010.01.21 Script/Exploit
GData 19 2010.01.21 JS:Pdfka-VO 
Kaspersky 7.0.0.125 2010.01.21 Exploit.JS.Pdfka.bex
McAfee 5867 2010.01.20 Exploit-PDF.b.gen
McAfee+Artemis 5867 2010.01.20 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.21 Script.Malicious.PDF.Gen
File size: 435947 bytes
MD5   : cb92ceff7d73c3ec002cd42165685aa1




Wednesday, January 20, 2010

Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed XXXXXXXXXX@gwu.edu 20 Jan 2010 14:26:00 -0000

This is my favorite of all time; they have some nerve. I know George Washington University has not moved to China yet. Plus, we already received his file yesterday.

Update Jan 21. F-Secure analysts reported that this PDF attachment (or an identical file they got) drops Acrobat.exe (MD5: 72170fc42ae1ca8a838843a55e293435), which is detected as W32/PoisonIvy.NQ, aka the Poison Ivy RAT.



Download 238ecf8c0aee8bfd216cf3cad5d82448 - Chinese_cyberattack.pdf as a password-protected archive (please contact me if you need the password)



From: XXXXXXX [mailto: XXXX@gwu.edu]
Sent: 2010-01-20 9:26 AM
To: "Undisclosed-Recipient:;"
Subject: Chinese cyberattack

Colleagues,

Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.

If you have any good ideas or comments, they are warmly welcome as feedback.

Best,

David




Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from sideq01.attnet.ne.jp (HELO sideq01.attnet.ne.jp) (165.76.72.11)
  by XXXXXXXXXXXXXXXXX
Received: by sideq01.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from virus05.attnet.ne.jp (virus05 [10.10.13.25])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id 127D333642
    for XXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from purify05.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus05.attnet.ne.jp (Postfix) with ESMTP id A7F8635C46
    for XXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify05.attnet.ne.jp (Postfix) with SMTP id 09AF434002
    for XXXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 20 Jan 2010 23:25:46 +0900
Message-ID:
From: "Shambaugh, David"
To: <"Undisclosed-Recipient:;">
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100

Hostname: 222.95.43.226
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Cable/DSL
Country: China  
City: Nanjing
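The Received chain above is what gives the spoof away: the From header claims gwu.edu, but the earliest relay, www.jhc.co.jp, recorded the submitting client as a machine calling itself 3me8de026f8d12 at 222.95.43.226, the Nanjing cable/DSL address looked up above, and no hop anywhere in the path belongs to gwu.edu. The Python below is an added example, not code from the post; it parses that header block (with the redacted recipient and relay names replaced by .invalid placeholders, and the redacted From local part replaced by "xxxx") and walks it from the first hop upward to recover the injecting client, the relay that accepted the mail, and the mismatch between the claimed sender domain and the path. The usual caveat applies: only headers written by MTAs you trust are reliable. Here the recipient's own MX recorded the hand-off from 165.76.72.11 (attnet.ne.jp); everything below that was written by other people's servers and could in principle be forged, although in this case the chain is internally consistent down to the Chinese source address.

```python
"""Walk a Received: chain back to the injecting client.
Constructed example, not code from the post: the header block is the chain
quoted above with the redacted recipient/relay names (XXXX) replaced by
.invalid placeholders and the redacted From: local part replaced by "xxxx".
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import List, Optional

RAW_HEADERS = """\
Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from sideq01.attnet.ne.jp (HELO sideq01.attnet.ne.jp) (165.76.72.11)
  by mx.example.invalid
Received: by sideq01.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from virus05.attnet.ne.jp (virus05 [10.10.13.25])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id 127D333642
    for <victim@example.invalid>; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from purify05.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus05.attnet.ne.jp (Postfix) with ESMTP id A7F8635C46
    for <victim@example.invalid>; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify05.attnet.ne.jp (Postfix) with SMTP id 09AF434002
    for <victim@example.invalid>; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 20 Jan 2010 23:25:46 +0900
From: "Shambaugh, David" <xxxx@gwu.edu>
Date: Wed, 20 Jan 2010 15:25:45 +0100
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)


@dataclass
class Hop:
    from_host: Optional[str]  # name in the from-clause (sender-controlled)
    helo: Optional[str]       # HELO name, if the receiving MTA logged it
    from_ip: Optional[str]    # connecting address as the receiver saw it
    by_host: Optional[str]    # MTA that wrote this header
    stamp: Optional[str]      # timestamp it wrote, after the last ';'


def parse_received(values: List[str]) -> List[Hop]:
    """Headers are prepended, so index 0 is the last relay and index -1 the first."""
    hops = []
    for value in values:
        v = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
        fm = re.match(r"from\s+(.*?)(?=\s+by\s+|;|$)", v, re.I)
        fc = fm.group(1) if fm else None                # the whole from-clause
        bm = re.search(r"\bby\s+(\S+)", v, re.I)
        im = IP_RE.search(fc) if fc else None
        hm = HELO_RE.search(fc) if fc else None
        hops.append(Hop(fc.split()[0] if fc else None,
                        hm.group(1) if hm else None,
                        im.group(1) if im else None,
                        bm.group(1) if bm else None,
                        v.rsplit(";", 1)[1].strip() if ";" in v else None))
    return hops


def origin(hops: List[Hop]) -> Optional[Hop]:
    """Earliest hop with a public connecting address: the client that injected the mail.
    Private addresses (the 10.10.13.25 hop) are internal relays, not the source."""
    for hop in reversed(hops):
        if hop.from_ip and ipaddress.ip_address(hop.from_ip).is_global:
            return hop
    return None


def sender_domain_seen(hops: List[Hop], domain: str) -> bool:
    """True if any relay in the chain belongs to the domain the From: header claims."""
    d = domain.lower()
    return any(n and (n.lower() == d or n.lower().endswith("." + d))
               for h in hops for n in (h.from_host, h.helo, h.by_host))


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    hops = parse_received(msg.get_all("Received") or [])
    sender = msg["From"] or ""
    domain = sender.rsplit("@", 1)[1].rstrip("> ").lower() if "@" in sender else None
    src = origin(hops)
    return {
        "hops": len(hops),
        "origin_ip": src.from_ip if src else None,
        "origin_helo": src.helo if src else None,
        "injected_at": src.by_host if src else None,
        "claimed_domain": domain,
        "domain_in_path": sender_domain_seen(hops, domain) if domain else None,
        # UTC offset the sending client put in Date:, in hours
        "date_utc_offset_h": parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600,
    }
```

On this input `analyze(RAW_HEADERS)` reports eight hops, origin 222.95.43.226 with HELO 3me8de026f8d12, injection at www.jhc.co.jp, claimed domain gwu.edu never seen in the path, and a Date header written in UTC+1 while every relay stamp is UTC+9 and the source address sits in UTC+8: three independent signals that the sender is not who the From line says.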


Virustotal

File has already been analyzed:
http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1263958772

Rescan: http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1264008736
File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Result: 12/41 (29.27%)
a-squared 4.5.0.50 2010.01.20 Exploit.PDF-JS!IK
AntiVir 7.9.1.146 2010.01.20 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.20 JS:Pdfka-VO
AVG 9.0.0.730 2010.01.19 Script/Exploit
BitDefender 7.2 2010.01.20 Trojan.Script.256073
F-Secure 9.0.15370.0 2010.01.20 Exploit:W32/Pidief.CKZ
GData 19 2010.01.20 Trojan.Script.256073
Ikarus T3.1.1.80.0 2010.01.20 Exploit.PDF-JS
Kaspersky 7.0.0.125 2010.01.20 Exploit.JS.Pdfka.bex
McAfee 5866 2010.01.19 Exploit-PDF.b.gen
McAfee+Artemis 5866 2010.01.19 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.20 Script.Malicious.PDF.Gen
Additional information
File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448


Wepawet shows the same file (same MD5 hash) under a different name, from a sample we scanned earlier; we already have a post for that one:
http://wepawet.iseclab.org/view.php?hash=238ecf8c0aee8bfd216cf3cad5d82448&type=js
Sample Overview
File Obama's First Year in Foreign Policy.pdf
MD5 238ecf8c0aee8bfd216cf3cad5d82448
Analysis Started 2010-01-19 20:07:01
Report Generated 2010-01-19 20:12:10
Jsand 1.03.02 benign

Note that the JSand verdict is "benign" even though 12 of 41 engines flag the same file above, so a clean sandbox result on its own does not clear a sample.