Showing posts with label vir-Trojan.Pidief.I. Show all posts

Thursday, April 15, 2010

Apr 15 CVE-2010-0188 PDF Obama-Taiwan relations from chuc.ling@yahoo.com

Download   5B7541F3648CC440405179CB5C194644 ATT95097.pdf as a password protected archive (please contact me for the password if you need it)


Details 5B7541F3648CC440405179CB5C194644 ATT95097.pdf 


From: chuc.ling@yahoo.com [mailto:chuc.ling@yahoo.com]
Sent: Thursday, April 15, 2010 3:18 AM
To: XXXXXXXXXXXXXXXXX
Subject: Fw: Call for Papers Announcement: The Obama Administration and US-China-Taiwan Relations

Institute of European and American Studies, Academia Sinica

Contact: Liu Mei-ling
Tel: (02)-37807262
Email: chucling@gate.sinica.edu.tw
      chuc.ling@yahoo.com
Website: http://www.ea.sinica.edu.tw


Terrible machine translation:
From: chuc.ling @ yahoo.com [mailto: chuc.ling @ yahoo.com]
Sent: Thursday, April 15, 2010 3:18 AM
To: XXXXXXXXXXXXXXXXX
Subject: Fw: Obama-Taiwan relations between the Government and the United States Call Notice

European and American Studies Academia Sinica

Contact: Liu Meiling
Tel: (02) -37807262
Email: chucling@gate.sinica.edu.tw
      chuc.ling @ yahoo.com
Page: http://www.ea.sinica.edu.tw


 Headers
Received: from nklvcfmk (61-221-172-73.HINET-IP.hinet.net [61.221.172.73])
    by msr14.hinet.net (8.9.3/8.9.3) with ESMTP id PAA26936
    for ; Thu, 15 Apr 2010 15:18:21 +0800 (CST)
Message-ID: <000568072135$21217268$48083130@nklvcfmk>
From: "chuc.ling@yahoo.com"
To: XXXXX
Subject: =?gb2312?B?Rnc6mlewzfFS1f64rsVjw8DW0Myo6lCCU+HnuOW5q7jm?=
Date: Thu, 15 Apr 2010 15:18:21 +0800

       Hostname:    61-221-172-73.hinet-ip.hinet.net
      ISP:    CHTD, Chunghwa Telecom Co., Ltd.
      Organization:    CHTD, Chunghwa Telecom Co., Ltd.
      Country:    Taiwan
      City:    Taipei


Thursday, March 25, 2010

Mar 25 CVE-2010-0188 PDF Re: conference memo from jesseandy2@gmail.com


Download  c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF 

This is a fabricated conversation: the "Re:" reply and the quoted earlier message are both written by the sender to make the attachment look like part of an ongoing exchange. A semi-interesting social engineering trick.
 
From: Lee [mailto:jesseandy2@gmail.com]
Sent: Thursday, March 25, 2010 11:11 PM
To: XXXXXXXXXXXXXX
Subject: Re: conference memo

Who are you?What do you mean?.This conference memo  is nothing with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:
 
Hey,this is the last conference memo, After reading it ,pls send it to Mr Francis,and delete this mail ASAP.

Lee


Virustotal report
http://www.virustotal.com/analisis/49cefe07c61ddce14b2eea7c64a5bc2a97e29e0bbdd0cd52832a1dff0369a523-1269796247
 File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
Result: 4/42 (9.53%)
F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
PCTools    7.0.3.5    2010.03.28    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
File size: 76137 bytes
MD5...: c9c89ebc508c783defe7042eb9c0e5cc

parsed with pdf-parser.py  





Wednesday, March 24, 2010

Mar 24 CVE-2010-0188 PDF rumours in N Korea2010march from coljoint@aol.com


Download 3fe225e4f42dad6a4c4863291f532dd2 rumours_in_N_Korea2010march.pdf as a password protected archive (please contact me if you need the password) 

Details 3fe225e4f42dad6a4c4863291f532dd2 rumours_in_N_Korea2010march.pdf 

From: coljoint@aol.com [mailto:coljoint@aol.com]
Sent: Wednesday, March 24, 2010 9:30 AM
To: coljoint@aol.com
Subject: rumours in N Korea2010march
Importance: Low

Hi:
Some rumours suggested that the recent currency reform was associated with Kim Jong-eun.  The attachments are dealt greatly with succession issues and situation in N Korea.
   Best regards
File rumours_in_N_Korea2010march.pdf received on 2010.03.30 11:43:02 (UTC)
http://www.virustotal.com/analisis/038c36b2f2f4404828a4c5881037d7be5e3373a4ab1ac2e8b2c49a021d22fcf0-1269949382
Result: 4/42 (9.53%)
ClamAV    0.96.0.0-git    2010.03.30    Exploit.PDF-17840
PCTools    7.0.3.5    2010.03.30    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.30    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.30    Trojan.Pidief.I
Additional information
File size: 191651 bytes
MD5...: 3fe225e4f42dad6a4c4863291f532dd2

parsed with pdf-parser.py  



Mar 24 CVE-2010-0188 PDF My application from donald932@gmail.com



From: Huang [mailto:donald932@gmail.com]
Sent: Wednesday, March 24, 2010 4:26 AM
To: XXXXXXXXXXXX
Subject: : My application

This is my application, please check it appropriate or not, and
looking forward for your reply.
Huang

Virustotal
http://www.virustotal.com/analisis/dc29830cd35d8cf60df907c101daf05ad14111fa63c8071fd8f7465be2825968-1270006579
 File application.PDF received on 2010.03.31 03:36:19 (UTC)
Result: 5/42 (11.91%)
ClamAV    0.96.0.0-git    2010.03.30    Exploit.PDF-17705
F-Secure    9.0.15370.0    2010.03.31    Exploit:W32/Pidief.CND
PCTools    7.0.3.5    2010.03.31    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.31    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.31    Trojan.Pidief.I
Additional information
File size: 57116 bytes
MD5...: 76f7e8dc68b364abfd893f0e9340fae8





%user%\Local Settings\Temp\application.PDF
%user%\Local Settings\Temp\temp.tmp
%user%\Local Settings\Temp\xxx.exe
%user%\Temp\~.exe
%user%\help.dll



http://www.virustotal.com/analisis/60505da8832dd0f0d737e9793c8240185e00a1b44ac5ef4383e0d86bf5d97d71-1270010048
File help.dll received on 2010.03.31 04:34:08 (UTC)
Result: 4/36 (11.11%)
DrWeb 5.0.2.03300 2010.03.31 Trojan.LydraSpy.origin
Panda 10.0.2.2 2010.03.30 Suspicious file
Sophos 4.52.0 2010.03.31 Sus/Behav-113
Symantec 20091.2.0.41 2010.03.31 Suspicious.Insight
File size: 101376 bytes
MD5   : e868c642ed4040f0e6752fe427084d3d




All other dropped files and network connections match those described in the post Mar 25 CVE-2010-0188 PDF Re: conference memo from jesseandy2@gmail.com




Sunday, March 14, 2010

Mar 14 CVE-2010-0188 PDF 2010 Trade Policy Agenda from irc@state.gov


From: US Embassy Bangkok's IRC [mailto:irc@state.gov]
Sent: 2010-03-14 8:29 AM
To: XXXXXXXXXXXXXX
Subject: 2010 Trade Policy Agenda

2010 Trade Policy Agenda
Washington — President Obama, in his 2010 Trade Policy Agenda sent to Congress March 1, pledged the United States will build on existing trade agreements to strengthen the global trading system and uphold American values and commitments around the world.
The agenda items highlighted by USTR include the following:
*Support and strengthen a rules-based trading system. The United States strongly supports an ambitious and balanced Doha agreement that liberalizes three core market-access areas: agriculture, goods and services.
*Enforce rights in the rules-based trading system. USTR will strengthen further monitoring and enforcement, bringing cases at the World Trade Organization (WTO) as necessary, will increase focus on nontariff barriers that hinder exports, and will fully enforce labor and environmental rights in trade agreements.
*Enhance U.S. growth, job creation and innovation. The United States will emphasize bilateral relations with emerging markets as well as with long-standing key partners, and will pursue regional engagement, particularly negotiation of a Trans-Pacific Partnership Agreement to access key markets in the Asia-Pacific for decades to come.
*Work to resolve outstanding issues with pending free trade agreements (FTAs) and build on existing agreements. Proper resolution and implementation of the pending FTAs with Panama, Colombia and South Korea can bring significant economic benefits. In 2010, USTR will continue to consult with Congress and the public and to engage with these nations to address outstanding issues. It will also strengthen relationships with current partners such as Canada, Mexico, Japan and the European Union.
*Facilitate progress on national energy and environmental goals. Good trade policy can accelerate the success of sound energy and environmental initiatives and can complement sustainable growth. USTR will support fast-tracking action with willing partners in the WTO’s work on liberalizing trade in innovative, climate-friendly goods and services through tariff reductions and other initiatives.
*Foster stronger partnerships with developing and poor nations. The Obama administration supports expanding trade opportunities to stimulate market-led growth and help improve the lives of people in the least-developed nations. Opportunities created by open markets and preferences such as the Generalized System of Preferences require complementary measures such as technical assistance and market-based and rule-of-law reforms to maximize their benefits, USTR said.


Thursday, March 11, 2010

Mar 9. CVE-2010-0188 PDF+ exploit demo. Invitation.pdf- Formal invitation letter from sabrena66@yahoo.com.tw 2010-03-09

Download 50b9bee0213917e52d32d82907234aeb  invitation.pdf as a password protected archive (please contact me if you need the password) 

Details 50b9bee0213917e52d32d82907234aeb  invitation.pdf



Please see a detailed analysis of this pdf by Villy on Bugix-security.blogspot.com:
CVE-2010-0188 - Adobe Pdf LibTiff Exploit (Remote Code Execution)




From: SABRENA [mailto:sabrena66@yahoo.com.tw]
Sent: 2010-03-09 5:28 PM
To: XXX@sais-jhu.edu
Subject: formal invitation letter

attached is the copy of the formal invitation letter and response card.
Meanwhile We have send you the formal invitation letter by post
according to your correspondence address. Please check your mailbox in the
next few days.

Sincerely yours
Wang Xiaoxue


========================

CVE-2010-0188 Exploit

Here are a few details from Villy who reversed the file (thanks, Villy)
"The sample contains an embedded TIFF file (with vulnerability CVE-2006-3459).
Possibly they used this code to generate the TIFF file. The shellcode is in the TIFF file.
http://downloads.securityfocus.com/vulnerabilities/exploits/19283.c


The following proof of concept video was created to show the exploit in action.
It was tested on Adobe Reader 9.0-9.3, on Windows XP, Vista, and Windows 7.
Windows XP with Adobe Reader 9.3.0 and below is vulnerable
Windows XP with Adobe Reader 9.3.1 is not vulnerable
Vista and Windows 7 are not affected by this exploit even with 9.3.0 - Adobe Reader just crashes and nothing else happens.

This exploit works with JavaScript disabled, because the vulnerable code is the TIFF parser, not the JavaScript engine. For more details see his post at http://bugix-security.blogspot.com: CVE-2010-0188 - Adobe Pdf LibTiff Exploit (Remote Code Execution)
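Since the payload rides inside an embedded TIFF rather than in JavaScript, a triage check has to look at the TIFF itself. The Python below is an added example, not code from this post or from Villy's analysis: it pulls TIFF blobs out of PDF streams (Flate-compressed, raw, or, as an assumption, base64-encoded inside an XFA <image> element) and flags the four tags that libtiff 3.8.x reads with TIFFFetchShortPair whenever their count is not two (the CVE-2006-3459 fix rejects counts above two). The TIFF and PDF builders produce constructed test data only.

```python
"""Added triage example (not from the post or Villy's analysis): find TIFF blobs
in PDF streams and flag IFD entries of the tags libtiff reads with
TIFFFetchShortPair, which must hold exactly two values (CVE-2006-3459 fix)."""
import base64, re, struct, zlib

# Tags fetched by TIFFFetchShortPair in libtiff 3.8.x (numbers per TIFF spec).
PAIR_TAGS = {0x0129: "PageNumber", 0x0141: "HalfToneHints",
             0x0150: "DotRange", 0x0212: "YCbCrSubsampling"}
TIFF_MAGIC = re.compile(rb"II\*\x00|MM\x00\*")
# Assumption: the TIFF may also sit base64-encoded in an XFA <image> element.
XFA_IMAGE = re.compile(rb"<image[^>]*>([A-Za-z0-9+/=\s]{16,})</image>")

def check_tiff(data: bytes) -> list:
    """Walk the first IFD and describe pair tags whose count is not 2."""
    e = {b"II*\x00": "<", b"MM\x00*": ">"}.get(data[:4])
    if e is None or len(data) < 8:
        raise ValueError("not a TIFF header")
    (ifd_off,) = struct.unpack_from(e + "I", data, 4)
    if ifd_off + 2 > len(data):
        return ["IFD offset points outside the file"]
    (n,) = struct.unpack_from(e + "H", data, ifd_off)
    findings = []
    first, last = ifd_off + 2, ifd_off + 2 + 12 * n  # 12-byte IFD entries
    for pos in range(first, min(last, len(data) - 11), 12):  # stops if truncated
        tag, _typ, count = struct.unpack_from(e + "HHI", data, pos)
        if tag in PAIR_TAGS and count != 2:
            findings.append("%s (0x%04x) count=%d, expected 2"
                            % (PAIR_TAGS[tag], tag, count))
    return findings

def extract_tiffs(pdf: bytes) -> list:
    """Every byte run starting at a TIFF magic inside any stream of the PDF."""
    blobs = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        raw = m.group(1)
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # not Flate-compressed; inspect the bytes as they are
        bufs = [raw]
        for b64 in XFA_IMAGE.findall(raw):
            try:
                bufs.append(base64.b64decode(b64))
            except ValueError:
                pass  # malformed base64: nothing to inspect
        for buf in bufs:
            blobs.extend(buf[t.start():] for t in TIFF_MAGIC.finditer(buf))
    return blobs

def triage_pdf(pdf: bytes) -> list:
    """All findings over every TIFF found in the PDF."""
    return [f for t in extract_tiffs(pdf) for f in check_tiff(t)]

def build_tiff(dotrange_count: int) -> bytes:
    """Constructed test TIFF: an ImageWidth entry plus a DotRange entry."""
    ifd = struct.pack("<HHHII", 2, 0x0100, 3, 1, 8)             # 2 entries; ImageWidth
    ifd += struct.pack("<HHII", 0x0150, 3, dotrange_count, 40)  # DotRange
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + bytes(96)

def build_pdf(tiff: bytes, via_xfa: bool = False) -> bytes:
    """Constructed one-object PDF: TIFF Flate-compressed, or base64 in an XFA image."""
    body = (b'<xfa><image contentType="image/tiff">' + base64.b64encode(tiff)
            + b"</image></xfa>" if via_xfa else zlib.compress(tiff))
    return (b"%%PDF-1.6\n1 0 obj\n<< /Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n%EOF\n")
```

On a real sample, run triage_pdf over the file bytes; an empty result only means no oversized pair tag was found in a first IFD, not that the file is clean.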


====================





 Headers
Received: from [60.216.233.216] by web72903.mail.tp2.yahoo.com via HTTP; Wed, 10 Mar 2010 06:27:34 CST
X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964
Date: Wed, 10 Mar 2010 06:27:34 +0800
From: SABRENA
Reply-To: SABRENA
Subject: formal invitation letter
      Hostname:    60.216.233.216 
http://www.robtex.com/ip/60.216.233.216.html#whois
      ISP:    China Unicom Shandong province network
      Organization:    China Unicom Shandong province network
      Country:    China
      State/Region:    Shandong
      City:    Jinan



Virustotal result #1 - March 9, 2010
http://www.virustotal.com/analisis/feb8ee83587c61f4f53d2b0bcd39ca7c79666d1903c3dcdc53cbff94f0c90198-1268177735
File invitation.pdf received on 2010.03.09 23:35:35 (UTC)
Result: 0/42 (0.00%)

Virustotal result #2 -March 11, 2010
File invitation.pdf received on 2010.03.11 12:47:20 (UTC)
Current status: finished
Result: 1/42 (2.38%)
Symantec     20091.2.0.41     2010.03.11     Trojan.Pidief.I
File size: 225787 bytes
MD5   : 50b9bee0213917e52d32d82907234aeb
=======================================================

This PDF appears to deliver the Poison Ivy remote administration tool (RAT), a backdoor.

The following files get created on the exploited system

%System%\pe.dll
%System%\sens32.dll
%System%2\srvlic.dll
C:\data.bIN
C:\data.exe

%System%\pe.dll is injected into the svchost process




Virustotal scans

 %System%\pe.dll  --5573689815aebfe7cbd2e3829054a5f0
 %System%\sens32.dll --5573689815aebfe7cbd2e3829054a5f0
http://www.virustotal.com/analisis/25b0a8bb9c445e8ff2f93b37ad2792894ea1ef6b9dc5c89efd08a94cf9806bbb-1268343284
Result: 12/42 (28.58%)
AntiVir    8.2.1.180    2010.03.11    TR/Dldr.Agent.9216.5
BitDefender    7.2    2010.03.11    Trojan.Downloader.Agent.ZCR
eSafe    7.0.17.0    2010.03.11    Win32.Downloader.Age
F-Secure    9.0.15370.0    2010.03.11    Trojan.Downloader.Agent.ZCR
GData    19    2010.03.11    Trojan.Downloader.Agent.ZCR
McAfee    5917    2010.03.11    Generic BackDoor!cdn
McAfee+Artemis    5917    2010.03.11    Generic BackDoor!cdn
McAfee-GW-Edition    6.8.5    2010.03.11    Trojan.Dldr.Agent.9216.5
Microsoft    1.5502    2010.03.11    Backdoor:Win32/Poison.M
Panda    10.0.2.2    2010.03.11    Suspicious file
Rising    22.38.03.04    2010.03.11    Trojan.Win32.Generic.51FAA70A
Symantec    20091.2.0.41    2010.03.11    Suspicious.Insight
Additional information
File size: 9216 bytes
MD5...: 5573689815aebfe7cbd2e3829054a5f0

%System%2\srvlic.dll
http://www.virustotal.com/analisis/54962ca9c6c1815342d3bc47608ce5df997903aa53805f636361178f6b0a6c73-1268343232

Result: 1/42 (2.39%)
Symantec    20091.2.0.41    2010.03.11    Suspicious.Insight
File size: 3072 bytes
MD5...: 346754de64df87eb7709b168d04f8daf

C:\data.bIN
http://www.virustotal.com/analisis/d6c3a05e39ff7d48e77adec5a1fad0fca1b256a171b4d863bd34884345a087d3-1268343177
Result: 0/42 (0%)
File size: 91756 bytes
MD5...: 3c924ce0fc74b39d04822f4d26640311


C:\data.exe 
http://www.virustotal.com/analisis/1b0d5103e2f621870f407bec6310069044f890a1f2a215468b09eb8182647016-1268342979

File data.EXE received on 2010.03.11 21:29:39 (UTC)
Result: 5/41 (12.2%)
McAfee+Artemis    5917    2010.03.11    Artemis!8557321BF6EC
McAfee-GW-Edition    6.8.5    2010.03.11    Heuristic.BehavesLike.Win32.CodeInjection.L
Rising    22.38.03.04    2010.03.11    Trojan.Win32.Generic.51FAA6DF
Sunbelt    5827    2010.03.11    Trojan.Win32.Generic!SB.0
Symantec    20091.2.0.41    2010.03.11    Suspicious.Insight
File size: 32768 bytes
MD5...: 8557321bf6ec39b0cb4ac9a9441d0487

TCP traffic - 202.59.152.123:443
















Information from Robtex.com 202.59.152.123




      Hostname:    idc-123-152-59-202.hkt.cc
      ISP:    First Network Communications Limited, ISP at HK
      Organization:    First Network Communications Limited, ISP at HK
      Country:    Hong Kong
      City:    Central District


Some screenshots
 Displayed PDF - note data.bIN as the name

Whois
http://www.robtex.com/ip/202.59.152.123.html#whois

inetnum: 202.59.152.0 - 202.59.159.255
netname: NET-FTG
descr: Forewin Telecom Group Limited
descr: ISP at HK
country: HK
admin-c: LC873-AP
tech-c: LC846-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-FTG
mnt-routes: MAINT-HK-FTG
changed: hm-changed@apnic.net 20060712
changed: hm-changed@apnic.net 20060901
changed: hm-changed@apnic.net 20070222
changed: hm-changed@apnic.net 20091020
source: APNIC
route: 202.59.152.0/21
descr: Forewin Telecom Group Limited, ISP at HK
origin: AS38186
mnt-by: MAINT-HK-FTG
changed: hostmaster@hkt.cc 20090306
source: APNIC



Wednesday, March 10, 2010

Mar 10 CVE-2010-0188 PDF March Luncheon Invitation_FINAL from ikhtnamzels@yahoo.com

Expect the code in this file to differ from the code in invitation.pdf described in the Mar 9 post (CVE-2010-0188 PDF+ exploit demo. Formal invitation letter).


From: Isidore Klinkenborg [mailto:ikhtnamzels@yahoo.com]
Sent: Wednesday, March 10, 2010 5:34 AM
To: MKoehler-Vice President Office Marc
Subject: 2010 March Luncheon Invitation_FINAL

attached is the copy of the formal invitation letter and response card.
Meanwhile We have send you the formal invitation letter by post
according to your correspondence address. Please check your mailbox in the
next few days.

Sincerely yours
Isidore





Virustotal scans - note how detections grow from 0 to 8 over the course of 7 days

March 10 
Result: 0/42 (0.00%)
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268219156

March 11
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268311817
File 2010_March_Luncheon_Invitation_FI  received on 2010.03.11 12:50:17 (UTC)
Result: 1/42 (2.38%)
Symantec     20091.2.0.41     2010.03.11     Trojan.Pidief.I
File size: 162579 bytes
MD5   : 3639f34ad463932ab8ebad3e57421a97
SHA1  : 1a8a44c122449cf586419cfc5d6f36093e175037

Update: March 17
http://www.virustotal.com/analisis/3f327ecde65a536e9f197929ecb397dda92087cef2f563573104488ea5b7a923-1268854486
 File 2010_March_Luncheon_Invitation_FI  received on 2010.03.17 08:04:19 (UTC)
Result: 8/42 (19.05%)
AhnLab-V3     5.0.0.2     2010.03.16     PDF/Exploit
AntiVir     8.2.1.180     2010.03.16     EXP/Pidief.dbj
eTrust-Vet     35.2.7368     2010.03.17     PDF/Pidief.PU
Kaspersky     7.0.0.125     2010.03.17     Exploit.Win32.Pidief.dbi
McAfee-GW-Edition     6.8.5     2010.03.16     Exploit.Pidief.dbj
Microsoft     1.5605     2010.03.17     Exploit:Win32/Pdfjsc.gen!B
Sophos     4.51.0     2010.03.17     Troj/PDFJs-II
Symantec     20091.2.0.41     2010.03.17     Trojan.Pidief.I
File size: 162579 bytes
MD5   : 3639f34ad463932ab8ebad3e57421a97

 Relevant Header info
Received: from [222.122.12.31] by web114207.mail.gq1.yahoo.com via HTTP; Wed, 10 Mar 2010 02:34:05 PST
X-Mailer: YahooMailRC/300.3 YahooMailWebService/0.8.100.260964


Robtex.com

google-analyt1cs.com (a look-alike of google-analytics.com) points to 222.122.12.31, which is blacklisted in five lists.
      Hostname:    222.122.12.31
      ISP:    Korea Telecom
      Organization:    Korea Telecom
      Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Neeraj from the Hypersecurity blog analyzed this sample:
CVE-2010-0188 Adobe Reader TIFF vulnerability

Monday, March 8, 2010

Mar 8 CVE-2010-0188 PDF China to participate in cross-strait relations seminar from spoofed titx@oa.tku.edu.tw

Details _.pdf - cdb5e82e4d07911f9add5cdcf817e9ed


From: Institute of International Affairs and Strategic Studies [mailto:titx@oa.tku.edu.tw]
Sent: Monday, March 08, 2010 8:54 PM
To: XXXXX
Subject: Invitation to attend a cross-strait relations seminar

Machine translation:
From: International Affairs and Strategic Studies [mailto: titx@oa.tku.edu.tw]
Sent: Monday, March 08, 2010 8:54 PM
To: XXXXX
Subject: China to participate in cross-strait relations seminar

Header info
Received: from IBM-62979760B13 ([211.75.147.173])
    by msr39.hinet.net (8.9.3/8.9.3) with ESMTP id JAA10998
    for XXXXXXXXXXX Tue, 9 Mar 2010 09:53:32 +0800 (CST)
Reply-To: titx@oa.tku.edu.tw
From: "=?BIG5?B?sOq72qjGsMi7UL7UsqSs46hzqdI=?="

      Hostname:    mx3.imedia.com.tw
      ISP:    CHTD, Chunghwa Telecom Co., Ltd.
      Organization:    Ming Siang Printing Co., Ltd.
      Country:    Taiwan
      State/Region:    T'ai-pei
      City:    Taipei


Virustotal scans
Scan 1
 File _.pdf received on 2010.03.09 16:54:40 (UTC)
http://www.virustotal.com/analisis/be7578591f45418541d1e38b9389b3e35063a1cd61c1db489bac08e944bce258-1268153680
Result: 5/42 (11.90%)
eSafe     7.0.17.0     2010.03.09     PDF.Exploit
McAfee     5914     2010.03.08     Exploit-PDF.q.gen!stream
McAfee+Artemis     5915     2010.03.09     Exploit-PDF.q.gen!stream
Microsoft     1.5502     2010.03.09     Exploit:Win32/Pidief.AY
Additional information
File size: 80199 bytes
MD5   : cdb5e82e4d07911f9add5cdcf817e9ed


Scan 2
http://www.virustotal.com/analisis/be7578591f45418541d1e38b9389b3e35063a1cd61c1db489bac08e944bce258-1269343175

 File _.pdf received on 2010.03.23 11:19:35 (UTC)
Result: 24/42 (57.15%)
a-squared    4.5.0.50    2010.03.23    Exploit.JS.Pdfka!IK
AhnLab-V3    5.0.0.2    2010.03.23    PDF/Cve-2010-0188
AntiVir    8.2.1.196    2010.03.23    EXP/Pidief.bui
Antiy-AVL    2.0.3.7    2010.03.23    Exploit/JS.Pdfka
Authentium    5.2.0.5    2010.03.23    JS/ShellCode.AM
AVG    9.0.0.787    2010.03.23    Exploit_c.DEY
BitDefender    7.2    2010.03.23    Exploit.PDF-EXE.Gen
DrWeb    5.0.1.12222    2010.03.23    Exploit.PDF.758
eSafe    7.0.17.0    2010.03.21    PDF.Exploit
eTrust-Vet    35.2.7383    2010.03.23    PDF/Pidief.PR
F-Secure    9.0.15370.0    2010.03.23    Exploit.PDF-EXE.Gen
GData    19    2010.03.23    Exploit.PDF-EXE.Gen
Ikarus    T3.1.1.80.0    2010.03.23    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.03.23    Exploit.JS.Pdfka.bui
McAfee    5928    2010.03.22    Exploit-PDF.by
McAfee+Artemis    5928    2010.03.22    Exploit-PDF.by
McAfee-GW-Edition    6.8.5    2010.03.23    Exploit.Pidief.bui
Microsoft    1.5605    2010.03.23    Exploit:Win32/Pdfjsc.gen!B
Rising    22.40.01.04    2010.03.23    Hack.Exploit.PDF.aem
Sophos    4.51.0    2010.03.23    Troj/PDFJs-II
Sunbelt    6031    2010.03.22    Exploit.PDF.CVE-2010-0806 (v)  - nope, it is not (M)
Symantec    20091.2.0.41    2010.03.23    Trojan.Pidief.I
TrendMicro    9.120.0.1004    2010.03.23    TROJ_PDFKA.AR
VirusBuster    5.0.27.0    2010.03.22    JS.Crypt.UQBF
Additional information
File size: 80199 bytes
MD5...: cdb5e82e4d07911f9add5cdcf817e9ed


Wepawet
benign
http://wepawet.cs.ucsb.edu/view.php?hash=cdb5e82e4d07911f9add5cdcf817e9ed&type=js