Friday, April 23, 2010

Apr 23 Link HTA with Trojan:Win32/Tapaoux.A download

Malicious HTA file at hxxp://report-inshop.com/policies/A Step in the Right Direction.hta
downloads additional malware, wincfg.exe, detected as Trojan:Win32/Tapaoux.A

Download   



From: Richard Wilson [mailto:richard.wilson34@hotmail.com]
Sent: Friday, April 23, 2010 7:52 AM
To: XXXXXXXXXX
Subject: Obama's New Nuclear Policies: A Step in the Right Direction


Obama's New Nuclear Policies: A Step in the Right Direction

Arms Control, Nuclear Weapons, Nonproliferation, Defense
Michael E. O'Hanlon, Director of Research and Senior Fellow, Foreign Policy

The Brookings Institution

    Documents View   (Acrobat Version 9.0 or less)


Tuesday, April 20, 2010

Apr 20 CVE-2009-4324 PDF US_Taiwan_policy.pdf


 Download 5f49a04d3738b602685207419bc0789c _US_Taiwan_policy.pdf   as a password protected archive (please contact me if you need the password)

Details 5f49a04d3738b602685207419bc0789c _US_Taiwan_policy.pdf  

 There is no additional information about this message, except that it was sent via Gmail on 20 Apr 2010 around 6 pm PDT.

 http://www.virustotal.com/analisis/2e76eaa6bfb9d2b0fc2a68de0fc24eb901e55d8298fcda4ca1d0ad1b5f6ef3b6-1272509457
 File article_on_US_Taiwan_policy.pdf received on 2010.04.29 02:50:57 (UTC)
Result: 23/41 (56.1%)
a-squared    4.5.0.50    2010.04.29    Exploit.Win32.Pidief!IK
AntiVir    8.2.1.224    2010.04.28    HEUR/HTML.Malware
Antiy-AVL    2.0.3.7    2010.04.28    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.04.29    PDF/Obfusc.M!Camelot
Avast    4.8.1351.0    2010.04.28    JS:Pdfka-WJ
Avast5    5.0.332.0    2010.04.28    JS:Pdfka-WJ
AVG    9.0.0.787    2010.04.29    Script/Exploit
BitDefender    7.2    2010.04.29    Exploit.PDF-JS.Gen
ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-21790
eSafe    7.0.17.0    2010.04.28    Win32.Pidief.H
F-Secure    9.0.15370.0    2010.04.28    Exploit.PDF-JS.Gen
GData    21    2010.04.29    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.80.0    2010.04.29    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.04.29    Exploit.Win32.Pidief.dcc
McAfee    5.400.0.1158    2010.04.29    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    6.8.5    2010.04.28    Heuristic.HTML.Malware
Microsoft    1.5703    2010.04.28    Exploit:Win32/Pdfjsc.FE
nProtect    2010-04-28.02    2010.04.28    Exploit.PDF-JS.Gen
Sophos    4.53.0    2010.04.29    Troj/PDFJs-FM
Sunbelt    6235    2010.04.28    Exploit.PDF-JS.Gen (v)
Symantec    20091.2.0.41    2010.04.29    Trojan.Pidief.H
TrendMicro    9.120.0.1004    2010.04.28    TROJ_PDFJS.BI
TrendMicro-HouseCall    9.120.0.1004    2010.04.29    Expl_ShellCodeSM
Additional information
File size: 82600 bytes
MD5...: 5f49a04d3738b602685207419bc0789c

CVE-2009-4324

Sunday, April 18, 2010

Apr 18 CVE-2010-0188 PDF China Bank Notification from bank.csc@inibr.chinatrust.com.tw

Download  10e15dd9b11528762c182b04f80e0a03 ATT13624.pdf as a password protected archive (please contact me for the password if you need it)

Details  10e15dd9b11528762c182b04f80e0a03 ATT13624.pdf


From:   [mailto:bank.csc@inibr.chinatrust.com.tw]
Sent: Sunday, April 18, 2010 10:32 PM
To: xxxxxxxxxxxxx
Subject: Chinatrust reminder notice (original: 中國信託提醒通知函)

If you wish to change your e-mail address, you can do so at any time through online banking → Change e-mail address.
This reminder is provided by Chinatrust Personal Online Banking. If you have any questions about the above notice,
please contact us by e-mail or call 02-27458080. Thank you!

Virustotal
http://www.virustotal.com/analisis/1471f2c34d40083b574c0fa0930cba9311aa532bf7207c009b0361b7b6db8bb7-1271652690
File ATT13624.pdf received on 2010.04.19 04:24:37 (UTC)
Result: 3/40 (7.5%)
Avast    4.8.1351.0    2010.04.18    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.04.18    PDF:CVE-2010-0188
GData    19    2010.04.19    PDF:CVE-2010-0188  
File size: 132797 bytes
MD5...: 10e15dd9b11528762c182b04f80e0a03

Headers
Received: from mailsnd2.chollian.net (HELO mailsnd2.chol.com) (203.252.1.123)
  by XXXXXXXX with SMTP; 19 Apr 2010 02:44:12 -0000
Received: (qmail 31748 invoked from network); Mon, 19 Apr 2010 11:44:11 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd2.chol.com with ESMTP;
 Mon, 19 Apr 2010 11:44:11 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@bank.csc212af2ce2>
From: "?????H?U???~????"
To: XXXXXXXXXXX
Subject: =?big5?B?pKSw6qtIsFW0o7/0s3Gqvqjn?=
Date: Mon, 19 Apr 2010 10:31:38 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CADFAB.7FFA1D20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579


   Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
      ISP:    Genesis Net Limited
      Organization:    Tsuen Wan
        Country:    Hong Kong
      City:    Central District

It is blacklisted in three lists.

 CVE-2010-0188


Saturday, April 17, 2010

Apr 18 Malware Links Win32.Mepaow - RAT (Apocalypse RAT?)

hxxp://traffresearch.cn/upld/avira.exe 

Download avira.exe db553c422891aa2a3c75e0430b284719

Details avira.exe db553c422891aa2a3c75e0430b284719

http://www.virustotal.com/analisis/e451f56564ed6e0b4d82b85a450e243151f02145372bc788ba171ee42ed969d2-1271805605
File avira.exe received on 2010.04.19 01:13:41 (UTC)
Result: 14/40 (35%)
a-squared    4.5.0.50    2010.04.19    Trojan.Win32.Mepaow!IK
AntiVir    7.10.6.116    2010.04.18    TR/Mepaow.lfp
AVG    9.0.0.787    2010.04.18    Generic17.BBZB
BitDefender    7.2    2010.04.19    Trojan.Generic.KD.7531
Comodo    4641    2010.04.19    TrojWare.Win32.Mepaow.~Z
F-Secure    9.0.15370.0    2010.04.19    Trojan.Generic.KD.7531
GData    19    2010.04.19    Trojan.Generic.KD.7531
Ikarus    T3.1.1.80.0    2010.04.19    Trojan.Win32.Mepaow
Kaspersky    7.0.0.125    2010.04.19    Trojan.Win32.Mepaow.lfp
McAfee-GW-Edition    6.8.5    2010.04.18    Heuristic.BehavesLike.Win32.Trojan.L
Norman    6.04.11    2010.04.16    W32/Backdoor!gens.19256608
Panda    10.0.2.7    2010.04.18    Trj/CI.A
Prevx    3.0    2010.04.19    High Risk Cloaked Malware
Sunbelt    6193    2010.04.19    Trojan.Win32.Generic!BT
File size: 6656 bytes
MD5...: db553c422891aa2a3c75e0430b284719

Anubis Report
http://anubis.iseclab.org/?action=result&task_id=12aaece9c1f5eda341536775ed28bd2d3&format=html


It appears to be (similar to) Apocalypse RAT.
 http://www.virustotal.com/analisis/7a1399859ee132a11114eb7fe4af48efa41550bfbb88f5180dce94d8dc0de3eb-1270630158


Thursday, April 15, 2010

Apr 15 CVE-2010-0188 PDF Obama-Taiwan relations from chuc.ling@yahoo.com

Download   5B7541F3648CC440405179CB5C194644 ATT95097.pdf as a password protected archive (please contact me for the password if you need it)

Details 5B7541F3648CC440405179CB5C194644 ATT95097.pdf 


From: chuc.ling@yahoo.com [mailto:chuc.ling@yahoo.com]
Sent: Thursday, April 15, 2010 3:18 AM
To: XXXXXXXXXXXXXXXXX
Subject: Fw: Call for papers: the Obama administration and US-China-Taiwan relations (original: Fw:歐巴馬政府與美中台關係徵稿公告)

Institute of European and American Studies, Academia Sinica

Contact: Liu Mei-ling
Tel: (02)-37807262
Email: chucling@gate.sinica.edu.tw
      chuc.ling@yahoo.com
Web: http://www.ea.sinica.edu.tw


 Headers
Received: from nklvcfmk (61-221-172-73.HINET-IP.hinet.net [61.221.172.73])
    by msr14.hinet.net (8.9.3/8.9.3) with ESMTP id PAA26936
    for ; Thu, 15 Apr 2010 15:18:21 +0800 (CST)
Message-ID: <000568072135$21217268$48083130@nklvcfmk>
From: "chuc.ling@yahoo.com"
To: XXXXX
Subject: =?gb2312?B?Rnc6mlewzfFS1f64rsVjw8DW0Myo6lCCU+HnuOW5q7jm?=
Date: Thu, 15 Apr 2010 15:18:21 +0800

       Hostname:    61-221-172-73.hinet-ip.hinet.net
      ISP:    CHTD, Chunghwa Telecom Co., Ltd.
      Organization:    CHTD, Chunghwa Telecom Co., Ltd.
      Country:    Taiwan
      City:    Taipei


Apr 16 CVE-2010-0188 PDF China-Taiwan relations from m.akiyama@hotmail.co.jp

Download  75d92097d4ae109aa5d199aa97e08569 ATT70608.pdf  as a password protected archive (please contact me for the password if you need it)

Details 75d92097d4ae109aa5d199aa97e08569 ATT70608.pdf

From: 秋山 昌廣 (Akiyama Masahiro) [mailto:m.akiyama@hotmail.co.jp]
Sent: Thursday, April 15, 2010 11:23 PM
To: XXXXXXXXX
Subject: Overview of US-China-Taiwan relations (original: 米中台関係総論)


Virustotal

http://www.virustotal.com/analisis/4c63aaf19effe49b2d38597150b61c42fbc9c0be883584744dae63295ec1211d-1271648028

 File ATT70608.pdf received on 2010.04.19 03:33:48 (UTC)
Result: 1/40 (2.5%)
Sophos    4.52.0    2010.04.19    Troj/PDFJs-JI  -  Looks like Sophos is doing something right (M)
Additional information
File size: 926302 bytes
MD5...: 75d92097d4ae109aa5d199aa97e08569


Saturday, April 10, 2010

Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

Download  Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa as a password protected archive (please contact me if you need the password)

Details Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa

Ok, let's see - the Nuclear Summit starts in DC on Monday

From: [Redacted]@yahoo.com;
Date: Sat, Apr 10, 2010 at 10:02 AM
Subject: [Redacted] Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit
To: [Redacted]

Dear Sir/Madam,

The 2010 Nuclear Posture Review (NPR) outlines the Administration’s approach to promoting the President’s agenda for reducing nuclear dangers and pursuing the goal of a world without nuclear weapons, while simultaneously advancing broader U.S. security interests.

According to the White House, the end goal of the upcoming Nuclear Security Summit 2010 will be “a communiqué pledging efforts to attain the highest levels of nuclear security, which is essential for international security as well as the development and expansion of peaceful nuclear energy worldwide.”

Accompanying this letter is the [Redacted]Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit. Please let us know whether you find it useful, and whether there is additional information you would like to see included in future editions. We very much value your support and assistance.


[Redacted address and signature]

Header info
Sender  174.139.92.6

Wednesday, April 7, 2010

Apr 7 CVE-2009-4324 PDF Fwd: Matrix Report --- Earthquake from spoofed UlmanW@state.gov to fake ZaringNS@nasa.gov

 Download infected 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf as a password protected archive (please contact me if you need the password)

Details 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf

 From: Ulman, Wayne (FSI) [mailto:UlmanW@state.gov]
Sent: Wednesday, April 07, 2010 2:08 PM
To: ZaringNS@nasa.gov
Subject: Fwd: Matrix Report --- Earthquake

It's incredible!

------Original Message------
From: "Amanda DJ"
Sent: Wednesday, Apr 7, 2010 10:22 AM
To: Ulman, Wayne (FSI); "Wilson Curran"
Subject: Matrix Report --- Earthquake


2012 is coming!
It's ture!

PlS see Attachment: Matrix_Report.pdf
Sichuan Wenchuan Earthquake  5.12    (May. 12th)
Haiti Earthquake  1.12   (Jan. 12th)
Chile  Earthquake   2.27   (Feb. 27th)

Matrix:Horizontal = Vertical

5 1 2
1 1 2
2 2 7

Monday, April 5, 2010

Apr 5 CVE-2010-0188 PDF Take Note from yumiko_iuchi@cas.go.jp

 Download  5766BA4473462485E15C4EFDB243CB68 100405.pdf as a password protected archive (please contact me if you need the password)

Details 5766BA4473462485E15C4EFDB243CB68 100405.pdf


-----Original Message-----
From: yumiko.iuchi [mailto:yumiko_iuchi@cas.go.jp]
Sent: Monday, April 05, 2010 5:24 PM
To: xxxxxxxxxx
Subject: Arctic Ocean manuscript (original: 北極海の原稿)
Importance: High


(See attached file: 100405.pdf)

...

   TEL: 03-5575-1530
   FAX: 03-5575-0090
   E-mail:  yumiko_iuchi@cas.go.jp

http://www.virustotal.com/analisis/9819bcd9564907b221457cc62de5bc96d729d7a44c63d14a4c1684f269bc8e99-1270518644
 File 100405.pdf received on 2010.04.06 01:50:44 (UTC)
Result: 7/39 (17.95%)
Avast     4.8.1351.0     2010.04.05     PDF:CVE-2010-0188
Avast5     5.0.332.0     2010.04.05     PDF:CVE-2010-0188
BitDefender     7.2     2010.04.06     Exploit.PDF-Name.Gen
F-Secure     9.0.15370.0     2010.04.05     Exploit.PDF-Name.Gen
GData     19     2010.04.06     Exploit.PDF-Name.Gen
nProtect     2009.1.8.0     2010.04.05     Exploit.PDF-Name.Gen
Sophos     4.52.0     2010.04.06     Mal/PDFEx-D
Additional information
File size: 10665 bytes
MD5   : 5766ba4473462485e15c4efdb243cb68

Headers info
Received: from unknown (HELO cas.go.jp) (117.11.158.98)
  by XXXXXXXXXXX with SMTP; 5 Apr 2010 21:23:30 -0000
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 7EB85853; Tue, 6 Apr 2010 05:23:28 +0800
From: "yumiko.iuchi"
Subject: =?ISO-2022-JP?B?GyRCS0w2SzMkJE44NjlGGyhC?=
      Hostname:    117.11.158.98
      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      State/Region:    Tianjin
      City:    Tianjin
Robtex.com: it is blacklisted in two lists. AS4837
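The cas.go.jp headers above (and the chinatrust ones earlier on this page) share one shape: the host that connected to the recipient's MTA has no usable reverse DNS, its HELO claims the spoofed sender's domain, and an inner Received line pretends to have been written by a relay in that domain. The script below is an added example, not the blog's tooling. It copies those headers as its sample (the receiving MTA stays redacted as on the page; the From address is the one in the quoted message), decodes the RFC 2047 subject, walks the Received chain to the originating public IP, and flags both mismatches. The IP-owner lookup is a hard-coded dict standing in for the whois/GeoIP query the author did by hand.

```python
"""Mail-header triage for the spoofed-sender pattern in these posts.

Added example, not the blog author's tooling. It decodes an RFC 2047
subject, walks the Received chain, picks the originating public IP, and
flags a HELO name or a "by" relay that claims the sender's domain when
the host that actually connected to our MTA does not resolve into that
domain. SAMPLE_HEADERS is copied from the cas.go.jp post above (the
receiving MTA stays redacted as on the page; the From address is the
one in the quoted message). OWNERS is a hard-coded stand-in for the
IP-owner lookup the page did by hand.
"""
import ipaddress
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Received: from unknown (HELO cas.go.jp) (117.11.158.98)
  by XXXXXXXXXXX with SMTP; 5 Apr 2010 21:23:30 -0000
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 7EB85853; Tue, 6 Apr 2010 05:23:28 +0800
From: "yumiko.iuchi" <yumiko_iuchi@cas.go.jp>
Subject: =?ISO-2022-JP?B?GyRCS0w2SzMkJE44NjlGGyhC?=

"""
OWNERS = {"117.11.158.98": "China Unicom Tianjin province network"}  # from the page

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>[^\s\[(]+)"             # name our MTA resolved, or 'unknown'
    r"(?:\s*\(HELO\s+(?P<helo>[^)\s]+)\))?"  # what the peer claimed in HELO
    r".*?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",    # first IPv4 literal after that
    re.DOTALL | re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def decode_subject(raw: str) -> str:
    """Decode =?charset?B?...?= words (big5, gb2312, iso-2022-jp as seen above)."""
    return str(make_header(decode_header(raw)))


def in_domain(name, domain: str) -> bool:
    """True if name is domain itself or a host under it (not 'evilcas.go.jp')."""
    name = (name or "").lower()
    return name == domain or name.endswith("." + domain)


def parse_received(value: str) -> dict:
    m = RECEIVED_RE.search(value)
    by = BY_RE.search(value)
    return {"host": m["host"] if m else None,
            "helo": m["helo"] if m else None,
            "ip": m["ip"] if m else None,
            "by": by.group(1) if by else None}


def assess(raw_headers: str, owner_of) -> dict:
    msg = message_from_string(raw_headers)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Received lines are prepended: hops[0] was written by our MTA (the edge);
    # later entries were written, or forged, by hosts nearer the sender.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = next((h for h in reversed(hops) if h["ip"]
                   and not ipaddress.ip_address(h["ip"]).is_private), None)
    findings = []
    if hops and domain:
        edge = hops[0]
        if not in_domain(edge["host"], domain):
            if in_domain(edge["helo"], domain):
                findings.append(f"HELO {edge['helo']} from {edge['ip']} (rDNS: {edge['host']})")
            for hop in hops[1:]:
                if in_domain(hop["by"], domain):
                    findings.append(f"relay '{hop['by']}' claimed by a Received line delivered via {edge['ip']}")
    return {"subject": decode_subject(msg.get("Subject", "")),
            "sender_domain": domain,
            "origin_ip": origin["ip"] if origin else None,
            "origin_owner": owner_of(origin["ip"]) if origin else None,
            "findings": findings}


if __name__ == "__main__":
    for k, v in assess(SAMPLE_HEADERS, OWNERS.get).items():
        print(f"{k}: {v}")
```

Run it as a script to print the report; in a pipeline, feed assess() the raw headers and a real owner lookup. The check is deliberately conservative: it only fires when the edge host fails to resolve into the claimed domain, so mail that genuinely came from a relay in that domain produces no finding.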



Apr 5 CVE-2010-0188 PDF with Bifrose- nov varianty evro SPO SHA from lukin@mail.ru

Download nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211 as a password protected archive (please contact me if you need the password)

Details nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211


-----Original Message-----
From: Lukin Aleksandr [mailto:lukin@mail.ru]
Sent: Monday, April 05, 2010 4:59 AM
To: XXXXXXXXXX
 Subject: nov varianty evro SPO SHA

Virustotal
http://www.virustotal.com/analisis/12112cd97c7fb05f8b4719ce70f49e9ebab815cc11fab4263255c93e3455a659-1270562041
 File nov_varianty_evro_SPO_SHA.pdf received on 2010.04.06 13:54:01 (UTC)
Result: 2/39 (5.13%)
Sophos    4.52.0    2010.04.06    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.04.06    Trojan.Pidief.I
File size: 220944 bytes
MD5...: 176fa5b6dbc10b78a6f21c18f2e4d211


Friday, April 2, 2010

Challenging conventional wisdom on AV signatures by Thomas Dullien from blog.zynamics.com

Here is a great post by Thomas Dullien from Zynamics.com blog

Challenging conventional wisdom on AV signatures (Part 1 of 2)

Apr 2 CVE-2009-0927 CVE-2007-5659 PDF IPR in China FINAL from global.faruk@gmail.com


Download c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf as a password protected archive (contact me if you need the password)

Details c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf



From: Faruk DEMİR [mailto:global.faruk@gmail.com]
Sent: Friday, April 02, 2010 4:36 AM
To: XXXXXXXXXXXXXX
Subject: IPR in China FINAL

Virustotal
http://www.virustotal.com/analisis/816ff03f39d9d210ee3a49a61f208a4b0a8979c3d08fa9b8a17e01a98b5d123c-1270206094
File IPR_in_China_FINAL.pdf received on 2010.04.02 11:01:34 (UTC)
Result: 10/42 (23.81%)
a-squared     4.5.0.50     2010.04.02     Exploit.Win32.Pidief!IK
Authentium     5.2.0.5     2010.04.02     PDF/Obfusc.M!Camelot
Avast     4.8.1351.0     2010.04.02     JS:ShellCode-EQ
Avast5     5.0.332.0     2010.04.02     JS:ShellCode-EQ
AVG     9.0.0.787     2010.04.02     Exploit.PDF
GData     19     2010.04.02     JS:ShellCode-EQ
Ikarus     T3.1.1.80.0     2010.04.02     Exploit.Win32.Pidief
Microsoft     1.5605     2010.04.02     Exploit:JS/Mult.CM
Symantec     20091.2.0.41     2010.04.02     Bloodhound.PDF!gen
TrendMicro     9.120.0.1004     2010.04.02     Expl_ShellCodeSM
File size: 54720 bytes
MD5   : c497c02464ae74bbc94120d1cbe88d49

Vicheck
https://www.vicheck.ca/md5query.php?hash=c497c02464ae74bbc94120d1cbe88d49
PDF Exploit call to Collab.collectEmailInfo CVE-2007-5659
PDF Exploit call to Collab.getIcon CVE-2009-0927

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c497c02464ae74bbc94120d1cbe88d49&type=js
suspicious

Tuesday, March 30, 2010

ESET Nod32 detection of CVE-2010-0806

March 30, 2010 ESET quickly corrected the false positive and there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and I do not see the CVE-2010-0806 exploit in them. They seem to be false positives - some sort of ads scripts.


    * hxxp://assets.loomia.com/js/clixdom.js
    * hxxp://widget-cache.loomia.com/js/onewidget_clix.js
    * hxxp://a.l.yimg.com/a/lib/s5/searchpad_core_metro_js_200911061221.js

 File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
NOD32     4985     2010.03.30     JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this discussion related to it: JS/Exploit.CVE-2010-0806 trojan on Yahoo



Mar 30 CVE-2010-0806 IE 0-day hxxp://bbs.vgl.co.kr/bbs/icon/ie.html


http://www.virustotal.com/analisis/6827df1e55c9d7bbbf80272a919606aa7d5ee7b90fd049d67c6b2c0e2f458819-1269977772
 File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    5.2.0.5    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    9.0.0.787    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    7.0.17.0    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    4.5.1.85    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    4.0.14.0    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.1.1.80.0    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    7.0.0.125    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    5.0.27.0    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5...: fcfeb0287f172a2c58f680fcd120ea48



bbs.vgl.co.kr has one IP number , which is the same as for vgl.co.kr, but the reverse is 211-115-80-207.kidc.net. vgl.co.kr and http://www.robtex.com/dns/www.vgl.co.kr.html point to the same IP. vgl.co.kr is delegated to two nameservers, however one delegated nameserver is missing in the zone. Incoming mail for vgl.co.kr is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. bbs.vgl.co.kr is hosted on a server in Korea. It is not listed in any blacklists.
      Hostname:    211-115-80-207.kidc.net
      ISP:    KRNIC
      Organization:    Hanbiro, Inc.
       Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from americansina@gmail.com

 Download d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf as a password protected archive (please contact me if you need the password)

Details d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf 

From: Dean Cheng [mailto:americansina@gmail.com]
Sent: 2010-03-30 9:18 AM
Subject: China and Foreign Military Modernization

Dear Folks,

One of the little-noticed actions in the recently concluded session of the Chinese National People’s Congress was the enactment of a National Defense Mobilization Law. In an age when conventional conflicts are planned to conclude in a matter of days or weeks, it is striking that the People’s Republic of China  (PRC) should choose to ensure its readiness for a protracted war. Indeed, it suggests that the People’s Liberation Army (PLA) is thinking about future wars in a very different way from their Western counterparts, where full-scale mobilization is rarely discussed at all. Whereas the U.S. and its allies have mostly neglected the prospect of a prolonged high-intensity conflict, the PLA appears intent on preparing for both short- and long-term wars.

The actions of the National People’s Congress have distinct implications for U.S. defense planners, as they portend an opponent who may choose to fight a protracted conflict—but with anti-ship missiles rather than IEDs. And it should also raise questions among foreign investors—how might their facilities and assets be treated in the event of a crisis?

We have drafted a memo to this regards as attached. Your inputs are highly appreciated.

Best regards,

Cheng
--
Dean Cheng
Research Fellow, Asian Studies Cente
---------
Virustotal
http://www.virustotal.com/analisis/8b821297ce83d927e3ab73fe465149beb64b67d5b2cbee1cfaa4953c84c6a302-1269966037
File WebMemo.pdf received on 2010.03.30 16:20:37 (UTC)
Result: 8/42 (19.05%)
Avast     4.8.1351.0     2010.03.30     JS:Pdfka-XX
Avast5     5.0.332.0     2010.03.30     JS:Pdfka-XX
BitDefender     7.2     2010.03.30     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.03.30     Exploit.PDF-JS.Gen
GData     19     2010.03.30     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.03.30     Exploit.JS.Pdfka.bvz
Microsoft     1.5605     2010.03.30     Exploit:Win32/Pdfjsc.gen!A
nProtect     2009.1.8.0     2010.03.30     Exploit.PDF-JS.Gen
Additional information
File size: 201777 bytes
MD5   : d7520d1957d5ef26e068727fac4c4f02

Vicheck.ca
https://www.vicheck.ca/md5query.php?hash=d7520d1957d5ef26e068727fac4c4f02
Type: PDF Exploit call to media.newPlayer CVE-2009-4324
XOR Key:0x[]
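Vicheck's "call to media.newPlayer" here, and the Collab.collectEmailInfo / Collab.getIcon calls in the IPR in China post above, are string indicators you can pull out yourself once the Flate-compressed JavaScript streams are inflated and #xx name escapes (the /J#53 trick behind "Exploit.PDF-Name.Gen") are undone. The CVE-2010-0188 samples on this page need a different check: that bug is in Reader's TIFF handling and the file carries the TIFF inside an XFA form, with no JavaScript to find, which is one reason those files score 1/40 to 3/40 at VirusTotal. The script below is an added example written for this page, not Vicheck's or the blog author's code; it builds constructed sample PDFs rather than using the posted samples.

```python
"""Static PDF triage for the exploit patterns catalogued on this page.

Added example (not the blog's or any vendor's code). It inflates
FlateDecode streams, undoes #xx name obfuscation (/J#53 for /JS), looks
for the JavaScript API calls the Vicheck results above tie to CVEs
(media.newPlayer, Collab.collectEmailInfo, Collab.getIcon), and checks
for a TIFF carried inside an XFA form, which is the JavaScript-free
shape of CVE-2010-0188. The sample PDFs it builds are constructed for
the demo; they are not the samples posted on this page.
"""
import base64
import re
import zlib

# JavaScript API calls tied to CVEs in the Vicheck output on this page.
SUSPECT_API = {
    b"media.newPlayer": "CVE-2009-4324",
    b"Collab.collectEmailInfo": "CVE-2007-5659",
    b"Collab.getIcon": "CVE-2009-0927",
}
# Dictionary keys that hand the reader code or fire it automatically.
TRIGGER_KEYS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/XFA"]
# TIFF magic, raw and as the base64 of its first three bytes (how an XFA
# <image> element carries it).
TIFF_MARKS = [b"II*\x00", b"MM\x00*", b"SUkq", b"TU0A"]

NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_names(data: bytes) -> bytes:
    """PDF names may spell keywords as /J#53 for /JS; normalise them."""
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Every stream body, Flate-decoded when possible; damaged or
    non-Flate streams are kept raw so the string scans still run."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))
    return bodies


def triage_pdf(data: bytes) -> dict:
    dicts = STREAM_RE.sub(b"", data)           # object dictionaries only
    plain = unescape_names(dicts)
    triggers = sorted(k.decode() for k in TRIGGER_KEYS
                      if re.search(re.escape(k) + rb"(?![A-Za-z])", plain))
    streams = inflate_streams(data)
    api_calls = {api.decode(): cve for s in streams
                 for api, cve in SUSPECT_API.items() if api in s}
    tiff = any(mark in s for s in streams for mark in TIFF_MARKS)
    obfuscated = len(NAME_ESC.findall(dicts))
    suspicious = bool(api_calls) or (tiff and "/XFA" in triggers) or bool(obfuscated and triggers)
    return {
        "triggers": triggers,
        "api_calls": api_calls,
        "embedded_tiff": tiff,
        "obfuscated_names": obfuscated,
        "streams": len(streams),
        "verdict": "suspicious" if suspicious else "no-indicators",
    }


def _pdf(objects: list) -> bytes:
    """Minimal PDF skeleton around the given object bodies (constructed)."""
    body = b"".join(b"%d 0 obj %s endobj\n" % (i + 1, o) for i, o in enumerate(objects))
    return b"%PDF-1.6\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def _flate_stream(payload: bytes) -> bytes:
    comp = zlib.compress(payload)
    return b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream"


def build_js_sample() -> bytes:
    """Constructed: OpenAction -> name-obfuscated JavaScript -> media.newPlayer."""
    return _pdf([
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /Java#53cript /J#53 4 0 R >>",
        _flate_stream(b"var p = media.newPlayer(null); app.alert('hi');"),
    ])


def build_xfa_sample() -> bytes:
    """Constructed: AcroForm/XFA whose <image> holds a base64 TIFF header."""
    tiff = base64.b64encode(b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
    xml = (b"<xdp:xdp><template><field><ui><imageEdit/></ui><value><image>"
           + tiff + b"</image></value></field></template></xdp:xdp>")
    return _pdf([
        b"<< /Type /Catalog /AcroForm 2 0 R >>",
        b"<< /XFA 3 0 R >>",
        _flate_stream(xml),
    ])


def build_benign_sample() -> bytes:
    """Constructed: no JavaScript, no forms, nothing to trigger."""
    return _pdf([b"<< /Type /Catalog /Pages 2 0 R >>",
                 b"<< /Type /Pages /Kids [] /Count 0 >>"])


if __name__ == "__main__":
    for name, build in [("js", build_js_sample), ("xfa", build_xfa_sample),
                        ("benign", build_benign_sample)]:
        print(name, triage_pdf(build()))
```

Treat the output as triage, not a verdict: a JavaScript-free PDF with /XFA and an embedded image is normal for forms, so the TIFF check only fires together with /XFA, and a real sample may wrap the payload in a non-Flate filter or hide it in an object stream that this reader does not follow.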



CVE-2009-4324

Monday, March 29, 2010

Malware links March 2010

If you are looking for links to download samples, look here Links and resources for malware samples



  • hxxp://66.232.142.167/funny.php    JS/Exploit.ADODB.Stream.NAP trojan   
  •  hxxp://googlecounter.cn/web/gla.php contains PDF/Exploit.Gen trojan.
  • hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab contains a variant of Win32/AdInstaller 
  • hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5.exe/oHbcb9bc6cV0100f070006R8b2e329c102Tf70a1fc2201l0409K6cb1af37317 contains JS/Exploit.Pdfka.BXK trojan.
  • hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5.exe/eHbcb9bc6cV0100f070006R8b2e329c102Tf70a1fde201l0409K6cb1af37318J0f0006010 contains Win32/Adware.SpywareProtect2009 application.
  • hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5 .asp/oHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd7201l0409K5c3a3a34317 contains JS/Exploit.Pdfka.BXK trojan. 
  • hxxp://google.analytics.com.aptwhzoqc.info/kav/KAV5 .asp/eHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd2201l0409K5c3a3a34318J0f0006010 contains Win32/Adware.SpywareProtect2009 application.
  • http://www.paramountcommunication.com/heritage/index.php?utm_source=Newsletter&utm_medium=Email&utm_campaign=Insider+Online&email=...   JS/TrojanDownloader.Pegel.AA  
  • hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab    a variant of Win32/AdInstaller       
  • hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.3.cab    a variant of Win32/AdInstaller 
  •  hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-6/1.2.0.1/MyFunCards.exe    a variant of Win32/AdInstaller             
  • hxxp://blogger-com.custhelp.com.lauxanh-us.readystockonline.ru:8080/mop.com/mop.com/google.com/woot.com/zol.com.cn.php    JS/TrojanDownloader.Iframe.NHK trojan          
  • hxxp://capitalone-com.victoriassecret.com.rutube-ru.newsuperway.ru:808/qidian.com/qidian.com/kioskea.net/google.com/howstuffworks.com.php    JS/TrojanDownloader.Iframe.NHK trojan   
  • hxxp://consuladodamulher.org.br/Itau/cont_artigos.php?s=TQQeTma9&id=6    multiple threats      
  • hxxp://golddeery.info/show-banner.php?kod=629081&site=ff.ca    HTML/Iframe.B.Gen virus  
  • hxxp://google.analytics.com.hzlyaejcvmat.info/nte/AVORP1KAV6 .asp/oU230d9c2eHbcb9bc6cV0100f070006R8c1977ae102Tf7326dcc201l0409K7959373b317    JS/Exploit.Pdfka.NTY trojan                      
  • hxxp://google.analytics.com.mdmnegsxcytq.info/kav/kav5.html/oHbcb9bc6cV0100f070006R24c1e2fe102Tf7114d86201l0409Kede2a3a5317    JS/Exploit.Pdfka.NUI trojan          
  • hxxp://google.analytics.com.mdmnegsxcytq.info/kav/kav5.py/oHbcb9bc6cV03002f36002R22c9ccec102Tf7139f4fQ000002f3901801F002a000aJ11000601l0409K41010ef5317    JS/Exploit.Pdfka.NUI trojan          
  •  hxxp://google.analytics.com.molbquhwebp.info/kav/kav5.py/eHbcb9bc6cV0100f070006Ra7e4cffb102Tf7151520201l0409Kd9bdaac13240    a variant of Win32/Kryptik.DHM trojan   
  • hxxp://google.analytics.com.molbquhwebp.info/kav/kav5.py/oHbcb9bc6cV0100f070006Ra7e4cffb102Tf7151527201l0409Kd9bdaac1317    JS/Exploit.Pdfka.NUI trojan              
  • hxxp://google.analytics.com.vvpwiceojasw.info/kavs/KAV6.exe/oHbcb9bc6cV0100f070006R695b81f8102Tf71ecc4c201l0409Ked0fd1fa317    JS/Exploit.Pdfka.NUI trojan      
  • hxxp://media.stu.edu.cn/ckjournalists/wp-content/plugins/test/fragus/pdf.php    PDF/Exploit.Pidief.OJS.Gen trojan     
  •  hxxp://origin-ics.seekmo.com/IC/GPLSeekmo7Zip02/770/-2_td_g-m_tsu_o9_oh_g44_tm8_g-l_tzg9xhg_g-t_tzdzpgcd_g4kl_tl_g-e_tul-m8_gk8_tp_oz/7zipsetup.exe    a variant of Win32/Adware.HotBar.E application 
  • hxxp://reeufgcwdaa.com/kavs/KAV6.exe/oHbcb9bc6cV03f01830002Ra6b096a2102Tf71a35a1Q000002f3901801F002a000aJ11000601l0409K4c7ff6ef317    JS/Exploit.Pdfka.NUI trojan      
  •  hxxp://rytsedwtov.in/new/sdfg.jar    multiple threats   
  •  hxxp://traffictravelling.com/cgi-bin/001?sourceid=3&domain=d3.zedo.com/q002106201317r0409R96b62002Xf72fe433Ybcb9bc6cZ0100f070    JS/Exploit.Pdfka.BQP trojan          
  • hxxp://www.car-parking.eu/city/geneva.html    JS/TrojanDownloader.Agent.NTN trojan    
  • hxxp://www.samplegraduateschoolessay.com/wp-content/plugins/wp-email/email-js-packed.js?ver=2.31    JS/TrojanDownloader.Agent.NRN trojan        
  • hxxp://www.sciences-po.org/    HTML/ScrInject.B.Gen virus                       
  • hxxp://www1.hatin-the-safe-atpc.in/build6_290.php?cmd=sendFile&counter=2&p=p52dcWptaF/Cj8bYbnOCdVik12qYVp/Zatrau4FdlJ/JnsWYeHpfqKygdW2SY5jKZ2NmamJpiqDWkaTboKCViaJ0WKrO1c+eb1qfnaSZdV/XlsndblaWpG9rnFuTYGCUXpmSlGprWKjKx6Chpqipbmdjr7DYW8vVoJeZmWCb05qRo5XHn8bM    a variant of Win32/Kryptik.DFC trojan
  • hxxp://ylwgheakrozn.com/nte/AVORP1TATRA9.py    JS/Exploit.Agent.NBA trojan              

Sunday, March 28, 2010

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from richard.mark45@yahoo.com

Malicious link hxxp://spot-news.com/spot/news.html

Here is one more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark [mailto:richard.mark45@yahoo.com]
Sent: Sunday, March 28, 2010 11:17 PM
To: XXXXXXXXXXXXXX
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

U.S.-ROK ALLIANCE

In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [123.125.156.136] by web114509.mail.gq1.yahoo.com via HTTP;
 Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/0.8.100.260964
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered


Sender ip info        Hostname:    123.125.156.151
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing


The exploit and all other details are the same as in this post from earlier today