Monday, September 28, 2009

Sept 28. Attack of the Day. Exploit/MSWordAgent!IK Townhall Magazine... from spoofed xxxx@heritage.org

Link updated: Jan 18, 2023

Download Final File of F4 UN.doc (password protected archive. Please contact me if you need the password)

Update January 24, 2010: Abhishek Lyall provided the following information about the file:
"The exploit works on Office 2003. Tested on XP SP2-3. The exe is embedded at OFFSET=0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary with name "svchost.exe" and a doc file in %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and Doc are XOR'ed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA." To be continued...
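For analysts who want to carve the two embedded files for static analysis, the encoding described in the note can be undone as follows. This is an added example, not code from the original post or from the person quoted. The key, offsets and exception bytes are taken from the note; reading "except" as "copied unchanged", ending the EXE region where the document region starts, and the harmless constructed sample are assumptions.

```python
# Added example: constants come from the analyst's note; the sample is constructed.
KEY = 0x25
SKIP = frozenset({0x25, 0x00, 0xFF, 0xDA})   # bytes reported as not XOR'ed
EXE_OFFSET, DOC_OFFSET = 0x4C00, 0x7400
MZ_MAGIC = b"MZ"
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file header


def xor_skip(data: bytes, key: int = KEY, skip=SKIP) -> bytes:
    """XOR every byte with key, copying bytes in `skip` unchanged (assumed reading)."""
    return bytes(b if b in skip else b ^ key for b in data)


def skip_set_is_closed(key: int = KEY, skip=SKIP) -> bool:
    """True when XOR with key maps the skip set onto itself. Then no encoded
    byte can land in the set, and xor_skip() is its own inverse."""
    return all((b ^ key) in skip for b in skip)


def carve(sample: bytes) -> dict:
    """Decode both embedded regions and check their file magics.
    Assumption: the EXE region ends where the document region begins."""
    exe = xor_skip(sample[EXE_OFFSET:DOC_OFFSET])
    doc = xor_skip(sample[DOC_OFFSET:])
    return {
        "exe": exe, "doc": doc,
        "exe_is_pe": exe.startswith(MZ_MAGIC),
        "doc_is_ole": doc.startswith(OLE_MAGIC),
    }


def build_constructed_sample() -> bytes:
    """Harmless stand-in with the same layout: filler, fake MZ stub, fake OLE header."""
    exe = (MZ_MAGIC + b"\x90\x00\x03\x00\x00\x00\xff\xff\x25\xda").ljust(
        DOC_OFFSET - EXE_OFFSET, b"\x00")
    doc = OLE_MAGIC + b"constructed decoy body"
    return b"\x41" * EXE_OFFSET + xor_skip(exe) + xor_skip(doc)


if __name__ == "__main__":
    result = carve(build_constructed_sample())
    print("skip set closed under XOR:", skip_set_is_closed())
    print("EXE magic ok:", result["exe_is_pe"], "| DOC magic ok:", result["doc_is_ole"])
```

The four exception bytes form two pairs that XOR with 0x25 maps onto each other (0x00 and 0x25, 0xFF and 0xDA), so long runs of 0x00 or 0xFF in the embedded files do not show up as runs of the key, and the same routine both encodes and decodes.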




Virustotal
https://www.virustotal.com/gui/file/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac

File Final File of F4 UN.doc received on 2009.10.22 18:31:54 (UTC)
Result: 4/41 (9.76%)
Antivirus     Version        Last Update    Result
a-squared     4.5.0.41       2009.10.22     Exploit.MSWord.Agent!IK
Antiy-AVL     2.0.3.7        2009.10.22     Exploit/MSWord.Agent
Ikarus        T3.1.1.72.0    2009.10.22     Exploit.MSWord.Agent
Kaspersky     7.0.0.125      2009.10.22     Exploit.MSWord.Agent.ac
File size: 1440768 bytes
MD5   : 76af62049aa95ba30214cabb5baf1342
SHA1  : 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac


I don't know why a-squared stopped detecting it. One month later detection is still very low.

https://www.virustotal.com/gui/file/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
File Final_File_of_F4_UN.doc received on 2009.12.21 05:45:17 (UTC)
Result: 3/41 (7.32%)
Antiy-AVL     2.0.3.7        2009.12.18     Exploit/MSWord.Agent
Authentium    5.2.0.5        2009.12.02     MSWord/Dropper.B!Camelot
Kaspersky     7.0.0.125      2009.12.21     Exploit.MSWord.Agent.ac
Additional information
File size: 1440768 bytes
MD5...: 76af62049aa95ba30214cabb5baf1342
SHA1..: 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac

to be continued..

Monday, September 21, 2009

Sep 21, 2009 CVE-2009-3957 PDF w Trojan Scar - 2009 Defense Seminar Invitation from randinfodesk@gmail.com Sep 21, 2009

Link updated: Jan 18, 2023

Download the files below as a password protected archive (please contact me if you need the password)


Original
E42F8E662D39A31B596D86504B9DC287 RandInfo.pdf  104165 bytes

Embedded / Dropped Files
590a6e6c811e41505bebd4a976b9e7f3 msapt.exe 41472 bytes
590a6e6c811e41505bebd4a976b9e7f3 update.exe 41472 bytes
230040293ED381E32FAA081B76634FCB wshipa.dll 32768 bytes
74180904D2F9DF2553C478F7AC480527 tpdefense.dat 103 bytes
E73C3121EE1ED30643E1D1982393F978 RANDInfo.pdf 37822 bytes

Details E42F8E662D39A31B596D86504B9DC287 RandInfo.pdf


From: RAND Corporation [mailto:randinfodesk@gmail.com]
Sent: Monday, September 21, 2009 8:04 AM
Subject: 2009 Defense Seminar Invitation

       
RAND  Defense Security Seminar

October 19-23, 2009
1200 South Hayes Street
Arlington, VA 22202-5050

RAND Coporation will hold 2009 Defense Seminar at RAND’s Washington office at Pentagon City, Arlington, VA. Sessions will be held from 9:00 to 5:00 with an hour lunch break on Monday through Thursday, October 19–22, and from 9:00 to 1:00 on Friday, October 23, 2009.

Topics covered will include the following:
- The evolution of alliance and coalition partnerships
- The major issues and challenges in East Asia
- Gaming techniques for strategists and planners
- Missile defense technology and policy
- Transforming intelligence agencies to be better prepared to deal with today's threats
For more information, you can see attached file.
  
______________________________
Contact:
RAND Corporation
1200 South Hayes Street
Arlington, VA 22202
Phone: 703/412-1100 x5409
Fax: 703/413-8181