Li Jun, aka “Virus King,” designed the 熊猫烧香 / Panda Burning Incense / joss-sticks virus that wreaked havoc in China in 2006-2007. He spent 2 1/2 years in prison and was/is supposed to be released at the end of this year. Maybe he already was, because a new version of this virus is now making the rounds in China.
Here is a Chinese-language article (Google translated) about the author of the virus.
The script below (from someone by the name 'bobo') is supposed to remove the original version of the virus:
Friday, November 27, 2009
Nov.25 PDF attack: MOU from cwfhom@gmail.com Nov 25, 2009 10:25 PM
Download the infected pdf (password protected, contact me for the password)
The memorandum of understanding on supervisory cooperation that this Commission signed with the three mainland financial supervisory authorities is currently being submitted to the Executive Yuan for approval. The matters relating to the memorandum are compiled in the attachment; please review. Thank you.
If you need any other information, please let me know at any time.
With respectful regards,
Zhou Minggao
Financial Supervisory Commission (金管會)
From: Arthur Chou [cwfhom@gmail.com]
To: Ouruser@ourdomain.xxx
Sent: Wednesday, November 25, 2009 10:25 PM
Subject: MOU
Wepawet: http://wepawet.cs.ucsb.edu/view.php?hash=5b4f2df5c95ea65736adbd60ed4f96be&type=js
Result - suspicious
Virustotal analysis: http://www.virustotal.com/analisis/935aacc944172c155c6884ef8e70ec14a400a6de409aa024bbfa6a396853d656-1259261293
Antivirus | Version | Last Update | Result |
---|---|---|---|
AntiVir | 7.9.1.79 | 2009.11.26 | HTML/Rce.Gen |
McAfee-GW-Edition | 6.8.5 | 2009.11.26 | Heuristic.Script.Rce |
Microsoft | 1.5302 | 2009.11.26 | Exploit:Win32/ShellCode.A |
NOD32 | 4640 | 2009.11.26 | PDF/Exploit.Gen |
Norman | 6.03.02 | 2009.11.25 | JS/ShellCode.C |
Wednesday, November 25, 2009
Nov.25 PDF attack. Letter on Taiwan from rupertjhc@gmail.com Nov 25, 2009 11:23 AM
Download the infected PDF (password protected, you have to contact me for the password)
This one is quite interesting:
From: Rupert Hammond-Chambers [rupertjhc@gmail.com]
To: ouruser@ourdomain.xxx
Sent: Wednesday, November 25, 2009 9:54 AM
Subject: Letter on Taiwan
Dear Colleagues,
I first would like to extend my heartfelt gratitude for the support that you and other members of Congress have demonstrated to the Republic of China (Taiwan) over the last 30 years. Despite the absence of official relations, our common goals and interests remain strong.
Our nation has attempted to purchase follow-on F-16s since 2006 to upgrade our national defense by replacing our F-5s and other antiquated equipment and thereby respond to the growing threat that the People’s Republic of China (PRC) and its military’s modernization efforts represents to peace and security in the Taiwan Strait. We respectively ask you to support our clear military need to upgrade our F-16 force by supporting a follow-on sale of F-16s. Your support will contribute immeasurably to America and Taiwan’s shared interest in democracy and peace and security in the Taiwan Strait.
Sincerely yours,
Rupert
--
Rupert Hammond-Chambers
President
US-Taiwan Business Council
________________________________
1700 North Moore Street, Suite 1703
Arlington, Virginia 22209
United States of America
Telephone: (703) 465-2930
Mobile: (202) 445-4777
Facsimile: (703) 465-2937
www.us-taiwan.org
Monday, November 23, 2009
Nov.23 PDF attack. The three undisclosed secret in President Obama Tours Asia Nov 23, 2009 11:23 AM from jenniferf.carlson@yahoo.com
Download the malicious PDF (password protected, you have to contact me for the password)
http://www.mediafire.com/?0ozfmnnegnh
Virustotal analysis
File ObamaAndAsia.pdf received on 2009.11.25 06:39:38 (UTC)
Result: 5/41 (12.2%)
Antivirus | Version | Last Update | Result |
---|---|---|---|
BitDefender | 7.2 | 2009.11.25 | Trojan.SWF.HeapSpray.B |
F-Secure | 9.0.15370.0 | 2009.11.24 | Trojan.SWF.HeapSpray.B |
Kaspersky | 7.0.0.125 | 2009.11.25 | Exploit.SWF.Agent.ci |
GData | 19 | 2009.11.25 | Trojan.SWF.HeapSpray.B |
Sunbelt | 3.2.1858.2 | 2009.11.25 | Exploit.PDF-JS.Gen (v) |
Sent: Mon 11/23/2009 11:23 AM
From: Jennifer F. Carlson [jenniferf.carlson@yahoo.com]
fyi.
The three undisclosed secret in President Obama Tours Asia.
The message sender was jenniferf.carlson@yahoo.com
The message originating IP was 68.142.206.162
The message recipients were ouruser@ourdomain.xxx
The message was titled The three undisclosed secret in President Obama Tours Asia
The message date was Mon, 23 Nov 2009 08:22:38 -0800 (PST)
The message identifier was <881116.55087.qm@web111811.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12 build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.
Scan started at Mon Nov 23 16:22:42 2009 Database version: 2009-11-23_10
attach/5963917_3X_PM5_EMS_MA-PDF__ObamaAndAsia.pdf: Infected: Exploit.SWF.Agent.ci [AVP]
Wednesday, November 18, 2009
Nov.18 PDF attack. U.S. ship thwarts second pirate attack November 18, 2009.pdf Nov 18, 2009 10:38:02 AM from michael.gillenwater@dhs.gov (Spoofed sender)
Email message text
Fw: U.S. ship thwarts second pirate attack November 18, 2009
michael.gillenwater
To: Undisclosed-Recipient:;
Sent: 11/18/2009 10:38 AM
>>
>>
>>> FYI
>>>
>>>
>>> ----- Original Message -----
>>> From: "Antweiler"
>>> To:
>>> Sent: Wednesday, November 18, 2009 4:40 AM
>>> Subject:Today: U.S. ship thwarts second pirate attack
Wepawet analysis: http://wepawet.cs.ucsb.edu/view.php?hash=0b9e08970966b28ad05300038a16ba22&type=js
Virustotal: https://www.virustotal.com/gui/file/5464cfb7c8912c0dbc8b97ac342efd1b39561dba1cb47f69ee70114c7908565a/details
Analysis report for U.S. ship thwarts second pirate attack November 18, 2009.pdf
Sample Overview
File | U.S. ship thwarts second pirate attack November 18, 2009.pdf |
---|---|
MD5 | 0b9e08970966b28ad05300038a16ba22 |
Analysis Started | 2009-11-18 07:50:52 |
Report Generated | 2009-11-18 07:50:57 |
JSAND version | 1.03.02 |
Detection results
Detector | Result |
---|---|
JSAND 1.03.02 | malicious |
Exploits
Name | Description | Reference |
---|---|---|
Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
Heap Spraying with Actionscript by FireEye and From Targeted PDF Attack to Backdoor in Five Stages by McAfee
Excerpt
II. http://www.avertlabs.com/research/blog/index.php/2009/09/14/from-targeted-pdf-attack-to-backdoor-in-five-stages/
FireEye Malware Intelligence Lab
Julia Wolf @ FireEye Malware Intelligence Lab
Heap Spraying with Actionscript
Why turning off Javascript won't help this time
Introduction
As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.
Background Summary
Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.
But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll” files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]
Anyway, here's why… Flash has its own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.
McAfee Labs Blog
Excerpt
From Targeted PDF Attack to Backdoor in Five Stages
Monday September 14, 2009 at 12:33 pm CST
Posted by Dennis Elser
As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.
The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean, the second exploits CVE-2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection.
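The two excerpts above describe the layers a defender has to get through before any of these PDFs can be triaged statically: the Flate compression around the JavaScript, and the script itself (in the Wepawet reports in the posts above, a Collab.getIcon call mapped to CVE-2009-0927). The scanner below is an added example written for this page, not code from the blog, FireEye, McAfee or Wepawet. It inflates every stream, resolves PDF name escapes (so /Ja#76aScript is still recognised as /JavaScript, a common obfuscation of the dictionary keys), searches the document structure and the inflated streams for active-content names and JavaScript indicators, and returns a verdict. The indicator lists, the verdict thresholds, build_sample() and DEMO_JS are constructed for the example; the demo "script" is a harmless stand-in, not exploit code.

```python
import re
import zlib

# Name objects that bring active content into a document. Constructed heuristic
# list for this example; /RichMedia is the embedded-Flash vector described above.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                b"/RichMedia", b"/Launch", b"/EmbeddedFile")
# Strings worth a closer look inside inflated streams: the Collab.getIcon call
# the Wepawet reports above map to CVE-2009-0927, plus heap-spray staples.
JS_INDICATORS = (b"Collab", b"getIcon", b"unescape(", b"eval(")
# Names that on their own justify a "suspicious" verdict (constructed threshold).
SUSPICIOUS_ALONE = {"/JavaScript", "/JS", "/RichMedia", "/Launch"}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data):
    """Resolve PDF name escapes so /Ja#76aScript compares equal to /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(pdf):
    """Return every stream body, inflated when it is Flate (zlib) encoded."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            # decompressobj tolerates a stream whose trailing checksum byte was
            # swallowed by the line-ending handling around 'endstream'.
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not Flate (or damaged): scan the bytes as-is
    return bodies


def triage(pdf):
    """Static first-pass classification of a PDF's bytes."""
    # Search names in the document structure and in inflated streams (object
    # streams can hide whole dictionaries), never in raw compressed bytes.
    structure = STREAM_RE.sub(b"stream\nendstream", pdf)
    text = b"\n".join([normalize_names(structure)]
                      + [normalize_names(s) for s in inflate_streams(pdf)])
    names = [n.decode() for n in ACTIVE_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z])", text)]
    js = sorted(ind.decode() for ind in JS_INDICATORS if ind in text)
    if js or SUSPICIOUS_ALONE.intersection(names):
        verdict = "suspicious"
    elif names:
        verdict = "review"  # auto-action or attachment present, no script seen
    else:
        verdict = "clean"
    return {"names": names, "js": js, "verdict": verdict}


def build_sample(js):
    """Constructed test document (not a real sample): the catalog's /OpenAction
    runs a Flate-compressed JavaScript action whose /S name is written with a
    name escape (/Ja#76aScript) to show why normalization matters."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /Ja#76aScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


CLEAN_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
DEMO_JS = b'var pad = "A"; Collab.getIcon(pad);'  # constructed, harmless stand-in

if __name__ == "__main__":
    print(triage(build_sample(DEMO_JS)))   # suspicious: /JavaScript, Collab, getIcon
    print(triage(CLEAN_SAMPLE))            # clean
```

This is a first-pass filter, not a replacement for Wepawet or a sandbox: encrypted documents, other filters (/LZWDecode, /ASCIIHexDecode), and scripts assembled from several strings at run time will slip past plain string matches, which is why a name-only hit lands in "review" rather than "clean".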
Tuesday, November 10, 2009
Nov.8 PDF attack 國防部人力司招聘「專案研究助理」 from administrators@mnd.gov.tw Sun, Nov 08, 2009 8:13 PM
From: Ministry of National Defense, Manpower Division (國防部人力司) [mailto:administrators@mnd.gov.tw]
Sent: Sunday, November 08, 2009 8:13 PM
To: ouruser@ourdomain
Subject: Ministry of National Defense Manpower Division is recruiting a special research assistant (國防部人力司招聘「專案研究助理」)
As shown in the attachment; please review and approve.
Respectfully, LI Yi-chao, Manpower Division, Ministry of National Defense
Address: No. 172 Po-ai Road, Taipei.
Wepawet Analysis report for 國防部人力司招聘「專案研究助理 .pdf
Sample Overview
File | 國防部人力司招聘「專案研究助理.pdf |
---|---|
MD5 | 35300c972545b9ae6efac2d24fea8b67 |
Analysis Started | 2009-11-10 20:44:08 |
Report Generated | 2009-11-10 20:44:18 |
Jsand version | 1.03.02 |
Detection results
Detector | Result |
---|---|
Jsand 1.03.02 | malicious |
Exploits
Sunday, November 8, 2009
COFEE v112
COFEE - Computer forensics tool
Excerpt
What is COFEE?
COFEE has been designed to provide the investigator the ability to collect evidence from a target system with the minimum of user interaction. After the GUI interface generates a COFEE USB device (copies all scripts and programs), the investigator can take the device and easily insert it onto a target machine, and begin the collection process by executing a single program.
Friday, November 6, 2009
Nov.6 PDF attack. Obama visit Asia from [username]098@gmail.com Nov 6, 2009 8:38:57 AM
- CVE-2009-0927 Stack-based buffer overflow in Adobe via getIcon method of a Collab object, a different vulnerability than CVE-2009-0658 - March 2009.
- CVE-2007-5659 Multiple buffer overflows in Adobe via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
Possible MalWare 'Exploit/Zordle.gen' found in '5963792_3X_PM5_EMS_MA-PDF__Obama=20visit=20Asia.pdf'. Heuristics score: 201
From: "[REMOVED]" [mailto:098@gmail.com]
Sent: Friday, November 6, 2009 8:38:57 AM GMT -05:00 US/Canada Eastern
Subject: Obama's visit to Asia
Dear Colleagues,
With the upcoming Obama's visit to Asia, please find the attached paper for your kind reference.
Should you have any questions, please contact me.
Best regards,
--
signature here [REMOVED]
File Obama_visit_Asia.pdf received on 2009.11.06 18:05:36 (UTC)
Current status: finished
Result: 4/41 (9.76%)
Antivirus | Version | Last Update | Result |
---|---|---|---|
a-squared | 4.5.0.41 | 2009.11.06 | - |
AhnLab-V3 | 5.0.0.2 | 2009.11.06 | - |
AntiVir | 7.9.1.59 | 2009.11.06 | - |
Antiy-AVL | 2.0.3.7 | 2009.11.05 | - |
Authentium | 5.2.0.5 | 2009.11.06 | PDF/Pidief.O |
Avast | 4.8.1351.0 | 2009.11.06 | - |
AVG | 8.5.0.423 | 2009.11.06 | - |
BitDefender | 7.2 | 2009.11.06 | Exploit.PDF-JS.Gen |
CAT-QuickHeal | 10.00 | 2009.11.06 | - |
ClamAV | 0.94.1 | 2009.11.06 | - |
Comodo | 2862 | 2009.11.06 | - |
DrWeb | 5.0.0.12182 | 2009.11.06 | - |
eSafe | 7.0.17.0 | 2009.11.05 | - |
eTrust-Vet | 35.1.7107 | 2009.11.06 | - |
F-Prot | 4.5.1.85 | 2009.11.06 | - |
F-Secure | 9.0.15370.0 | 2009.11.04 | Exploit.PDF-JS.Gen |
Fortinet | 3.120.0.0 | 2009.11.06 | - |
GData | 19 | 2009.11.06 | Exploit.PDF-JS.Gen |
Ikarus | T3.1.1.74.0 | 2009.11.06 | - |
Jiangmin | 11.0.800 | 2009.11.06 | - |
K7AntiVirus | 7.10.890 | 2009.11.06 | - |
Kaspersky | 7.0.0.125 | 2009.11.06 | - |
McAfee | 5793 | 2009.11.05 | - |
McAfee+Artemis | 5794 | 2009.11.06 | - |
McAfee-GW-Edition | 6.8.5 | 2009.11.06 | - |
Microsoft | 1.5202 | 2009.11.06 | - |
NOD32 | 4580 | 2009.11.06 | - |
Norman | 6.03.02 | 2009.11.06 | - |
nProtect | 2009.1.8.0 | 2009.11.06 | - |
Panda | 10.0.2.2 | 2009.11.05 | - |
PCTools | 7.0.3.5 | 2009.11.06 | - |
Prevx | 3.0 | 2009.11.06 | - |
Rising | 21.54.44.00 | 2009.11.06 | - |
Sophos | 4.47.0 | 2009.11.06 | - |
Sunbelt | 3.2.1858.2 | 2009.11.06 | - |
Symantec | 1.4.4.12 | 2009.11.06 | - |
TheHacker | 6.5.0.2.062 | 2009.11.05 | - |
TrendMicro | 9.0.0.1003 | 2009.11.06 | - |
VBA32 | 3.12.10.11 | 2009.11.06 | - |
ViRobot | 2009.11.6.2025 | 2009.11.06 | - |
VirusBuster | 4.6.5.0 | 2009.11.06 | - |
File | Obama visit Asia.pdf |
---|---|
MD5 | 33aa28b079b33c1609f9096ee78e73c8 |
Analysis Started | 2009-11-06 12:10:45 |
Report Generated | 2009-11-06 12:10:53 |
Jsand version | 1.03.02 |
Detection results
Detector | Result |
---|---|
Jsand 1.03.02 | malicious |
Exploits
Name | Description | Reference |
---|---|---|
Adobe Collab overflow | Multiple Adobe Reader and Acrobat buffer overflows | CVE-2007-5659 |
Adobe getIcon | Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object | CVE-2009-0927 |
Monday, November 2, 2009
Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)
Links updated: Jan 18, 2023
Different hash: SecureWorks Opachki Trojan Analysis http://www.secureworks.com/research/threats/opachki
Threatexpert submission details:
Filename(s)
1) %Temp%\nsrbgxod.bak - 0 bytes
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA-1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2) %UserProfile%\protect.dll, %Programs%\Startup\ChkDisk.dll, %System%\autochk.dll, [file and pathname of the sample #1] - 24,064 bytes
MD5: 0x87A2583DE6F6FBB5104E0433E89B1BCF
SHA-1: 6048D36DB2207A1CEA877742C9403A816D711C6D
Mal/UnkPack-Fam [Sophos], TrojanDropper:Win32/Opachki.A [Microsoft], Trojan-Dropper.Win32.Opachki [Ikarus]
3) %Programs%\Startup\ChkDisk.lnk - 655 bytes
MD5: 0x6F61156F14AEED438770D31391E67EC9
SHA-1: 0x277B806CEC1AEDE9F9B934B7DD655D0BBB542597
Read more - Update March 2010
Download. Email me if you need the password
1) SHA-256 6762a2e15913e66b06a0953387bd87b0f9ce22b5939fe1efd46c7120df214d7c
2) MD5 00f2fd5e2c125965c188754f04da576c
SHA-1 63d53f6e1b3f9fb23c88b19f7c6326da45753a5d
SHA-256 a602a3dd91b5aa0e0e68d20efe787e01c9548cb1b11b5032541c2e7d4edb5710
Win32/Opachki.A - Virustotal (all antivirus names for it). The real tragedy is in those:
nsrbgxod.bak created by Opachki http://www.threatexpert.com/report.aspx?md5=87a2583de6f6fbb5104e0433e89b1bcf and nsrbgxod.bak created by Zeus/ZBot http://www.threatexpert.com/report.aspx?md5=00f2fd5e2c125965c188754f04da576c (link lost)
New banking trojan W32.Silon -msjet51.dll
Links updated: Jan 18, 2023
If you have msjet51.dll in system32, you probably have a very dangerous banking trojan on your computer.
https://www.virustotal.com/gui/file/675eb7cf5f115dbb4e9c6dcf83de5700d36d29e0d7bf5218f508b9a3650f73e7
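The ThreatExpert listing in the Opachki post above and the one-line msjet51.dll note for W32.Silon are both lists of host artifacts, with reference hashes for the Opachki files. The script below is an added example, not from the blog, ThreatExpert or any vendor: it expands ThreatExpert-style path variables (%Temp%, %UserProfile%, %Programs%, %System%) against roots you supply, so the same check can run on a live Windows system, a mounted image or the constructed demo tree, hashes whatever it finds and reports whether the hash matches the page's value. default_roots() assumes the standard Windows environment variables; make_demo_tree() is constructed so the script runs anywhere.

```python
import hashlib
import os
import re
import tempfile

# Host artifacts named on this page. Opachki hashes are the ThreatExpert values
# quoted above (lower-cased); msjet51.dll carries no hash on the page, so its
# presence alone is what the W32.Silon note tells you to look for.
OPACHKI_DLL = ("87a2583de6f6fbb5104e0433e89b1bcf",
               "6048d36db2207a1cea877742c9403a816d711c6d")
IOCS = [
    {"path": r"%Temp%\nsrbgxod.bak", "family": "Opachki / Zeus",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"path": r"%UserProfile%\protect.dll", "family": "Opachki",
     "md5": OPACHKI_DLL[0], "sha1": OPACHKI_DLL[1]},
    {"path": r"%Programs%\Startup\ChkDisk.dll", "family": "Opachki",
     "md5": OPACHKI_DLL[0], "sha1": OPACHKI_DLL[1]},
    {"path": r"%System%\autochk.dll", "family": "Opachki",
     "md5": OPACHKI_DLL[0], "sha1": OPACHKI_DLL[1]},
    {"path": r"%Programs%\Startup\ChkDisk.lnk", "family": "Opachki",
     "md5": "6f61156f14aeed438770d31391e67ec9",
     "sha1": "277b806cec1aede9f9b934b7dd655d0bbb542597"},
    {"path": r"%System%\msjet51.dll", "family": "W32.Silon",
     "md5": None, "sha1": None},
]
VAR_RE = re.compile(r"%(\w+)%")


def expand_path(template, roots):
    """Resolve %Var% markers against the supplied roots, native separators."""
    expanded = VAR_RE.sub(lambda m: roots[m.group(1)], template)
    return os.path.normpath(expanded.replace("\\", os.sep))


def hash_file(path):
    """MD5 and SHA-1 of a file, streamed so large files do not load in full."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def scan(roots):
    """Check every IOC path under the given roots; returns one result per IOC."""
    results = []
    for ioc in IOCS:
        path = expand_path(ioc["path"], roots)
        if not os.path.isfile(path):
            status = "absent"
        elif ioc["md5"] is None:
            status = "present"  # no reference hash on the page: name is the cue
        elif hash_file(path) == (ioc["md5"], ioc["sha1"]):
            status = "hash-match"
        else:
            status = "present-hash-mismatch"  # same name, different build
        results.append({"ioc": ioc["path"], "path": path,
                        "family": ioc["family"], "status": status})
    return results


def default_roots():
    """Live Windows roots (assumption: the standard environment variables exist)."""
    return {
        "Temp": os.environ["TEMP"],
        "UserProfile": os.environ["USERPROFILE"],
        "Programs": os.path.join(os.environ["APPDATA"], "Microsoft", "Windows",
                                 "Start Menu", "Programs"),
        "System": os.path.join(os.environ["SystemRoot"], "System32"),
    }


def make_demo_tree():
    """Constructed tree: an empty nsrbgxod.bak (which hashes to the ThreatExpert
    value, as any empty file does) and a dummy msjet51.dll; all roots share it."""
    d = tempfile.mkdtemp(prefix="ioc-demo-")
    open(os.path.join(d, "nsrbgxod.bak"), "wb").close()
    with open(os.path.join(d, "msjet51.dll"), "wb") as fh:
        fh.write(b"not the real file")
    return {"Temp": d, "UserProfile": d, "Programs": d, "System": d}


if __name__ == "__main__":
    for r in scan(make_demo_tree()):
        print(f'{r["status"]:22} {r["family"]:16} {r["path"]}')
```

One caveat the page's own numbers already show: D41D8CD98F00B204E9800998ECF8427E and DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 are the MD5 and SHA-1 of an empty file, so a "hash-match" on nsrbgxod.bak only says an empty file of that name exists, and the post notes both Opachki and Zeus/ZBot create it. Treat that hit as a lead to pivot on (the dropper DLL and the Startup .lnk carry real hashes), not a verdict on its own.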