 Link updated: Jan 18, 2023
Update January 24, 2010  Abhishek Lyall provided the following information about the file:
"The exploit works on Office 2003. Tested on XP SP2-3. The exe is embedded at OFFSET=0x4c00 with key 0x25. The Word document attached is at offset 0x7400 with key 0x25. The shellcode in the exploit drops a binary with name "svchost.exe" and a doc file in %temp% folder. The shellcode in the xls decodes the exe and drops it. The binary and Doc are XOR'ed with key 0x25 except bytes 0x25, 0x00, 0xFF and 0xDA."
to be continued..
Virustotal
https://www.virustotal.com/gui/file/36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
File Final File of F4 UN.doc received on 2009.10.22 18:31:54 (UTC)
Result: 4/41 (9.76%)
Antivirus    Version       Last Update   Result
a-squared    4.5.0.41      2009.10.22    Exploit.MSWord.Agent!IK
Antiy-AVL    2.0.3.7       2009.10.22    Exploit/MSWord.Agent
Ikarus       T3.1.1.72.0   2009.10.22    Exploit.MSWord.Agent
Kaspersky    7.0.0.125     2009.10.22    Exploit.MSWord.Agent.ac
File size: 1440768 bytes
MD5 : 76af62049aa95ba30214cabb5baf1342
SHA1 : 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
I don't know why a-squared stopped detecting it. One month later detection is still very low.
File Final_File_of_F4_UN.doc received on 2009.12.21 05:45:17 (UTC)
Result: 3/41 (7.32%)
Antiy-AVL    2.0.3.7       2009.12.18    Exploit/MSWord.Agent
Authentium   5.2.0.5       2009.12.02    MSWord/Dropper.B!Camelot
Kaspersky    7.0.0.125     2009.12.21    Exploit.MSWord.Agent.ac
Additional information
File size: 1440768 bytes
MD5...: 76af62049aa95ba30214cabb5baf1342
SHA1..: 0ddff5948e3bf612eecbe7fc5bdd746939eb50c5
SHA256: 36b8f38a18856e5d5484ee5ef933706cb8372047470c63d6017d638448716dac
to be continued..
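The encoding described in Abhishek Lyall's note can be undone statically, without opening the document. The following Python decoder is an added example, not code from the original post or from Lyall: the key, exempt bytes and offsets come from the note, while the function names, the assumption that the exe region ends where the doc begins, and the constructed stand-in container are assumptions of this example.

```python
# Added example: static decoder for the selective XOR described in the note.
# KEY, EXEMPT and the two offsets come from the note; everything else is assumed.
KEY = 0x25
EXEMPT = frozenset({0x25, 0x00, 0xFF, 0xDA})
EXE_OFFSET = 0x4C00
DOC_OFFSET = 0x7400
MAGIC = {"exe": b"MZ", "ole": bytes.fromhex("d0cf11e0a1b11ae1")}

# EXEMPT is closed under XOR with KEY (0x00<->0x25, 0xFF<->0xDA), so one
# table both encodes and decodes: exempt bytes pass through, the rest flip.
TABLE = bytes(b if b in EXEMPT else b ^ KEY for b in range(256))


def xor_skip(data):
    """Apply the selective XOR (its own inverse)."""
    return bytes(data).translate(TABLE)


def naive_xor(data):
    """Plain single-byte XOR, shown only for contrast."""
    return bytes(b ^ KEY for b in data)


def carve(container, start, end=None):
    """Decode container[start:end] and name the file type by magic bytes."""
    decoded = xor_skip(container[start:end])
    kind = next((k for k, m in MAGIC.items() if decoded.startswith(m)), "unknown")
    return kind, decoded


def build_sample():
    """Constructed stand-in container: header-like bytes only, no real payload."""
    exe = b"MZ\x90\x00\x03\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16 + b"\x25\xda"
    doc = MAGIC["ole"] + b"\x00" * 16 + b"\xfe\xff"
    blob = bytearray(DOC_OFFSET + 0x200)
    blob[EXE_OFFSET:EXE_OFFSET + len(exe)] = xor_skip(exe)
    blob[DOC_OFFSET:DOC_OFFSET + len(doc)] = xor_skip(doc)
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    # Assumption: the exe region ends where the embedded doc begins.
    for start, end in ((EXE_OFFSET, DOC_OFFSET), (DOC_OFFSET, None)):
        kind, decoded = carve(sample, start, end)
        print(hex(start), kind, decoded[:12].hex())
        print("  naive XOR:", naive_xor(sample[start:end])[:12].hex())
```

Because the exempt set leaves 0x00 and 0xFF runs untouched, padding in the encoded regions does not show up as repeated 0x25 bytes, and a plain single-byte XOR over the region recovers the magic bytes but corrupts every exempt byte.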
 