Details D05E0400B62687B5796C5D1B5CCDF6EE -- 20100214陸委楔@週活動一覽表(新增).doc
Update March 3, 2010: Abhishek Lyall (thank you!) provided additional details for this sample:
"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13, but only the first 564 bytes of the binary file are XOR'ed; the rest of the file is the same. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with the exploit, which starts at offset 0xC010. The size of the file is 45056 bytes. Note that doc headers start with "0xD0CF11E0", but the doc file attached with the exploit has headers starting with "0xCFD0E011". This means that when the doc file is dropped in %temp%, the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."
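The layout Abhishek describes is enough to carve both payloads without running the exploit. As a sanity check on the numbers already on this page: 0x63A0 + 23,664 (the WinHttp.exe size) = 0xC010, and 0xC010 + 45,056 (the decoy size) = 94,224, the file size reported below, so the EXE fills exactly the gap between the two offsets. The script that follows is an added example, not tooling from this post or from Abhishek Lyall. It assumes the 32-bit key is applied little-endian (as a `xor dword` in shellcode would lay it down), falls back to the other byte order if that does not yield an MZ header, and, when no path is given, runs on a constructed container of the same layout rather than the real sample.

```python
# Carve the two embedded payloads out of the malicious .doc using the layout
# from the write-up above (XOR-encoded EXE at 0x63A0, decoy .doc at 0xC010).
# Added example, not the original poster's or Abhishek Lyall's tooling.
import sys

EXE_OFFSET = 0x63A0          # start of the XOR-encoded WinHttp.exe
DOC_OFFSET = 0xC010          # start of the decoy document (EXE_OFFSET + 23664)
DOC_SIZE = 45056             # size of the decoy document
XOR_LEN = 564                # only the first 564 bytes (141 dwords) are encoded
XOR_KEY = 0xB9FEAC13
OLE_MAGIC = b"\xD0\xCF\x11\xE0"      # normal compound-document signature
SWAPPED_MAGIC = b"\xCF\xD0\xE0\x11"  # how it is stored inside the exploit file


def xor_dwords(buf, key, nbytes, byteorder):
    """XOR the first nbytes of buf with key applied as repeating 32-bit words.

    byteorder is an assumption: a `xor dword [ptr], imm32` in the shellcode
    lays the key down little-endian (13 AC FE B9), but the page does not say.
    """
    keybytes = key.to_bytes(4, byteorder)
    head = bytes(b ^ keybytes[i % 4] for i, b in enumerate(buf[:nbytes]))
    return head + buf[nbytes:]


def unswap_ole_header(doc):
    """Undo the pairwise byte swap (CF D0 E0 11 -> D0 CF 11 E0) on the decoy."""
    if doc[:4] != SWAPPED_MAGIC:
        raise ValueError("decoy does not start with the swapped OLE2 magic")
    return bytes([doc[1], doc[0], doc[3], doc[2]]) + doc[4:]


def carve(blob):
    """Return the decoded EXE, the repaired decoy .doc and the key byte order used."""
    if len(blob) < DOC_OFFSET + DOC_SIZE:
        raise ValueError("file is shorter than the documented layout")
    encoded_exe = blob[EXE_OFFSET:DOC_OFFSET]      # 23664 bytes in the real sample
    for order in ("little", "big"):
        exe = xor_dwords(encoded_exe, XOR_KEY, XOR_LEN, order)
        if exe[:2] == b"MZ":          # the decode is only right if a PE header appears
            break
    else:
        raise ValueError("neither key byte order produced an MZ header")
    doc = unswap_ole_header(blob[DOC_OFFSET:DOC_OFFSET + DOC_SIZE])
    return {"exe": exe, "doc": doc, "key_byteorder": order}


def build_synthetic_sample():
    """Constructed stand-in with the same layout and size (94224 bytes) as the real file.

    Exists only so the example runs offline; it is not the malware sample.
    """
    fake_exe = b"MZ" + bytes((i * 7) & 0xFF for i in range(23664 - 2))
    encoded_exe = xor_dwords(fake_exe, XOR_KEY, XOR_LEN, "little")  # XOR is its own inverse
    fake_doc = SWAPPED_MAGIC + b"\x00" * (DOC_SIZE - 4)
    exploit_part = b"\x00" * EXE_OFFSET      # stands in for the exploit document + shellcode
    return exploit_part + encoded_exe + fake_doc


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_sample()
    parts = carve(data)
    print("XOR key byte order:", parts["key_byteorder"])
    with open("WinHttp.exe.carved", "wb") as f:
        f.write(parts["exe"])
    with open("original.doc.carved", "wb") as f:
        f.write(parts["doc"])
    print("wrote", len(parts["exe"]), "byte EXE and", len(parts["doc"]), "byte decoy")
```

Run it as `python carve.py <sample.doc>` against the real file and compare the MD5 of the two carved outputs with the hashes listed under "Analysis of the binary"; if the EXE hash does not match, the key byte order assumption is the first thing to revisit.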
Analysis of the binary
Trojan.Buzus.U
- http://virusscan.jotti.org/en/scanresult/a66179d31dcc53e4fd30a6f50264e967198417f6
- http://www.threatexpert.com/report.aspx?md5=096239f5cf4e1255634f3f2e7de8824e
096239F5CF4E1255634F3F2E7DE8824E - WinHttp.exe 23,664 bytes
1796E908A782FBB445C96D88F4B84D9D original.doc 45056 bytes
as a password-protected archive (please contact me if you need the password)
From: macnews [mailto:macnews@mac.gov.tw]
Sent: Saturday, February 20, 2010 10:49 PM
To: XXXXXXXXXXXXXX
Subject: 陸委會一週行程一覽表 (MAC weekly itinerary list)
Hello!
The attached file is the Mainland Affairs Council weekly itinerary list (with Chairman Lai's 2/17 itinerary added), provided as press reference material for your reference!
Sincerely, Executive Yuan Mainland Affairs Council Liaison Office
Headers
Received: from CC-8575FC5050CF (61-221-98-169.HINET-IP.hinet.net [61.221.98.169])
by msr29.hinet.net (8.9.3/8.9.3) with SMTP id LAA27251
for XXXXXXXXXXXXX Sun, 21 Feb 2010 11:50:19 +0800 (CST)
Reply-To: macnews@mac.gov.tw
From: "macnews"
To: XXXXXXXXXXXXXXXXXXXXXXXX
Subject: =?BIG5?B?s7CpZbd8pEC2Z6bmtXukQMT9qu0=?=
Date: Sun, 21 Feb 2010 11:48:35 +0800
Message-Id:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_10022111450473483032267_000"
X-Priority: 3
X-Mailer: OutLook 6.1.1.0
61.221.98.169
HiNet Chunghwa Telecom Co., Ltd. Data Communication Business Group (HiNet)
inetnum: 61.221.98.160 - 61.221.98.175
netname: CHANGHUA-SOCIEPT-NT-TW
descr: International Changhua Society Educate Nantou Society Educate Workstation
descr: Nantou City County Taiwan
country: TW
admin-c: GRC2-TW
tech-c: GRC2-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: network-adm@hinet.net 20011002
status: ASSIGNED NON-PORTABLE
source: TWNIC
Result: 11/41 (26.83%)
a-squared 4.5.0.50 2010.02.23 Trojan-Dropper.MSWord.Agent!IK
Authentium 5.2.0.5 2010.02.23 MSWord/Dropper.B!Camelot
BitDefender 7.2 2010.02.23 Exploit.MSWord.Ginwui.Gen
eTrust-Vet 35.2.7321 2010.02.23 W97M/MS03-050!exploit
F-Prot 4.5.1.85 2010.02.22 CVE-2006-2492
F-Secure 9.0.15370.0 2010.02.23 Exploit.MSWord.Ginwui.Gen
GData 19 2010.02.23 Exploit.MSWord.Ginwui.Gen
Ikarus T3.1.1.80.0 2010.02.23 Trojan-Dropper.MSWord.Agent
Kaspersky 7.0.0.125 2010.02.23 Trojan-Dropper.MSWord.Agent.es
nProtect 2009.1.8.0 2010.02.23 Exploit.MSWord.Ginwui.Gen
Rising 22.34.01.03 2010.02.11 Hack.Exploit.Win32.Agent.piq
File size: 94224 bytes
MD5...: d05e0400b62687b5796c5d1b5ccdf6ee
Vicheck
Shellcode detected at 10240 479 bytes
Embedded Executable: LoadLibraryA [31932]
Embedded Executable: GetModuleHandleA [31948]
Embedded Executable: GetProcAddress [31900]
Embedded Executable: user32.dll [32076]
Embedded Executable: KERNEL32 [32036]
Embedded Executable: ExitProcess [31918]
Metadata
Processing "/home/vicheck/viruses/d05e0400b62687b5796c5d1b5ccdf6ee.virus":
# Microsoft Office Word document (MSWordDoc, 31.10.2007 01:18:10, rev 18)
Title: (unreadable)
Author: 11 (former: test[unreadable])
Organization: ss
Application: Microsoft Office Word
Template: Normal.dot
Created: 25.1.2006 08:30:00
Last saved: 31.10.2007 01:18:00