Tuesday, March 30, 2010

ESET Nod32 detection of CVE-2010-0806

Update, March 30, 2010: ESET quickly corrected the false positive and there should be no more alarms. Please update your AV definitions.

The following links are being detected by ESET Nod32 as JS/Exploit.CVE-2010-0806 trojan. However, I looked at the js files and I do not see the CVE-2010-0806 exploit in them. They seem to be false positives - some sort of ad scripts.

    * hxxp://
    * hxxp://
    * hxxp://

File clixdom.js received on 2010.03.30 15:51:37 (UTC)
Result: 1/42 (2.38%)
NOD32     4985     2010.03.30     JS/Exploit.CVE-2010-0806

Let me know if I am wrong.

Thanks -M

P.S. I just found this related discussion: JS/Exploit.CVE-2010-0806 trojan on Yahoo

Mar 30 CVE-2010-0806 IE 0-day hxxp://
File ie.html received on 2010.03.30 19:36:12 (UTC)
Result: 19/42 (45.24%)
Antivirus     Version     Last Update     Result
a-squared    2010.03.30    Exploit.JS.CVE-2010-0806!IK
Authentium    2010.03.30    JS/Cosmu.A
Avast    4.8.1351.0    2010.03.30    JS:CVE-2010-0806-C
Avast5    5.0.332.0    2010.03.30    JS:CVE-2010-0806-C
AVG    2010.03.29    Exploit
BitDefender    7.2    2010.03.30    Exploit.Cosmu.A
eSafe    2010.03.28    JS.CVE2010-0806
eTrust-Vet    35.2.7396    2010.03.30    JS/Dish!exploit
F-Prot    2010.03.30    JS/Cosmu.A
F-Secure    9.0.15370.0    2010.03.30    Exploit.Cosmu.A
Fortinet    2010.03.30    JS/CVE20100806.B!exploit
GData    19    2010.03.30    Exploit.Cosmu.A
Ikarus    T3.    2010.03.30    Exploit.JS.CVE-2010-0806
Kaspersky    2010.03.30    Exploit.JS.CVE-2010-0806.b
Microsoft    1.5605    2010.03.30    Exploit:JS/CVE-2010-0806
nProtect    2009.1.8.0    2010.03.30    Exploit.Cosmu.A
Sophos    4.52.0    2010.03.30    Troj/ExpJS-R
Sunbelt    6117    2010.03.30    Trojan.JS.BOFExploit (v)
VirusBuster    2010.03.30    JS.BOFExploit.Gen
Additional information
File size: 6494 bytes
MD5...: fcfeb0287f172a2c58f680fcd120ea48

Host info: has one IP number, which is the same as for, but the reverse is and point to the same IP. is delegated to two nameservers, however one delegated nameserver is missing in the zone. Incoming mail for is handled by seven mailservers having a total of 28 IP numbers. Some of them are on the same IP network. is hosted on a server in Korea. It is not listed in any blacklists.
      ISP:    KRNIC
      Organization:    Hanbiro, Inc.
      Country:    Korea, Republic of
      State/Region:    Soul-t'ukpyolsi
      City:    Seoul

Mar 30 CVE-2009-4324 PDF China and Foreign Military Modernization from

Download d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf as a password-protected archive (please contact me if you need the password)

Details d7520d1957d5ef26e068727fac4c4f02 WebMemo.pdf 

From: Dean Cheng []
Sent: 2010-03-30 9:18 AM
Subject: China and Foreign Military Modernization

Dear Folks,

One of the little-noticed actions in the recently concluded session of the Chinese National People’s Congress was the enactment of a National Defense Mobilization Law. In an age when conventional conflicts are planned to conclude in a matter of days or weeks, it is striking that the People’s Republic of China (PRC) should choose to ensure its readiness for a protracted war. Indeed, it suggests that the People’s Liberation Army (PLA) is thinking about future wars in a very different way from their Western counterparts, where full-scale mobilization is rarely discussed at all. Whereas the U.S. and its allies have mostly neglected the prospect of a prolonged high-intensity conflict, the PLA appears intent on preparing for both short- and long-term wars.

The actions of the National People’s Congress have distinct implications for U.S. defense planners, as they portend an opponent who may choose to fight a protracted conflict—but with anti-ship missiles rather than IEDs. And it should also raise questions among foreign investors—how might their facilities and assets be treated in the event of a crisis?

We have drafted a memo in this regard, as attached. Your inputs are highly appreciated.

Best regards,

Dean Cheng
Research Fellow, Asian Studies Cente

File WebMemo.pdf received on 2010.03.30 16:20:37 (UTC)
Result: 8/42 (19.05%)
Avast     4.8.1351.0     2010.03.30     JS:Pdfka-XX
Avast5     5.0.332.0     2010.03.30     JS:Pdfka-XX
BitDefender     7.2     2010.03.30     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.03.30     Exploit.PDF-JS.Gen
GData     19     2010.03.30     Exploit.PDF-JS.Gen
Kaspersky     2010.03.30     Exploit.JS.Pdfka.bvz
Microsoft     1.5605     2010.03.30     Exploit:Win32/Pdfjsc.gen!A
nProtect     2009.1.8.0     2010.03.30     Exploit.PDF-JS.Gen
Additional information
File size: 201777 bytes
MD5   : d7520d1957d5ef26e068727fac4c4f02
Type: PDF Exploit call to media.newPlayer CVE-2009-4324
XOR Key:0x[]



Monday, March 29, 2010

Malware links March 2010

If you are looking for links to download samples, look here: Links and resources for malware samples

  • hxxp://    JS/Exploit.ADODB.Stream.NAP trojan
  • hxxp://    contains PDF/Exploit.Gen trojan.
  • hxxp://    contains a variant of Win32/AdInstaller
  • hxxp://    contains JS/Exploit.Pdfka.BXK trojan.
  • hxxp://    contains Win32/Adware.SpywareProtect2009 application.
  • hxxp:// .asp/oHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd7201l0409K5c3a3a34317    contains JS/Exploit.Pdfka.BXK trojan.
  • hxxp:// .asp/eHbcb9bc6cV0100f070006Rbab08f6d102Tf70a1fd2201l0409K5c3a3a34318J0f0006010    contains Win32/Adware.SpywareProtect2009 application.
  •    JS/TrojanDownloader.Pegel.AA
  • hxxp://    a variant of Win32/AdInstaller
  • hxxp://    a variant of Win32/AdInstaller
  • hxxp://    a variant of Win32/AdInstaller
  • hxxp://    JS/TrojanDownloader.Iframe.NHK trojan
  • hxxp://    JS/TrojanDownloader.Iframe.NHK trojan
  • hxxp://    multiple threats
  • hxxp://    HTML/Iframe.B.Gen virus
  • hxxp:// .asp/oU230d9c2eHbcb9bc6cV0100f070006R8c1977ae102Tf7326dcc201l0409K7959373b317    JS/Exploit.Pdfka.NTY trojan
  • hxxp://    JS/Exploit.Pdfka.NUI trojan
  • hxxp://    JS/Exploit.Pdfka.NUI trojan
  • hxxp://    a variant of Win32/Kryptik.DHM trojan
  • hxxp://    JS/Exploit.Pdfka.NUI trojan
  • hxxp://    JS/Exploit.Pdfka.NUI trojan
  • hxxp://    PDF/Exploit.Pidief.OJS.Gen trojan
  • hxxp://    a variant of Win32/Adware.HotBar.E application
  • hxxp://    JS/Exploit.Pdfka.NUI trojan
  • hxxp://    multiple threats
  • hxxp://    JS/Exploit.Pdfka.BQP trojan
  • hxxp://    JS/TrojanDownloader.Agent.NTN trojan
  • hxxp://    JS/TrojanDownloader.Agent.NRN trojan
  • hxxp://    HTML/ScrInject.B.Gen virus
  • hxxp://    a variant of Win32/Kryptik.DFC trojan
  • hxxp://    JS/Exploit.Agent.NBA trojan

Sunday, March 28, 2010

Mar 28 CVE-2010-0806 IE 0-day U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered from

Malicious link hxxp://

Here is one more piece of news from the same source as earlier today. Maybe they hope we abandon BBC World News and switch to their agency.

From: Richard Mark []
Sent: Sunday, March 28, 2010 11:17 PM
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered


In Korea, Divide and be Conquered

Brookings Senior Fellow Michael O'Hanlon argues that, for a number of practical
reasons, 2012 may prove too soon to transfer wartime operational control of
South Korean forces to Korean command. O'Hanlon writes that if there is a
need to evaluate the 2012 plan afresh, that should happen without apology,
without undue haste and without any predetermined conclusion.

Read More

Header info
Received: from [] by via HTTP;
 Sun, 28 Mar 2010 20:17:26 PDT
X-Mailer: YahooMailRC/324.3 YahooMailWebService/
Date: Sun, 28 Mar 2010 20:17:26 -0700
From: Richard Mark
Subject: U.S.-ROK ALLIANCE... In Korea, Divide and be Conquered

Sender IP info
      Hostname:
      ISP:    China Unicom Beijing Province Network
      Organization:    China Unicom Beijing Province Network
      Proxy:    Suspected network sharing device.
      Country:    China
      State/Region:    Beijing
      City:    Beijing

The exploit and all other details are the same as in this post from earlier today.

Saturday, March 27, 2010

Mar 27 CVE-2010-0806 IE 0-day Dozens missing after ship sinks near North Korea from

Malicious link hxxp:// (still active on March 27, 2010) - Internet Explorer zero-day exploit

Download 043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password-protected archive (please contact me if you need the password)

Details on the link and files

    From: Kevin Bohn []
    Sent: Saturday, March 27, 2010 7:35 AM
    Subject: Dozens missing after ship sinks near North Korea

    Dozens missing after ship sinks near North Korea
    a navy ship sank in tense Yellow Sea waters off the coast of North Korea.

    Detail Story
    Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.

    Received: from SNT112-W16 ([]) by
     with Microsoft SMTPSVC(6.0.3790.3959);     Sat, 27 Mar 2010 04:34:39 -0700
    Content-Type: multipart/alternative;
    X-Originating-IP: []
    From: Kevin Bohn
    Sender IP info
          ISP:    China Unicom Beijing Province Network
          Organization:    China Unicom Beijing Province Network
          Proxy:    Suspected network sharing device.
          Country:    China
          State/Region:    Beijing
          City:    Beijing

    Site host info from hxxp:// 
    Organization: PIRADIUS NET
    Country: Malaysia
    State/Region: Johor
    City: Johor Bahru
    Exploit info
    Please see Trancer's post for more details about the exploit, and the explanation by Praetorian Prefect.

    Tested on Windows XP SP2, Internet Explorer 7

    The following files were created:

    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm
    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\NRUWTV44\winint32.exe
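As an added, defender-side example that is not part of this post: a small Python sweep that walks a directory tree (for instance the Temporary Internet Files cache quoted above) and reports files whose MD5 and size match the samples listed on this page, or whose file name matches the two dropped files. The IOC table is copied from the hashes and sizes given on this page; the demo directory, its contents, and the helper names (`sweep`, `build_demo_tree`, `md5_of`) are constructed for this example and are not from the post or from any tool it mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IOC table built from the MD5s and file sizes reported on this page.
# md5 -> (size in bytes, label).  The size acts as a cheap pre-filter so that
# only files whose length matches a known sample are hashed.
PAGE_IOCS = {
    "043d308bfda76e35122567cf933e1b2a": (357344, "winint32.exe (CVE-2010-0806 payload)"),
    "fcfeb0287f172a2c58f680fcd120ea48": (6494, "ie.html (CVE-2010-0806)"),
    "d7520d1957d5ef26e068727fac4c4f02": (201777, "WebMemo.pdf (CVE-2009-4324)"),
    "c9c89ebc508c783defe7042eb9c0e5cc": (76137, "conference memo.PDF (CVE-2010-0188)"),
    "7d5b0b8274e189d406cc3374f994e441": (109184, "2010_.xls (CVE-2008-0081)"),
}

# Names of the files reported above as dropped into the IE cache.  A name hit
# is a weaker signal than a hash hit, so the sweep reports them separately.
DROPPED_NAMES = {"winint32.exe", "test.htm"}


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=PAGE_IOCS, names=DROPPED_NAMES):
    """Walk `root` and return a list of (path, kind, detail) findings, where
    kind is "hash" for an MD5+size match and "name" for a file-name match."""
    sizes = {size for size, _label in iocs.values()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                size = p.stat().st_size
            except OSError:
                continue  # unreadable or vanished: skip it, do not abort the sweep
            if size in sizes:
                digest = md5_of(p)
                if digest in iocs:
                    findings.append((str(p), "hash", iocs[digest][1]))
                    continue
            if name.lower() in names:
                findings.append((str(p), "name", name))
    return findings


def build_demo_tree():
    """Constructed, throw-away directory mimicking the Content.IE5 cache layout
    quoted above: one benign file plus a harmless stand-in named winint32.exe.
    Returns (root, md5 of the stand-in, its size) so a caller can register the
    stand-in as an IOC and observe a hash hit."""
    root = tempfile.mkdtemp(prefix="ie_cache_demo_")
    sub = Path(root) / "Content.IE5" / "NRUWTV44"
    sub.mkdir(parents=True)
    (sub / "notes.txt").write_bytes(b"constructed benign content")
    payload = b"constructed stand-in for the dropped executable"
    (sub / "winint32.exe").write_bytes(payload)
    return root, hashlib.md5(payload).hexdigest(), len(payload)


if __name__ == "__main__":
    root, digest, size = build_demo_tree()
    # With the page's IOCs alone only the file name matches ...
    for hit in sweep(root):
        print("page IOCs:", hit)
    # ... registering the stand-in's hash turns it into a hash match.
    iocs = dict(PAGE_IOCS, **{digest: (size, "constructed sample")})
    for hit in sweep(root, iocs):
        print("with stand-in:", hit)
```

Hashing only files whose size matches a known sample keeps the sweep cheap on a large cache directory, and reporting name-only hits separately from hash hits reflects their different evidential weight: the dropper could be renamed, and a benign file could happen to share a name.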

    File test.htm received on 2010.03.27 21:26:17 (UTC)
    Result: 3/42 (7.14%)
    AVG     2010.03.27     Script/Exploit
    Microsoft     1.5605     2010.03.27     Exploit:JS/CVE-2010-0806
    Sunbelt     6101     2010.03.26     Trojan.JS.BOFExploit (v)

    File winint32.exe received on 2010.03.27 21:29:06 (UTC)
    Result: 3/42 (7.15%)
    Microsoft    1.5605    2010.03.27    Trojan:Win32/Tapaoux.A
    Panda    2010.03.27    Suspicious file
    Symantec    20091.2.0.41    2010.03.27    Suspicious.Insight
    File size: 357344 bytes
    MD5...: 043d308bfda76e35122567cf933e1b2a

    Anubis Report

Thursday, March 25, 2010

Mar 25 CVE-2010-0188 PDF Re: conference memo from

Download c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password-protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF
This is a fake conversation; it is a semi-interesting social engineering trick.
From: Lee []
Sent: Thursday, March 25, 2010 11:11 PM
Subject: Re: conference memo

Who are you? What do you mean? This conference memo has nothing to do with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:
Hey, this is the last conference memo. After reading it, pls send it to Mr Francis, and delete this mail ASAP.

Virustotal report
File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
Result: 4/42 (9.53%)
F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
PCTools    2010.03.28    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
File size: 76137 bytes
MD5...: c9c89ebc508c783defe7042eb9c0e5cc

parsed with  
Wednesday, March 24, 2010

Mar 24 CVE-2008-0081 XLS 2010_ beauty calendar from

Download 7d5b0b8274e189d406cc3374f994e441 - 2010_.xls as a password-protected archive (please contact me if you need the password)

2010_ beauty calendar

From: bruce Mr. []
Sent: Wednesday, March 24, 2010 4:44 AM
To: XXXXX
Subject: 2010_美女月曆
Importance: Low

Received: from [] by with NNFMP; 24 Mar 2010 08:44:02 -0000
Received: from [] by with NNFMP; 24 Mar 2010 08:43:51 -0000
X-Yahoo-Newman-Property: ymail-3

      ISP:    TAIPEI, TAIWAN
      Organization:    TAIPEI, TAIWAN
      Country:    Taiwan
      State/Region:    T'ai-pei
      City:    Taipei

File 2010_.xls received on 2010.03.24 21:01:09 (UTC)
Result: 12/42 (28.58%)
a-squared    2010.03.24    Exploit.MSExcel.Agent!IK
Antiy-AVL    2010.03.24    Exploit/MSExcel.Agent
Authentium    2010.03.24    MSExcel/Dropper.B!Camelot
Comodo    4372    2010.03.24    UnclassifiedMalware
F-Prot    2010.03.24    File is damaged
Fortinet    2010.03.24    MSExcel/UDDesc.A!exploit.M20080081
Ikarus    T3.    2010.03.24    Exploit.MSExcel.Agent
Kaspersky    2010.03.24    Exploit.MSExcel.Agent.u
McAfee    5930    2010.03.24    Exploit-MSExcel.h
McAfee+Artemis    5930    2010.03.24    Exploit-MSExcel.h
McAfee-GW-Edition    6.8.5    2010.03.24    Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
File size: 109184 bytes
MD5...: 7d5b0b8274e189d406cc3374f994e441