Malicious link
hxxp://spot-news.com/test/test.html (still active on March 27, 2010) - Internet Explorer zero-day exploit
Download
043d308bfda76e35122567cf933e1b2a winint32.exe and test.htm as a password-protected archive (please contact me if you need the password)
Details on the link and files
From: Kevin Bohn [mailto:kevin.bohn33@hotmail.com]
Sent: Saturday, March 27, 2010 7:35 AM
To: XXXXXXXXXXX
Subject: Dozens missing after ship sinks near North Korea
Dozens missing after ship sinks near North Korea
a navy ship sank in tense Yellow Sea waters off the coast of North Korea.
Detail Story http://www.mofat.go.kr/press/breifing
_______________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. Sign up now.
Headers
Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
with Microsoft SMTPSVC(6.0.3790.3959); Sat, 27 Mar 2010 04:34:39 -0700
Message-ID:
Return-Path: kevin.bohn33@hotmail.com
Content-Type: multipart/alternative;
boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn
Sender IP info
Hostname: 123.125.156.151
ISP: China Unicom Beijing Province Network
Organization: China Unicom Beijing Province Network
Proxy: Suspected network sharing device.
Country: China
State/Region: Beijing
City: Beijing
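The header block above is where the sender attribution comes from: the message passed through a Hotmail relay (65.55.90.199), but Hotmail's X-Originating-IP header records the address the webmail user actually connected from (123.125.156.151), which is what the geolocation lookup was run against. The script below is an added example, not part of the original post, that pulls those facts out of a raw header block. The sample message is constructed from the header values shown on this page (the empty Message-ID is reproduced as it appears); the list of webmail domains whose X-Originating-IP header carries the client address is an assumption.

```python
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumption: webmail providers whose X-Originating-IP header records the
# submitting user's own client address rather than a mail relay.
WEBMAIL_DOMAINS = {"hotmail.com", "live.com", "msn.com"}

# Constructed sample: the header block reproduced from the post above.
SAMPLE_HEADERS = """\
Received: from SNT112-W16 ([65.55.90.199]) by snt0-omc4-s20.snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Sat, 27 Mar 2010 04:34:39 -0700
Message-ID:
Return-Path: kevin.bohn33@hotmail.com
Content-Type: multipart/alternative;
 boundary="_2fd4e512-5e88-49c3-96eb-4fc20039c8d1_"
X-Originating-IP: [123.125.156.151]
From: Kevin Bohn
Subject: Dozens missing after ship sinks near North Korea

"""


def triage(raw_message: str) -> dict:
    """Return the routing facts an analyst pulls from a spearphish header block."""
    msg = message_from_string(raw_message)

    # Received: headers are folded over several lines; unfold before matching.
    relay_ips = []
    for hop in msg.get_all("Received") or []:
        relay_ips.extend(IPV4.findall(" ".join(hop.split())))

    originating = IPV4.findall(msg.get("X-Originating-IP", ""))
    originating_ip = originating[0] if originating else None

    sender = (msg.get("Return-Path") or "").strip("<> ")
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    webmail = sender_domain in WEBMAIL_DOMAINS

    flags = []
    if originating_ip and webmail:
        # For webmail, X-Originating-IP is the submitter's address, so it is
        # the value to geolocate rather than the provider's relay.
        flags.append("webmail-client-ip")
    if originating_ip and relay_ips and originating_ip not in relay_ips:
        flags.append("origin-differs-from-relay")
    if not (msg.get("Message-ID") or "").strip():
        # Normal MTAs always add a Message-ID; an empty one is worth noting.
        flags.append("missing-message-id")

    return {
        "relay_ips": relay_ips,
        "originating_ip": originating_ip,
        "sender_domain": sender_domain,
        "webmail": webmail,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The originating address is what gets fed to the IP-ownership lookup; the relay address only tells you which provider accepted the message.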
Site host info from robtex.com
hxxp://spot-news.com/test/test.html
124.217.255.232
Hostname: 124.217.255.232
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru
Exploit info
Please see Trancer's post with more details about the exploit and the explanation by Praetorian Prefect.
hxxp://spot-news.com/test/test.html
Tested on Windows XP SP2 with Internet Explorer 7
The following files were created:
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\J742EA2Y\test.htm
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5\NRUWTV44\winint32.exe
VirusTotal
test.htm
File test.htm received on 2010.03.27 21:26:17 (UTC)
Result: 3/42 (7.14%)
AVG 9.0.0.787 2010.03.27 Script/Exploit
Microsoft 1.5605 2010.03.27 Exploit:JS/CVE-2010-0806
Sunbelt 6101 2010.03.26 Trojan.JS.BOFExploit (v)
winint32.exe
File winint32.exe received on 2010.03.27 21:29:06 (UTC)
Result: 3/42 (7.15%)
Microsoft 1.5605 2010.03.27 Trojan:Win32/Tapaoux.A
Panda 10.0.2.2 2010.03.27 Suspicious file
Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight
File size: 357344 bytes
MD5...: 043d308bfda76e35122567cf933e1b2a
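With only 3 of 42 engines detecting the dropped binary, the file name and MD5 listed above are the practical indicators for checking other machines. The script below is an added example, not part of the original post: it sweeps a directory tree (by default the Windows XP IE cache path given above, which is an assumption about where to look) and reports any file whose name or MD5 matches the post's indicators. The demo function builds a constructed sample file in a temporary directory so the sweep can be exercised offline; the sample's hash is computed on the spot and is not the real sample's hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: the dropped binary's file name and MD5.
IOC_NAMES = {"winint32.exe"}
IOC_MD5 = {"043d308bfda76e35122567cf933e1b2a"}

# Assumption: the IE cache root on Windows XP as given in the post; pass any
# other directory (e.g. a mounted image) to sweep() instead.
DEFAULT_ROOT = os.path.expandvars(
    r"%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5"
)


def md5_of(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large cache entries do not need to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root=DEFAULT_ROOT, ioc_md5=IOC_MD5, ioc_names=IOC_NAMES) -> list:
    """Walk root recursively; return (path, reasons) for each file matching an indicator.

    reasons is a list drawn from "name" (file name matched) and "md5" (hash matched),
    so a renamed copy of the binary is still caught by its hash.
    """
    root = Path(root)
    if not root.is_dir():
        return []
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in ioc_names:
            reasons.append("name")
        if md5_of(path) in ioc_md5:
            reasons.append("md5")
        if reasons:
            hits.append((str(path), reasons))
    return hits


def demo() -> list:
    """Run the sweep over a constructed cache directory; return the reasons of the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "NRUWTV44" / "winint32.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed sample, not the real binary")
        (Path(tmp) / "index.dat").write_bytes(b"benign cache index")
        # The constructed file's own hash stands in for the real IoC here.
        constructed_md5 = hashlib.md5(sample.read_bytes()).hexdigest()
        hits = sweep(tmp, ioc_md5={constructed_md5})
        return [reasons for _, reasons in hits]


if __name__ == "__main__":
    print(demo())
    for path, reasons in sweep():
        print(f"HIT {path} ({', '.join(reasons)})")
```

When the real indicator set is used, only a file with exactly this MD5 is reported as an "md5" hit; a name-only hit points at a file worth submitting for analysis rather than a confirmed match.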
Anubis Report