
Thursday, March 25, 2010

Mar 25 CVE-2010-0188 PDF Re: conference memo from jesseandy2@gmail.com


Download  c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF and all files below as a password protected archive (please contact me if you need the password)

Details c9c89ebc508c783defe7042eb9c0e5cc conference memo.PDF 

This is a fake conversation - a semi-interesting social engineering trick: the "reply" is meant to make the forwarded memo look like something already in circulation.
 
From: Lee [mailto:jesseandy2@gmail.com]
Sent: Thursday, March 25, 2010 11:11 PM
To: XXXXXXXXXXXXXX
Subject: Re: conference memo

Who are you? What do you mean? This conference memo is nothing with me.

On Thu, Mar 25, 2010 at 4:46 PM,  wrote:
 
Hey, this is the last conference memo. After reading it, pls send it to Mr Francis, and delete this mail ASAP.

Lee


Virustotal report
http://www.virustotal.com/analisis/49cefe07c61ddce14b2eea7c64a5bc2a97e29e0bbdd0cd52832a1dff0369a523-1269796247
 File conference_memo.PDF received on 2010.03.28 17:10:47 (UTC)
Result: 4/42 (9.53%)
F-Secure    9.0.15370.0    2010.03.28    Exploit:W32/Pidief.CNF
PCTools    7.0.3.5    2010.03.28    HeurEngine.Pdexe
Sophos    4.52.0    2010.03.28    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.03.28    Trojan.Pidief.I
File size: 76137 bytes
MD5...: c9c89ebc508c783defe7042eb9c0e5cc

parsed with pdf-parser.py  
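CVE-2010-0188 is a libtiff bug in Adobe Reader that is reached through a TIFF image carried inside an XFA form in the PDF, which is why a parser pass is the first thing to do with a sample like this one. The script below is an added example, not the author's pdf-parser.py output and not derived from the conference memo.PDF: it walks the objects of a PDF, inflates FlateDecode streams, lists the usual trigger names (/JavaScript, /OpenAction, /XFA, ...) and reports any stream whose decoded content holds a base64-encoded TIFF. The sample PDF it runs on is constructed in build_sample_pdf() (the TIFF is only a header, not an exploit), and the object numbers and field names in it are made up.

```python
"""Static triage of a PDF for the CVE-2010-0188 delivery pattern.

Added example; the PDF built here is a constructed stand-in for the
malicious sample and carries only a TIFF header, not a working exploit.
"""
import base64
import binascii
import re
import zlib

# Names whose presence in a small "memo" PDF deserves a second look.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/XFA", b"/EmbeddedFile")

# "N G obj ... endobj"; good enough for unencrypted, non-object-stream PDFs.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Any long run of base64 alphabet; XFA forms carry images this way.
B64_RE = re.compile(rb"[A-Za-z0-9+/=\s]{64,}")


def inflate(data):
    """FlateDecode a stream, tolerating truncated or trailing garbage."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""


def looks_like_tiff(blob):
    """TIFF magic: little-endian 'II*\\0' or big-endian 'MM\\0*'."""
    return blob[:4] in (b"II*\x00", b"MM\x00*")


def find_base64_tiff(payload):
    """True if any base64 run in payload decodes to a TIFF header."""
    for run in B64_RE.findall(payload):
        try:
            raw = base64.b64decode(re.sub(rb"\s", b"", run), validate=True)
        except binascii.Error:
            continue
        if looks_like_tiff(raw):
            return True
    return False


def scan_pdf(pdf):
    """Return {object number: [findings]} for every suspicious object."""
    findings = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        dict_part = body.split(b"stream", 1)[0]  # keep names out of binary
        hits = [n.decode() for n in SUSPICIOUS_NAMES if n in dict_part]
        sm = STREAM_RE.search(body)
        if sm:
            payload = sm.group(1)
            if b"/FlateDecode" in dict_part:
                payload = inflate(payload)
            if find_base64_tiff(payload):
                hits.append("base64 TIFF inside stream (CVE-2010-0188 delivery pattern)")
        if hits:
            findings[num] = hits
    return findings


def build_sample_pdf():
    """Constructed sample: catalog -> AcroForm -> compressed XFA stream whose
    <image> element holds a base64 TIFF header. Not the post's PDF."""
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 56  # header only
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform>'
           b'<field name="ImageField1"><ui><imageEdit/></ui><value>'
           b'<image contentType="image/tif">' + base64.b64encode(tiff) +
           b'</image></value></field></subform></template></xdp:xdp>')
    stream = zlib.compress(xfa)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Fields [] /XFA 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length " + str(len(stream)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.6\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, hits in sorted(scan_pdf(build_sample_pdf()).items()):
        print(f"obj {num}: {', '.join(hits)}")
```

Run it against a real sample by replacing build_sample_pdf() with the file's bytes. Objects packed into object streams (/ObjStm) or an encrypted document will not be walked by this regex approach; pdf-parser.py handles those, which is the point of using it on the original.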








Tested on Windows XP SP2, Adobe Reader 9.3.0


The following files were created:
%Temp%\conference memo.PDF -- 648b226141fe0304838a6ffc2f2332d0  41094 bytes (clean decoy PDF)
%Temp%\temp.tmp -- 3fbd522785b2a14135ab516fb3026c9e  24064 bytes
%Temp%\xxx.exe -- 91c0a14b4eaa604c7c1b2ca5252c1941  40750 bytes
%Temp%\~.exe -- 4bcfd4e7b25eab26bca0df684e66603a  31744 bytes (submitted to VirusTotal below as _.exe, same MD5)

temp.tmp is injected into explorer.exe


http://www.virustotal.com/analisis/44904e4f7d3dadb963577c431af3bb0cd9834cc086d26e4091f9610702c8c068-1269790727
File xxx.exe received on 2010.03.28 15:38:47 (UTC)
Result: 2/42 (4.77%)
Panda 10.0.2.2 2010.03.28 Suspicious file
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 40750 bytes
MD5...: 91c0a14b4eaa604c7c1b2ca5252c1941


http://www.virustotal.com/analisis/286cf5897196aa911dfec58a561c53b7cf80ad4936f08b7a0f5908d07bd3f382-1269790705
File temp.tmp received on 2010.03.28 15:38:25 (UTC)
Result: 3/42 (7.15%)
AntiVir 7.10.5.241 2010.03.26 HEUR/Malware
McAfee-GW-Edition 6.8.5 2010.03.27 Heuristic.BehavesLike.Win32.Keylogger.L
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 24064 bytes
MD5...: 3fbd522785b2a14135ab516fb3026c9e






File conference_memo.PDF received on 2010.03.28 15:38:56 (UTC) - this is the clean decoy PDF dropped to %Temp%, not the original attachment (note the different MD5)
File size: 41094 bytes
MD5...: 648b226141fe0304838a6ffc2f2332d0


http://www.virustotal.com/analisis/30007b639954226cda087c550b62ae8b137111298ddbf713a8e7f2a6e8b90654-1269790718
File _.exe received on 2010.03.28 15:38:38 (UTC)
Result: 2/42 (4.77%)
Sophos 4.52.0 2010.03.28 Mal/Behav-053 - see it on ThreatExpert (just a different MD5)
Symantec 20091.2.0.41 2010.03.28 Suspicious.Insight
File size: 31744 bytes
MD5...: 4bcfd4e7b25eab26bca0df684e66603a

Network activities of _.exe
DNS queries: betterpeony.com
Query result: 218.240.54.195
HTTP conversations:
218.240.54.195:80
GET /xiazai/Rtservera.exe (response: empty)

Full Anubis report of _.exe:
http://anubis.iseclab.org/?action=result&task_id=1e3b88eb20a1d72f455f5bc69c86336ec

  Robtex.com info on 218.240.54.195
      Hostname:    218.240.54.195
      ISP:    China Network Information Center
      Organization:    Beijing Neteon Tech Co, Ltd.
      Assignment:    Static IP
      State/Region:    Beijing
      City:    Beijing
      Longitude:    116.3883
qhsk.cn, jckj.net, zhsq.net, szxdl.net, yhtoy.net and at least eleven other hosts point to 218.240.54.195. It is blacklisted in one list.
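The Anubis record above (a DNS lookup of betterpeony.com answered with 218.240.54.195, then GET /xiazai/Rtservera.exe from that address over port 80) is exactly what a proxy or DNS log would show, so it is worth turning into a detection. The script below is an added example and is not part of the post: it matches the post's indicators against log lines constructed here (the Squid-style and DNS log formats, the timestamps, and every address other than the post's own IOCs are made up) and additionally flags a generic pattern the sample exhibits, an executable fetched over plain HTTP from a bare IP address, so a renamed download path or a new domain would still be caught.

```python
"""IOC matching over proxy and DNS log lines (added example; the log lines
are constructed and the only real indicators are the ones from the post)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators from the post's Anubis/Robtex data.
IOC_DOMAINS = {"betterpeony.com"}
IOC_IPS = {"218.240.54.195"}
IOC_PATHS = {"/xiazai/Rtservera.exe"}
EXE_SUFFIXES = (".exe", ".dll", ".scr")

# Squid access.log shape: ts elapsed client code/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
# Constructed DNS log shape: "ts client query A name -> answer"
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+A\s+(?P<name>\S+)\s+->\s+(?P<answer>\S+)")

# Constructed sample log; 10.0.0.x clients and 203.0.113.9 are made up.
SAMPLE_LOG = [
    "1269790727.001 10.0.0.17 query A betterpeony.com -> 218.240.54.195",
    "1269790727.512 0 10.0.0.17 TCP_MISS/200 52736 GET "
    "http://218.240.54.195/xiazai/Rtservera.exe - DIRECT/218.240.54.195 application/octet-stream",
    "1269790730.100 0 10.0.0.17 TCP_MISS/200 1821 GET "
    "http://www.example.org/index.html - DIRECT/93.184.216.34 text/html",
    "1269790731.000 0 10.0.0.22 TCP_MISS/200 9000 GET "
    "http://203.0.113.9/update/setup.exe - DIRECT/203.0.113.9 application/octet-stream",
]


def is_bare_ip(host):
    """True if the URL host is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return the reasons a log line is interesting (empty list if none)."""
    reasons = []
    m = DNS_RE.match(line)
    if m:
        name = m["name"].rstrip(".").lower()
        if name in IOC_DOMAINS:
            reasons.append("DNS query for IOC domain " + name)
        if m["answer"] in IOC_IPS:
            reasons.append("DNS answer is IOC address " + m["answer"])
        return reasons
    m = SQUID_RE.match(line)
    if not m:
        return reasons  # not a format we understand
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    if host in IOC_DOMAINS or host in IOC_IPS:
        reasons.append("HTTP to IOC host " + host)
    if parts.path in IOC_PATHS:
        reasons.append("known payload path " + parts.path)
    # Generic heuristic drawn from the sample: binary pulled from a raw IP over http.
    if parts.scheme == "http" and is_bare_ip(host) and parts.path.lower().endswith(EXE_SUFFIXES):
        reasons.append("executable fetched from bare IP over http")
    return reasons


def triage(lines):
    """Map line index -> reasons, for every line that produced at least one."""
    result = {}
    for i, line in enumerate(lines):
        reasons = triage_line(line)
        if reasons:
            result[i] = reasons
    return result


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_LOG).items():
        print(f"line {i}: " + "; ".join(reasons))
```

The bare-IP heuristic is noisy on networks that host internal update servers by address; scope it with an allow list before deploying it, and keep the exact IOC matches as the high-confidence alerts.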



