Download 03546e59967af0c2dbf609013934cd07 message-cv.doc as a password protected archive (please contact me for the password, if you need it)
Details 03546e59967af0c2dbf609013934cd07 message-cv.doc
Sent: Friday, April 23, 2010 4:30 AM
To: XXXXXXXXXX
Subject: Important Message
Dear sir,
Pls find attached file .
Regards,
Satish Kumar
Second Secretary,
Embassy of India,
Beijing
http://www.virustotal.com/analisis/7a6b78a4662ceca77e76cd7f2bc08f69a588fc7547db60eb77eb4c328a04c0a8-1272378511
Result: 13/40 (32.50%)
a-squared 4.5.0.50 2010.04.27 Exploit.Win32.CVE-2008!IK
Authentium 5.2.0.5 2010.04.27 MSWord/Dropper.B!Camelot
BitDefender 7.2 2010.04.27 Exploit.MSOffice.Gen
F-Prot 4.5.1.85 2010.04.26 CVE-2006-2389
F-Secure 9.0.15370.0 2010.04.27 Exploit.MSOffice.Gen
Fortinet 4.0.14.0 2010.04.27 MSWord/Agent.Y!exploit
GData 21 2010.04.27 Exploit.MSOffice.Gen
Ikarus T3.1.1.80.0 2010.04.27 Exploit.Win32.CVE-2008
Jiangmin 13.0.900 2010.04.27 Exploit.MSWord.b
McAfee-GW-Edition 6.8.5 2010.04.27 Heuristic.BehavesLike.Exploit.OLE2.CodeExec.EBKP
Microsoft 1.5703 2010.04.27 Exploit:Win32/CVE-2008-4841
nProtect 2010-04-27.01 2010.04.27 Exploit.MSOffice.Gen
Panda 10.0.2.7 2010.04.26 Trj/1Table.C
Additional information
File size: 292864 bytes
MD5 : 03546e59967af0c2dbf609013934cd07
Headers
Received: from unknown (HELO mail.niit.com.cn) (202.109.110.87)
by XXXXXXXXXXXXX with SMTP; 23 Apr 2010 08:30:17 -0000
Received: Fri, 23 Apr 2010 16:30:13 +0800
From: polsec@indianembassy.org.cn
Hostname: 202.109.110.8
ISP: ChinaNet Shanghai Province Network
Organization: Business China Trading Company
Country: China
State/Region: Shanghai
City: Shanghai
dl-niit.com, niit.com.cn, okshanghai.com, www.niit.com.cn, mail.niit.com.cn and at least three other hosts point to 202.109.110.87. It is blacklisted in four lists.
dl-niit.com
indianembassy.org.cn
mail.indianembassy.org.cn
mail.niit.com.cn
niit.com.cn
okshanghai.com
www.indianembassy.org.cn
www.niit.com.cn
Domains using this as mail server
indianembassy.org.cn(primary)
niit.com.cn(primary)