CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Download 61A29B7D8A6C3A03A884F2F64BE5CA21 ATT42396.zip as a password-protected archive (contact me if you need the password)
I have more samples of this CVE, different MD5. Email me if needed
Details 61A29B7D8A6C3A03A884F2F64BE5CA21 ATT42396.xls
From: 陳志良 (Zhi-Liang Chen) [mailto:taup@msa.hinet.net]
Sent: Thursday, May 13, 2010 10:13 PM
To: XXXX
Subject: FW:三軍總醫院健康檢查中心提供健康食譜.xls (FW: Tri-Service General Hospital Health Examination Center provides healthy recipes.xls)
A very good set of healthy recipes; please spread the word so that more people in Taiwan can eat healthily.
http://www.virustotal.com/analisis/26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6-1274269409
Result: 6/41 (14.64%)
Authentium 5.2.0.5 2010.05.19 MSExcel/Dropper.B!Camelot
Jiangmin 13.0.900 2010.05.19 Heur:Exploit.CVE-2009-3129
PCTools 7.0.3.5 2010.05.19 HeurEngine.MaliciousExploit
Symantec 20101.1.0.89 2010.05.19 Bloodhound.Exploit.306
TrendMicro 9.120.0.1004 2010.05.19 TROJ_EXELDROP.A
TrendMicro-HouseCall 9.120.0.1004 2010.05.19 TROJ_EXELDROP.A
Additional information
File size: 64512 bytes
MD5...: 61a29b7d8a6c3a03a884f2f64be5ca21
Header info
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
by XXXXXXXXXXXX with SMTP; 14 May 2010 02:13:35 -0000
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
by msr6.hinet.net (8.9.3/8.9.3) with ESMTP id KAA15594
for XXXXX; Fri, 14 May 2010 10:13:29 +0800 (CST)
Reply-To: taup@msa.hinet.net
Hostname: 203-69-74-246.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Yamma Digital Technology Co., Ltd.
State/Region: T'ai-pei
Vicheck.ca report
File: ATT42396.xls
File size: 64512 bytes
File type: Microsoft Office Document
MD5: 61a29b7d8a6c3a03a884f2f64be5ca21
SHA1: 2fc4c0a5bdb0904d5f81bb5903835996b83998b9
SHA256: 26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6
SSDEEP: 768:pLLLkR25sNyJPGS75lY6k7csXtHbbPXCCMgp7eeevR2I7uyoALY+1Vy:pLLLDb5KcXm7eeeBAALn14
Reported: 2010-05-14 04:44:35
Detection engine: 170
Result: Embedded Executable
Confidence: 100
Detected entities: [Beta Analysis Report]
Shellcode detected at 30403 1890 bytes
Embedded Executable: CloseHandle [33878]
Embedded Executable: GetProcAddress [33920]
Embedded Executable: LoadLibraryA [33938]
Embedded Executable: CreateFileA [34084]
Embedded Executable: KERNEL32 [34200]
Embedded Executable: Advapi32.dll [34276]
Embedded Executable: GetModuleHandleA [34692]
Search type: plaintext
Matching: full
Key Length: 0 bytes
Key Unique Sum: More
Key Location: @0 bytes
Key Accuracy: 0.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
Type: Embedded Executable
XOR Key: 0x[]
Shellcode Scan: Shellcode @ 30403.
Exploit Scan: Exploit: shellcode found @30403.
Sandbox report:
Files dropped:
C:\[Documents and Settings]\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\opa12.dat [8b7a6fc84edbb9b9c2164f3227a8c945/8200 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\15759453.cvr [31a8cb3f7abbed7b044470f7c27c3c61/1184 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\15759453.od [e5bb622a1bc4d61498cb943f625d0385/134 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\dw.log [418747c2175f003e0a93d70117fb98d3/13 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\F07C93.dmp [d5eec5d48c32c0713688ed9eef4da785/3148662 bytes]
Hi, I have tried to run this malware with MS Viewer 2003 and 2007. But this is not exploitable on these platforms. Also officecat suggests that this file has the CVE-2008-3005/MS08-043 vulnerability. Can you please tell me the version of Office Viewer for which this file is malicious. Thanks