Pages

Thursday, May 13, 2010

May 13 CVE-2009-3129 XLS General Hospital service from taup@msa.hinet.net

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability." 

From: 陳志良 [mailto:taup@msa.hinet.net]
Sent: Thursday, May 13, 2010 10:13 PM
To: XXXX
Subject: FW:三軍總醫院健康檢查中心提供健康食譜.xls

很不錯的健康食譜,多多宣傳,讓更多的臺灣民眾可以健康飲食

From: Zhi-Liang Chen [mailto: taup@msa.hinet.net] Sent: Thursday, May 13, 2010 10:13 PM To: XXXX Subject: FW: Tri-Service General Hospital Health Examination Center provides health recipes. Xls Very good recipes, lots of publicity so that more people in Taiwan can be a healthy diet

 File ATT42396.xls received on 2010.05.19 11:43:29 (UTC)
http://www.virustotal.com/analisis/26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6-1274269409
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.19    MSExcel/Dropper.B!Camelot
Jiangmin    13.0.900    2010.05.19    Heur:Exploit.CVE-2009-3129
PCTools    7.0.3.5    2010.05.19    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.05.19    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
Additional information
File size: 64512 bytes
MD5...: 61a29b7d8a6c3a03a884f2f64be5ca21

header info 
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXX with SMTP; 14 May 2010 02:13:35 -0000
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr6.hinet.net (8.9.3/8.9.3) with ESMTP id KAA15594
    for XXXXX; Fri, 14 May 2010 10:13:29 +0800 (CST)
Reply-To: taup@msa.hinet.net
 
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
 State/Region:    T'ai-pei




Vicheck.ca report
http://www.blogger.com/goog_1411011961md5query.php?hash=61a29b7d8a6c3a03a884f2f64be5ca21
File: ATT42396.xls
File size: 64512 bytes
File type: Microsoft Office Document
MD5: 61a29b7d8a6c3a03a884f2f64be5ca21
SHA1: 2fc4c0a5bdb0904d5f81bb5903835996b83998b9
SHA256: 26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6
SSDEEP: 768:pLLLkR25sNyJPGS75lY6k7csXtHbbPXCCMgp7eeevR2I7uyoALY+1Vy:pLLLDb5KcXm7eeeBAALn14
Reported: 2010-05-14 04:44:35
Detection engine: 170
Result: Embedded Executable
Confidence: 100
Detected entities: [Beta Analysis Report]  ---- see here
Shellcode detected at 30403 1890 bytes
Embedded Executable: CloseHandle [33878]
Embedded Executable: GetProcAddress [33920]
Embedded Executable: LoadLibraryA [33938]
Embedded Executable: CreateFileA [34084]
Embedded Executable: KERNEL32 [34200]
Embedded Executable: Advapi32.dll [34276]
Embedded Executable: GetModuleHandleA [34692]
RepositoryStatus
vicheck.caEmbedded Executable
Confidence: 100
Scan hits: 9

VirusTotal.com4/41 (10%) detected malware





Search type: plaintext
Matching: full
Key Length: 0 bytes
Key Unique Sum: More
Key Location: @0 bytes
Key Accuracy: 0.00%
Fuzzy Errors: 0
File XOR Offset: @0 bytes
Type: Embedded Executable
XOR Key: 0x[]


Shellcode Scan:

Shellcode @ 30403.

Exploit Scan:

Exploit: shellcode found @30403.

Sandbox report:

Files dropped:
C:\[Documents and Settings]\ALLUSE~1\APPLIC~1\MICROS~1\OFFICE\DATA\opa12.dat [8b7a6fc84edbb9b9c2164f3227a8c945/8200 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\15759453.cvr [31a8cb3f7abbed7b044470f7c27c3c61/1184 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\15759453.od [e5bb622a1bc4d61498cb943f625d0385/134 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\dw.log [418747c2175f003e0a93d70117fb98d3/13 bytes]
C:\[Documents and Settings]\[Current User]\LOCALS~1\Temp\F07C93.dmp [d5eec5d48c32c0713688ed9eef4da785/3148662 bytes]


1 comment:

  1. Hi, I have tried to run this malwasre with MS Viewer 2003 and 2007. But this is not exploitable on these platforms. Also officecat suggest that this file has CVE-2008-3005/MS08-043 vulnarbility. Can you please tell me the version of office viewer for which this file is malicious.

    Thanks

    ReplyDelete