Friday, May 28, 2010

May 28 CVE-2009-3129 XLS for Office 2002-2007 with FUD keylogger EIDHR from

Update: Noticed an interesting post by Nart Villeneuve (Internet Censorship Explorer) regarding this malware and decided to update and resurrect the post.

Download 4f681733fd9e473c09f967fa87c9faef EIDHR.xls and all the files described below as a password-protected archive (contact me if you need the password).

From: [] On Behalf Of ??
Sent: Friday, May 28, 2010 2:31 AM
Subject: About the EIDHR project


Sent: Monday, May 24, 2010 6:15 PM
Subject: FW: EIDHR project call for proposals

1. The right to freedom of thought, religion and belief
2. Freedom of speech and expression, including artistic and cultural expression, the right to information and communication, including media freedom, opposition to censorship and internet freedom
3. The right to peaceful assembly and freedom of association, including the right to form and join trade unions
4. The right to free movement within a country, and the right to leave any country (including one's own) and to return to one's own country
The total funding for a project is a minimum of 150,000 euros and a maximum of 1.2 million euros. Project duration should be no less than 18 months and no more than 3 years. The project guidelines in the attachment are the more important part: a short project concept note must be submitted first, and the application deadline is June 15. When applying, fill in the Annex A, B, C and other forms at the link.
1. Register the application through the PADOR system.
2. Or send the required project concept note and Forms A, B, C to the following address:
European Commission
EuropeAid Co-operation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
B - 1049 Brussels

European Commission
EuropeAid Cooperation Office
Unit F4 – Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
Central Mail Service
Avenue du Bourget 1
B-1140 Brussels (Evère)

See the machine translation at the end.

Received: (qmail 3230 invoked from network); 28 May 2010 06:31:58 -0000
Received: from (HELO (  by XXXXXXXXXXXXXXXXXXX with SMTP; 28 May 2010 06:31:58 -0000
Received: from sppfszwr (unknown [])
    by (EMOS V1.5 (Postfix)) with ESMTPA id 37B71109A81
From: =?utf-8?B?5by16Iux?=
Subject: =?utf-8?B?6Zec5pa8RUlESFLpoIXnm64=?=
Date: Fri, 28 May 2010 14:31:10 +0800
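To show what a defender pulls out of the headers above, here is an added Python triage helper (not from the original post): it decodes the RFC 2047 encoded From and Subject, pulls the HELO name from the Received chain, and compares the sender's Date header with the delivery timestamp. The header text is copied from the post with its redactions left in place; treating a dotless HELO name as worth a look is my assumption, not a rule from the post.

```python
import calendar
import email
import re
from email.header import decode_header, make_header
from email.utils import parsedate_tz

# Headers as shown in the post; IPs and the receiving host were already redacted there.
RAW_HEADERS = """\
Received: (qmail 3230 invoked from network); 28 May 2010 06:31:58 -0000
Received: from (HELO (  by XXXXXXXXXXXXXXXXXXX with SMTP; 28 May 2010 06:31:58 -0000
Received: from sppfszwr (unknown [])
    by (EMOS V1.5 (Postfix)) with ESMTPA id 37B71109A81
From: =?utf-8?B?5by16Iux?=
Subject: =?utf-8?B?6Zec5pa8RUlESFLpoIXnm64=?=
Date: Fri, 28 May 2010 14:31:10 +0800
"""

def decode_rfc2047(value):
    """Render an RFC 2047 encoded word (=?utf-8?B?...?=) as readable text."""
    return str(make_header(decode_header(value)))

def to_utc_epoch(datestr):
    """RFC 2822 date -> UTC epoch seconds, independent of the local timezone."""
    parsed = parsedate_tz(datestr)
    return calendar.timegm(parsed[:9]) - (parsed[9] or 0)

def helo_names(received_values):
    """HELO names from 'from <name> ...' clauses; redacted ones like 'from (HELO (' are skipped."""
    names = []
    for value in received_values:
        match = re.match(r"from\s+([A-Za-z0-9.\-]+)\s", value)
        if match:
            names.append(match.group(1))
    return names

def triage(raw):
    """Summarise sender, subject, HELO names and Date/Received skew for one message."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received", [])
    # The outermost (first) Received header carries the local delivery time.
    delivered = to_utc_epoch(received[0].rsplit(";", 1)[1].strip())
    helos = helo_names(received)
    return {
        "sender": decode_rfc2047(msg["From"]),
        "subject": decode_rfc2047(msg["Subject"]),
        "helos": helos,
        "non_fqdn_helos": [h for h in helos if "." not in h],  # assumption: bare names merit a look
        "delivery_minus_date_seconds": delivered - to_utc_epoch(msg["Date"]),
    }
```

Here the decoded From is the "Zhang Ying" of the translation below, the HELO is a bare random-looking string with no reverse DNS, and the Date header is 48 seconds ahead of delivery, so the clock on the sending side is consistent with the +0800 zone.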

ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
State/Region:    Jiangsu
City:    Suzhou

File EIDHR.xls received on 2010.06.02 04:13:50 (UTC)
Result: 17/41 (41.47%)
a-squared    2010.06.02    Trojan-Dropper.MSExcel.Agent!IK
AntiVir    2010.06.01    TR/Drop.MSExcel.Agent.BC
Antiy-AVL    2010.06.01    Trojan/MSExcel.Agent
Authentium    2010.06.02    MSExcel/Dropper.B!Camelot
BitDefender    7.2    2010.06.02    Exploit.D-Encrypted.Gen
F-Secure    9.0.15370.0    2010.06.02    Exploit.D-Encrypted.Gen
GData    21    2010.06.02    Exploit.D-Encrypted.Gen
Ikarus    T3.    2010.06.02    Trojan-Dropper.MSExcel.Agent
Jiangmin    13.0.900    2010.05.31    Heur:Exploit.CVE-2009-3129
Kaspersky    2010.06.02    Trojan-Dropper.MSExcel.Agent.bc
McAfee-GW-Edition    2010.1    2010.06.02    Heuristic.BehavesLike.Exploit.X97.CodeExec.EBEB
Norman    6.04.12    2010.06.01    ShellCode.B
nProtect    2010-06-01.02    2010.06.01    Exploit.D-Encrypted.Gen
PCTools    2010.06.02    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.02    Bloodhound.Exploit.306
TrendMicro    2010.06.02    TROJ_MDROPR.MRV
TrendMicro-HouseCall    2010.06.02    TROJ_MDROPR.MRV
Additional information
File size: 64166 bytes
MD5...: 4f681733fd9e473c09f967fa87c9faef

Excel opens successfully, displaying "hello" with a Chinese font set as default. The document properties show that it was created on a Lenovo (Beijing) Limited laptop.

Files created

  1. D52EF63FDC5C5452D9DA23BD6D4BF0F5  %userprofile%\Local Settings\Temp\1001.tmp  11kb  0/41 Virustotal
  2. D52EF63FDC5C5452D9DA23BD6D4BF0F5  C:\WINDOWS\ntshrui.dll  11kb  0/41 Virustotal
  3. A363ABE09A44176386C50EE887359270  %userprofile%\Local Settings\Temp\set.xls  17kb  clean spreadsheet (the one shown above)

Upon reboot, it is copied to system32 as well.

File: ntshrui.dll
MD5:  d52ef63fdc5c5452d9da23bd6d4bf0f5
Size: 10720

Handle,            Owner,                     Object,
0x01710000    1660: explorer.exe    C:\WINDOWS\ntshrui.dll
0x76990000    1660: explorer.exe    C:\WINDOWS\system32\ntshrui.dll
 File ntshrui.dll received on 2010.06.02 11:01:06 (UTC)
Result: 0/41 (0%)
Additional information
File size: 10720 bytes
MD5...: d52ef63fdc5c5452d9da23bd6d4bf0f5

The file ntshrui.dll is digitally signed, but the signature is invalid.

The certificate is issued by "Root Agency", the Microsoft test root rather than a trusted CA, so the signature carries no trust.
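The handle listing above is the evidence a defender can automate on. As an added example (not from the post), this Python parses that listing, flags a process that has mapped a module from its own directory while a same-named module also sits in system32, and matches the flagged paths against the post's MD5; the path-to-hash map is constructed, standing in for hashing the files on the host (the post says the DLL is copied to system32 too, so both paths carry the same hash here).

```python
import ntpath

# Handle listing copied from the post: explorer.exe (PID 1660) has ntshrui.dll mapped twice.
HANDLE_LISTING = """\
Handle,            Owner,                     Object,
0x01710000    1660: explorer.exe    C:\\WINDOWS\\ntshrui.dll
0x76990000    1660: explorer.exe    C:\\WINDOWS\\system32\\ntshrui.dll
"""

# MD5 of the dropped ntshrui.dll from the post. The path -> MD5 map is constructed to
# stand in for hashing files on a live box; the post says the DLL is copied to system32 too.
KNOWN_BAD_MD5 = {"d52ef63fdc5c5452d9da23bd6d4bf0f5": "EIDHR.xls dropped ntshrui.dll"}
CONSTRUCTED_HASHES = {
    r"C:\WINDOWS\ntshrui.dll": "d52ef63fdc5c5452d9da23bd6d4bf0f5",
    r"C:\WINDOWS\system32\ntshrui.dll": "d52ef63fdc5c5452d9da23bd6d4bf0f5",
}

def parse_handle_listing(text):
    """Return (pid, image, path) rows; the 'Handle, Owner, Object' header is skipped."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        _, pid, image, path = line.split(None, 3)
        rows.append((int(pid.rstrip(":")), image, path))
    return rows

def loaded_from_app_dir(rows, system_dir=r"C:\WINDOWS\system32"):
    """Flag a module a process maps from outside system32 while also mapping a same-named
    module from system32: the shape of a DLL planted where the search order finds it first."""
    findings = []
    seen = {}
    for pid, image, path in rows:
        seen.setdefault((pid, image, ntpath.basename(path).lower()), []).append(path)
    for (pid, image, name), paths in seen.items():
        outside = [p for p in paths if ntpath.dirname(p).lower() != system_dir.lower()]
        if outside and len(outside) < len(paths):
            findings.append({"pid": pid, "image": image, "module": name, "planted": outside})
    return findings

def match_iocs(paths, path_hashes, known_bad):
    """Map each path whose hash is a known indicator to the indicator's label."""
    return {p: known_bad[path_hashes[p]] for p in paths if path_hashes.get(p) in known_bad}
```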

TCP traffic to  is a domain controlled by two name servers at
Having a total of four IP numbers. All four of them are on different IP networks.
The name server peanutmail.newpeanut.idc stated in the SOA record is not in the list of name servers.  has one IP number.,,,, and at least 56 other hosts share name servers with this domain. is hosted on a server in China.
Reputation is not yet known. It is not listed in any blacklists.
Domain Name: 360LIVEUPDATE.COM
Whois Server:
Referral URL:
Name Server: NS1.ORAY.NET
Name Server: NS2.ORAY.NET
Status: ok
Updated Date: 29-jul-2009
Creation Date: 29-jul-2009
Expiration Date: 29-jul-2010

ISP:    CHINANET jiangsu province network
Organization:    CHINANET jiangsu province network
Type:    Broadband
State/Region:    Jiangsu
City:    Wuxi

A few minutes after the reboot, a file named Explorer appears in %systemroot%.
Explorer is a text log of all explorer.exe activity; this is a common type of keylogger. See the picture below.

Vicheck results

From: [mailto:] On Behalf Of ??
Sent: Friday, May 28, 2010 2:31 AM
To: XXXXXX
Subject: About EIDHR Project

Of you EIDHR European project on detailed consultation with my friends in the EU, in order to apply a smooth, they still need to add some information, specific items of information and content outline are attached to the back, and wish you well.
Zhang Ying

From: SHARPE Simon (RELEX-BEIJING)
Sent: Monday, May 24, 2010 6:15 PM
Subject: FW: EIDHR project request for proposals

Hello, everybody:
The EU now has a EIDHR projects seek. The purpose of the project is funded projects to promote human rights, covering a wide area. We can share with other interested friends to this information.

The theme of project activities
The plan has the following themes will be given priority:
1. Thinking, freedom of religion and belief and freedom
2. Freedom of speech and freedom of expression, including arts and cultural expression, information and communication rights, including media freedom, freedom against censorship and network
3. Peaceful assembly and freedom of association rights, including the right to establish and join trade unions
4. In a country the right to freedom of movement, to leave any country (including their own) and the right to return to their

Project activities
Project activities can range from monitoring, advocacy, public information, raising aware of capacity building, training, and dialogue with stakeholders and a series of forms. Ultimate goal is to improve the country's civil society organizations autonomy.
The minimum total project funding of 15 million euros, up 120 million euros. Project duration should be less than 18 months, but not more than 3 years. More important is the annex of the project steering, first need to submit a brief project concept book, the application deadline is June 15. Project application to fill out the link in the Annex A, B, C and so on form.
There are two ways to apply:
1. PADOR system through the application for registration.
Or to apply for the Project Idea and the Form A, B, C Mailing Address:
Mailing address
European Commission
EuropeAid Co-operation Office
Unit F4 - Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
B - 1049 Brussels
BELGIUM
Express Address
European Commission
EuropeAid Cooperation Office
Unit F4 - Finances, Contracts and Audit for thematic budget lines
Call for Proposals Sector
Office: L-41 03/154
Central Mail Service
Avenue du Bourget 1
B-1140 Brussels (Evère)
BELGIUM
Details on the project in https: / / / europeaid / onlineservices / index.cfm? Do = publi.welcome & nbPubliList = 15 & orderby = upd & orderbyad = Desc & searchtype = RS & aofr = 126352
If you need more information, please feel free to contact us. Thank you!
EU Delegation Ming Xia


  1. Very nice thread! Thanks a lot for your analysis!
