CVE-2010-2883 Security Advisory for Adobe Reader and Acrobat
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
Download Beneficial medical programs.pdf and the dropped files as a password-protected archive (contact me if you need the password)
From: CENTERS FOR MEDICARE & MEDICAID SERVICES [mailto:rodney.cadataa@gmail.com]
Sent: Wednesday, September 15, 2010 10:22 AM
To: XXXXXXXXXXXXXXXXXX
Subject: US Government Programs to Pay Medical Expenses
There are Federal and state programs available for people with Medicare who have limited income and resources. These programs may help you save on your health care and prescription drug costs.
For More Information
Call or visit your State Medical Assistance (Medicaid) office, and ask for information on Medicaid and Medicare Savings Programs. The names of these programs and how they work may vary by state. Call if you think you qualify for any of these programs, even if you aren't sure.
Call 1-800-MEDICARE (1-800-633-4227), and say "medicaid" to get the telephone number for your state. TTY users should call 1-877-486-2048.
Headers (Gmail, not very useful)
Received: by qwe4 with SMTP id 4so11886qwe.6
for XXXXXXXXXXXXXX; Wed, 15 Sep 2010 07:24:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:received:date:message-id
:subject:from:to:content-type;
bh=hSPles8Y36UbD/BgP56IACuJrGeqpqKGQkbIggPKIds=;
b=kcb52Kj85+usGGI07vdY//pP79euh2g12GAL//1TAzuWHjHpkiB6tFHetwzDhlOeVw
LqlHN2AND5sWMAJShhH01ZGd40VUA0/mIocdftNxi6AMRHnQ9wJRsfzwdNOVOSBq4Pk+
NUrB+tzDQe4rVciFVEROkWcVvegqP+lJsZbRA=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=Qxk6VI3sAZwe68aCkoYKE23/OnyBTCR7b3I3+AQGDAKlQ8TZSW/11jX8++mNDVNQEe
qtped59IWkeHXJZncOWSaqYrEnptB+ArTOixPwzAuEE8J9FBsE0ZmJVrhKyukt8y6o8L
ACGZYyvFuyqq0NK4DtpArM6ccRO3NyGgfsvhI=
MIME-Version: 1.0
Received: by 10.224.61.12 with SMTP id r12mr1163665qah.101.1284560531548; Wed,
15 Sep 2010 07:22:11 -0700 (PDT)
Received: by 10.229.213.18 with HTTP; Wed, 15 Sep 2010 07:22:11 -0700 (PDT)
Date: Wed, 15 Sep 2010 10:22:11 -0400
Message-ID:
Subject: Fwd: US Government Programs to Pay Medical Expenses
From: "CENTERS FOR MEDICARE & MEDICAID SERVICES"
To: XXXXXXXXXXXXXXXX
Content-Type: multipart/mixed; boundary="0015175cde882cec6404904d0e7b"
File name: Beneficial medical programs.pdf
http://www.virustotal.com/file-scan/report.html?id=152a18a1f684c00ef4f5d80d2a158a3e84929affe72258d1b2efcad63989cbf3-1284638012
Submission date: 2010-09-16 11:53:32 (UTC)
Result: 15/43 (34.9%)
Avast 4.8.1351.0 2010.09.16 JS:Pdfka-gen
Avast5 5.0.594.0 2010.09.16 JS:Pdfka-gen
BitDefender 7.2 2010.09.16 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2010.09.16 Exploit.PDF-JS.Gen
GData 21 2010.09.16 Exploit.PDF-JS.Gen
Kaspersky 7.0.0.125 2010.09.16 Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition 2010.1C 2010.09.16 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.6103 2010.09.16 Exploit:Win32/Pdfjsc.HX
NOD32 5454 2010.09.16 PDF/Exploit.Gen
Norman 6.06.06 2010.09.15 PDF/Suspicious.D
nProtect 2010-09-16.02 2010.09.16 Exploit.PDF-Name.Gen
Panda 10.0.2.7 2010.09.16 Exploit/PDF.Exploit
PCTools 7.0.3.5 2010.09.16 Trojan.Pidief
Sophos 4.57.0 2010.09.16 Mal/JSShell-B
Symantec 20101.1.1.7 2010.09.16 Trojan.Pidief
MD5 : 32dbd816b0b08878bd332eee299bbec4
Created files
%tmp%\clip.exe
%tmp%\eparty.dll
%tmp%\eparty.exe
Malware ASCII strings
File: eparty.exe
MD5: 0ade988a4302a207926305618b4dad01
Size: 37888
ASCII strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
[...]
WININET.dll
_stricmp
_strlwr
_strnicmp
ServerDll.dll
read buffer error
cannot open the message file
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.mysundayparty.com
pdeparty.tmp
gdeparty.tmp
peparty.tmp
geparty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-eparty
&hostname=
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
PID:%5d PATH:%s
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=
[...]
File: eparty.dll
MD5: 68f5a1faff35ad1ecaa1654b288f6cd9
Size: 27649
ASCII strings:
---------------------------------------------------------------------------
read buffer error
cannot open the message file
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.mysundayparty.com
pdeparty.tmp
gdeparty.tmp
peparty.tmp
geparty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-eparty
&hostname=
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
PID:%5d PATH:%s
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=
%s,get:%s,%d
get:%s,%d
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=
The process has been unsuccessfully killed!
The process has been successfully killed!
cmd /c "echo
cmd /c "
kill
SeShutdownPrivilege
reboot false!
waiting......
reboot
process
network.proxy.http
network.proxy.http_port
NULL
prefs.js
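The strings above give the backdoor's network fingerprint: the hardcoded Firefox 3.0.7 user agent, the Internet Explorer style Accept list it sends alongside it, the C2 host and the two kys_allow_*.asp paths. As an added example (not part of the original post), the following Python checks a constructed proxy log for those indicators; the log layout, the sample lines and the UA/Accept mismatch heuristic are assumptions of the example.

```python
import re
from urllib.parse import urlsplit
# Network indicators lifted from the eparty.exe / eparty.dll strings above.
C2_HOST = "www.mysundayparty.com"
C2_PATHS = ("/asp/kys_allow_get.asp", "/asp/kys_allow_put.asp")
C2_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) "
         "Gecko/2009021910 Firefox/3.0.7")
# The binary pairs a Firefox user agent with an Internet Explorer style Accept
# list; real Firefox 3 sends an Accept list starting with text/html, so the
# mismatch is a heuristic that survives a host change (assumption, not from post).
IE_ACCEPT_PREFIX = "image/gif, image/x-xbitmap"
# Hypothetical proxy log layout: time client method url status "ua" "accept"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

def classify(line):
    # None for an unparseable line, otherwise the fields plus match reasons.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua, accept = m.groups()
    parts = urlsplit(url)
    reasons = []
    if parts.hostname == C2_HOST:
        reasons.append("known C2 host")
    if parts.path.lower() in C2_PATHS:
        reasons.append("kys_allow_* beacon path")
    if ua == C2_UA and accept.startswith(IE_ACCEPT_PREFIX):
        reasons.append("Firefox UA with IE Accept list")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "reasons": reasons}

def scan(lines):
    # Only entries that matched at least one indicator.
    return [r for r in map(classify, lines) if r and r["reasons"]]

# Constructed sample log: two beacons from an infected host, two benign lines.
IE_ACCEPT = ("image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, "
             "application/x-shockwave-flash, application/vnd.ms-excel, "
             "application/vnd.ms-powerpoint, application/msword, */*")
FF_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
SAMPLE_LOG = [
    f'2010-09-16T12:01:03Z 10.0.0.21 GET https://www.mysundayparty.com'
    f'/asp/kys_allow_get.asp?name=getkys.kys 200 "{C2_UA}" "{IE_ACCEPT}"',
    f'2010-09-16T12:01:09Z 10.0.0.21 POST https://www.mysundayparty.com'
    f'/asp/kys_allow_put.asp?type=pdeparty 200 "{C2_UA}" "{IE_ACCEPT}"',
    f'2010-09-16T12:02:00Z 10.0.0.33 GET http://www.yahoo.com/ 200 "{C2_UA}" "{FF_ACCEPT}"',
    f'2010-09-16T12:02:30Z 10.0.0.34 GET http://example.com/ 200 "Mozilla/4.0 '
    f'(compatible; MSIE 6.0; Windows NT 5.1)" "{IE_ACCEPT}"',
]
```

The yahoo.com line is deliberately left unflagged: the binary also carries that URL (likely a connectivity check), but a real Firefox request there carries a Firefox Accept list and matches no indicator.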
68.178.232.100 | MYSUNDAYPARTY.COM
Registrant:
debby ryan
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MYSUNDAYPARTY.COM
Created on: 15-Sep-10
Expires on: 15-Sep-11
Last Updated on: 15-Sep-10
Administrative Contact:
ryan, debby g.debbei_X@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --
Technical Contact:
ryan, debby g.debbei_X@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --
Domain servers in listed order:
NS09.DOMAINCONTROL.COM
NS10.DOMAINCONTROL.COM
IP: 68.178.232.100
ISP: GoDaddy.com
Organization: GoDaddy.com
Country: United States
State/Region: Arizona
City: Scottsdale
Anubis report for eparty.exe
http://anubis.iseclab.org/?action=result&task_id=168dda0c90f205044514f313c5920ae89&format=html
VirusTotal result for eparty.exe: 16/43 (37.2%)
AntiVir 8.2.4.52 2010.09.16 HEUR/Malware
Authentium 5.2.0.5 2010.09.16 W32/Heuristic-257!Eldorado
BitDefender 7.2 2010.09.16 Gen:Trojan.Heur.RP.cqW@aqLpqRob
DrWeb 5.0.2.03300 2010.09.16 Trojan.MulDrop.origin
F-Prot 4.6.1.107 2010.09.16 W32/Heuristic-257!Eldorado
F-Secure 9.0.15370.0 2010.09.16 Gen:Trojan.Heur.RP.cqW@aqLpqRob
GData 21 2010.09.16 Gen:Trojan.Heur.RP.cqW@aqLpqRob
K7AntiVirus 9.63.2522 2010.09.15 Riskware
Kaspersky 7.0.0.125 2010.09.16 Heur.Trojan.Generic
McAfee-GW-Edition 2010.1C 2010.09.16 Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft 1.6103 2010.09.16 Trojan:Win32/Wisp.gen!A
NOD32 5454 2010.09.16 probably a variant of Win32/Wisp.A
Panda 10.0.2.7 2010.09.16 Suspicious file
Sophos 4.57.0 2010.09.16 Mal/Dropper-Y
Sunbelt 6882 2010.09.16 BehavesLike.Win32.Malware.tsc (mx-v)
VBA32 3.12.14.0 2010.09.16 Trojan.Win32.Inject.2
MD5 : 0ade988a4302a207926305618b4dad01
VirusTotal result for eparty.dll: 6/43 (14.0%)
http://www.virustotal.com/file-scan/report.html?id=cf656854e07999b89e1e751f0865a22c88e18b60019937eb99f95709b06d169c-1284657179
AhnLab-V3 2010.09.16.01 2010.09.16 Backdoor/Win32.CSon
AntiVir 8.2.4.52 2010.09.16 HEUR/Malware
Microsoft 1.6103 2010.09.16 Trojan:Win32/Wisp.gen!A
NOD32 5455 2010.09.16 a variant of Win32/Wisp.B
Prevx 3.0 2010.09.16 Medium Risk Malware
VBA32 3.12.14.0 2010.09.16 suspected of Win32.Trojan.Downloader
MD5 : 68f5a1faff35ad1ecaa1654b288f6cd9