
Thursday, September 16, 2010

Sep 15 CVE-2010-2883 Adobe 0-Day PDF US Government Programs to Pay Medical Expenses from rodney.cadataa@gmail.com



Download Beneficial medical programs.pdf and the dropped files as a password-protected archive (contact me if you need the password)



From: CENTERS FOR MEDICARE & MEDICAID SERVICES [mailto:rodney.cadataa@gmail.com]
Sent: Wednesday, September 15, 2010 10:22 AM
To: XXXXXXXXXXXXXXXXXX
Subject: US Government Programs to Pay Medical Expenses

There are Federal and state programs available for people with Medicare who have limited income and resources. These programs may help you save on your health care and prescription drug costs.

For More Information
Call or visit your State Medical Assistance (Medicaid) office, and ask for information on Medicaid and Medicare Savings Programs. The names of these programs and how they work may vary by state. Call if you think you qualify for any of these programs, even if you aren't sure.
Call 1-800-MEDICARE (1-800-633-4227), and say "medicaid" to get the telephone number for your state. TTY users should call 1-877-486-2048.





Headers (Gmail, not very useful)
Received: by qwe4 with SMTP id 4so11886qwe.6
        for XXXXXXXXXXXXXX; Wed, 15 Sep 2010 07:24:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:received:date:message-id
         :subject:from:to:content-type;
        bh=hSPles8Y36UbD/BgP56IACuJrGeqpqKGQkbIggPKIds=;
        b=kcb52Kj85+usGGI07vdY//pP79euh2g12GAL//1TAzuWHjHpkiB6tFHetwzDhlOeVw
         LqlHN2AND5sWMAJShhH01ZGd40VUA0/mIocdftNxi6AMRHnQ9wJRsfzwdNOVOSBq4Pk+
         NUrB+tzDQe4rVciFVEROkWcVvegqP+lJsZbRA=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=Qxk6VI3sAZwe68aCkoYKE23/OnyBTCR7b3I3+AQGDAKlQ8TZSW/11jX8++mNDVNQEe
         qtped59IWkeHXJZncOWSaqYrEnptB+ArTOixPwzAuEE8J9FBsE0ZmJVrhKyukt8y6o8L
         ACGZYyvFuyqq0NK4DtpArM6ccRO3NyGgfsvhI=
MIME-Version: 1.0
Received: by 10.224.61.12 with SMTP id r12mr1163665qah.101.1284560531548; Wed,
 15 Sep 2010 07:22:11 -0700 (PDT)
Received: by 10.229.213.18 with HTTP; Wed, 15 Sep 2010 07:22:11 -0700 (PDT)
Date: Wed, 15 Sep 2010 10:22:11 -0400
Message-ID:
Subject: Fwd: US Government Programs to Pay Medical Expenses
From: "CENTERS FOR MEDICARE & MEDICAID SERVICES"
To: XXXXXXXXXXXXXXXX
Content-Type: multipart/mixed; boundary="0015175cde882cec6404904d0e7b"


File name: Beneficial medical programs.pdf
VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=152a18a1f684c00ef4f5d80d2a158a3e84929affe72258d1b2efcad63989cbf3-1284638012
Submission date: 2010-09-16 11:53:32 (UTC)
Result: 15/43 (34.9%)

Antivirus            Version         Last update   Result
Avast                4.8.1351.0      2010.09.16    JS:Pdfka-gen
Avast5               5.0.594.0       2010.09.16    JS:Pdfka-gen
BitDefender          7.2             2010.09.16    Exploit.PDF-JS.Gen
F-Secure             9.0.15370.0     2010.09.16    Exploit.PDF-JS.Gen
GData                21              2010.09.16    Exploit.PDF-JS.Gen
Kaspersky            7.0.0.125       2010.09.16    Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition    2010.1C         2010.09.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft            1.6103          2010.09.16    Exploit:Win32/Pdfjsc.HX
NOD32                5454            2010.09.16    PDF/Exploit.Gen
Norman               6.06.06         2010.09.15    PDF/Suspicious.D
nProtect             2010-09-16.02   2010.09.16    Exploit.PDF-Name.Gen
Panda                10.0.2.7        2010.09.16    Exploit/PDF.Exploit
PCTools              7.0.3.5         2010.09.16    Trojan.Pidief
Sophos               4.57.0          2010.09.16    Mal/JSShell-B
Symantec             20101.1.1.7     2010.09.16    Trojan.Pidief

MD5   : 32dbd816b0b08878bd332eee299bbec4

Created files
%tmp%\clip.exe
%tmp%\eparty.dll
%tmp%\eparty.exe

Malware ASCII strings

File: eparty.exe
MD5:  0ade988a4302a207926305618b4dad01
Size: 37888

ASCII strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
[...]
WININET.dll
_stricmp
_strlwr
_strnicmp
ServerDll.dll
read buffer error
cannot open the message file
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.mysundayparty.com
pdeparty.tmp
gdeparty.tmp
peparty.tmp
geparty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-eparty
&hostname=
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
PID:%5d    PATH:%s
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=

[...]


File: eparty.dll
MD5:  68f5a1faff35ad1ecaa1654b288f6cd9
Size: 27649

ASCII strings:
---------------------------------------------------------------------------
.....
read buffer error
cannot open the message file
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.mysundayparty.com
pdeparty.tmp
gdeparty.tmp
peparty.tmp
geparty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-eparty
&hostname=
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
PID:%5d    PATH:%s
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=
%s,get:%s,%d
get:%s,%d
https://www.mysundayparty.com/asp/kys_allow_get.asp?name=
The process has been unsuccessfully killed!
The process has been successfully killed!
cmd /c "echo
cmd /c "
kill
SeShutdownPrivilege
reboot false!
waiting......
reboot
process
network.proxy.http
network.proxy.http_port
NULL
prefs.js
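
The strings from eparty.exe and eparty.dll above are the indicators a defender gets out of this sample: the C2 host, the two ASP paths it talks to, the temp-file names it writes, and a hard-coded Firefox 3.0.7 User-Agent. The script below is an added example, not the post author's tooling; it turns those indicators (plus the three MD5s and the hosting IP from the post) into a small log matcher that separates strong hits (hash, domain, IP, URL path) from weak ones (a dropped-file name, the User-Agent, both of which also occur in benign traffic). The sample log lines at the bottom are constructed and their layout is illustrative, not any product's format.

```python
"""IoC matcher built from the indicators in this post (added example; not the
post author's tooling). Hashes, dropped-file names, the C2 domain, its IP, the
URL paths and the hard-coded User-Agent are copied from the post; the log lines
at the bottom are constructed samples, not real captures."""

# Strong indicators: a single hit is enough to alert on.
STRONG = {
    "md5": [
        "32dbd816b0b08878bd332eee299bbec4",  # Beneficial medical programs.pdf
        "0ade988a4302a207926305618b4dad01",  # eparty.exe / clip.exe
        "68f5a1faff35ad1ecaa1654b288f6cd9",  # eparty.dll
    ],
    "domain": ["mysundayparty.com"],
    "ip": ["68.178.232.100"],
    "url_path": ["/asp/kys_allow_get.asp", "/asp/kys_allow_put.asp"],
}

# Weak indicators: common enough (a generic temp-file name, a genuine Firefox
# 3.0.7 User-Agent) that one hit on its own only warrants an "info" entry.
WEAK = {
    "dropped_file": ["clip.exe", "eparty.exe", "eparty.dll",
                     "pdeparty.tmp", "gdeparty.tmp", "peparty.tmp", "geparty.tmp"],
    "user_agent": ["mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.9.0.7) "
                   "gecko/2009021910 firefox/3.0.7"],
}


def match_line(line):
    """Return [(category, indicator, weight)] for every indicator found in line.

    Case-insensitive substring search is deliberate: hashes, hostnames and
    paths in proxy, EDR or Sysmon logs come in mixed case and odd quoting.
    """
    low = line.lower()
    hits = []
    for weight, table in (("strong", STRONG), ("weak", WEAK)):
        for category, indicators in table.items():
            for ind in indicators:
                if ind in low:
                    hits.append((category, ind, weight))
    return hits


def verdict(hits):
    """Collapse a hit list into one of: alert, review, info, clean."""
    if any(w == "strong" for _, _, w in hits):
        return "alert"
    if len(hits) >= 2:          # two weak indicators on one line is worth a look
        return "review"
    return "info" if hits else "clean"


def scan(lines):
    """Scan an iterable of log lines; return one record per line that had hits."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            findings.append({"line": number, "verdict": verdict(hits), "hits": hits})
    return findings


# Constructed sample log lines: a proxy entry, a file-create event, a hash
# lookup and a clean line. The formats are illustrative only.
SAMPLE_LOG = [
    '2010-09-16 07:30:12 10.0.0.15 POST https://www.mysundayparty.com/asp/'
    'kys_allow_get.asp?name=getkys.kys 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; '
    'en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7"',
    r'2010-09-16 07:29:58 FileCreate C:\Users\victim\AppData\Local\Temp\eparty.dll',
    r'2010-09-16 07:29:55 Hash md5=0ade988a4302a207926305618b4dad01 C:\Users\victim\AppData\Local\Temp\clip.exe',
    '2010-09-16 07:31:00 10.0.0.15 GET http://www.yahoo.com/ 200',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']:6} "
              + ", ".join(f"{c}={i}" for c, i, _ in f["hits"]))
```

Run against the constructed lines it flags the proxy entry and the hash lookup as alerts and the temp-file write as info; the yahoo.com line stays clean because the http://www.yahoo.com/ string found in both binaries is deliberately left out of the indicator set, since it would match ordinary browsing.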



Whois for MYSUNDAYPARTY.COM (68.178.232.100)

Registrant:
debby ryan
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
Registered through:    GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name:    MYSUNDAYPARTY.COM
Created on:    15-Sep-10
Expires on:    15-Sep-11
Last Updated on:    15-Sep-10

Administrative Contact:
ryan, debby g.debbei_X@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Technical Contact:
ryan, debby g.debbei_X@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Domain servers in listed order:
NS09.DOMAINCONTROL.COM
NS10.DOMAINCONTROL.COM





68.178.232.100
Hostname:    m1pwwbweb03.prod.mesa1.secureserver.net
ISP:    GoDaddy.com
Organization:    GoDaddy.com
Country:    United States
State/Region:    Arizona
City:    Scottsdale


Anubis report for eparty.exe
http://anubis.iseclab.org/?action=result&task_id=168dda0c90f205044514f313c5920ae89&format=html


File name: eparty.exe (same file as clip.exe)
VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=62605348434477309b11edf512d409afdd89f53f0aa567d91b318b83e69c9090-1284639565
Result: 16/43 (37.2%)

Antivirus            Version         Last update   Result
AntiVir              8.2.4.52        2010.09.16    HEUR/Malware
Authentium           5.2.0.5         2010.09.16    W32/Heuristic-257!Eldorado
BitDefender          7.2             2010.09.16    Gen:Trojan.Heur.RP.cqW@aqLpqRob
DrWeb                5.0.2.03300     2010.09.16    Trojan.MulDrop.origin
F-Prot               4.6.1.107       2010.09.16    W32/Heuristic-257!Eldorado
F-Secure             9.0.15370.0     2010.09.16    Gen:Trojan.Heur.RP.cqW@aqLpqRob
GData                21              2010.09.16    Gen:Trojan.Heur.RP.cqW@aqLpqRob
K7AntiVirus          9.63.2522       2010.09.15    Riskware
Kaspersky            7.0.0.125       2010.09.16    Heur.Trojan.Generic
McAfee-GW-Edition    2010.1C         2010.09.16    Heuristic.BehavesLike.Win32.Rootkit.H
Microsoft            1.6103          2010.09.16    Trojan:Win32/Wisp.gen!A
NOD32                5454            2010.09.16    probably a variant of Win32/Wisp.A
Panda                10.0.2.7        2010.09.16    Suspicious file
Sophos               4.57.0          2010.09.16    Mal/Dropper-Y
Sunbelt              6882            2010.09.16    BehavesLike.Win32.Malware.tsc (mx-v)
VBA32                3.12.14.0       2010.09.16    Trojan.Win32.Inject.2

MD5   : 0ade988a4302a207926305618b4dad01


File name: eparty.dll
VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=cf656854e07999b89e1e751f0865a22c88e18b60019937eb99f95709b06d169c-1284657179
Result: 6/43 (14.0%)

Antivirus            Version         Last update   Result
AhnLab-V3            2010.09.16.01   2010.09.16    Backdoor/Win32.CSon
AntiVir              8.2.4.52        2010.09.16    HEUR/Malware
Microsoft            1.6103          2010.09.16    Trojan:Win32/Wisp.gen!A
NOD32                5455            2010.09.16    a variant of Win32/Wisp.B
Prevx                3.0             2010.09.16    Medium Risk Malware
VBA32                3.12.14.0       2010.09.16    suspected of Win32.Trojan.Downloader

MD5   : 68f5a1faff35ad1ecaa1654b288f6cd9


