Download INTEREST_&_FOREIGN_EXCHANGE_RATES.pdf and dropped files as a password protected archive (contact me if you need the password)
-----Original Message-----
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sent: Thursday, September 16, 2010 11:32 AM
To: XXXXXXXXXXXXXX
Subject: INTEREST & FOREIGN EXCHANGE RATES

Dear XXXXXXXXXXXXXXXXXXX,

Hope this email finds you well.
Maybe you are interested in this article.
Apologies for this sudden request, but we would greatly appreciate your advice.

Best Regards,
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
Headers
Received: (qmail 23641 invoked from network); 16 Sep 2010 15:33:10 -0000
Received: from iismx.iis.sinica.edu.tw (HELO iismx.iis.sinica.edu.tw) (140.109.20.49)
by XXXXXXXXXXXX; 16 Sep 2010 15:33:10 -0000
Received: from webmail.iis.sinica.edu.tw ([192.168.0.51])
by iismx.iis.sinica.edu.tw (8.14.3/8.14.3) with ESMTP id o8GFYqvL050905
for; Thu, 16 Sep 2010 23:34:52 +0800 (CST)
(envelope-from XXXXXXXXXXXXXXX)
Received: from webmail.iis.sinica.edu.tw (localhost [127.0.0.1])
by webmail.iis.sinica.edu.tw (8.13.8/8.13.8) with ESMTP id o8GFVqXC099684
for; Thu, 16 Sep 2010 23:31:52 +0800 (CST)
(envelope-from XXXXXXXXXXXXXX)
Received: (from www@localhost)
by webmail.iis.sinica.edu.tw (8.13.8/8.13.8/Submit) id o8GFVqI2099683
for XXXXXXXXXXXXXXXX; Thu, 16 Sep 2010 23:31:52 +0800 (CST)
(envelope-from XXXXXXXXXXXXXXX)
X-Authentication-Warning: webmail.iis.sinica.edu.tw: www set sender to XXXXXXXXXXXXXX using -f
Received: from mail.confinewags.com (mail.confinewags.com [204.45.63.6]) by
webmail.iis.sinica.edu.tw (Horde MIME library) with HTTP; Thu, 16 Sep 2010
23:31:52 +0800
Message-ID: <20100916233152.w71ipg6umo8sscgg@webmail.iis.sinica.edu.tw>
Date: Thu, 16 Sep 2010 23:31:52 +0800
From: XXXXXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXX
Subject: INTEREST & FOREIGN EXCHANGE RATES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_5ad2cgdiu1d4"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.5) / FreeBSD-6.2
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (iismx.iis.sinica.edu.tw [192.168.0.49]); Thu, 16 Sep 2010 23:34:52 +0800 (CST)
X-Scanned-By: MIMEDefang 2.67 on 192.168.0.49
Message Received from
204.45.63.6
Hostname: mail.confinewags.com
ISP: FDCservers.net
Organization: FDCservers.net
Type: Corporate
Assignment: Static IP
Country: United States
State/Region: California
City: Newark
140.109.20.49
General IP Information
Hostname: iismx.iis.sinica.edu.tw
ISP: Academia Sinica
Organization: Academia Sinica
Type: Broadband
Assignment: Static IP
Country: Taiwan
State/Region: T'ai-pei
File name: CVE-2010-2883_PDF_2010-09-INTEREST_&_FOREIGN_EXCHANGE_RATES.pdf
VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=daac83fc4af5c53068c4e5a29dadfdc5200e3b3fc2b491eebe0a4bc19ec9e3f2-1285731514
Result: 22/ 43 (51.2%)
Antivirus Version Last Update Result
Avast 4.8.1351.0 2010.09.28 PDF:CVE-2010-2883
Avast5 5.0.594.0 2010.09.28 PDF:CVE-2010-2883
AVG 9.0.0.851 2010.09.28 Exploit_c.KAH
BitDefender 7.2 2010.09.29 Exploit.PDF-TTF.Gen
Emsisoft 5.0.0.50 2010.09.29 Exploit.Win32.CVE-2010-2883!IK
eTrust-Vet 36.1.7881 2010.09.28 PDF/CVE-2010-2883.A!exploit
F-Secure 9.0.15370.0 2010.09.29 Exploit.PDF-TTF.Gen
Fortinet 4.1.143.0 2010.09.28 PDF/CoolType!exploit.CVE20102883
GData 21 2010.09.29 Exploit.PDF-TTF.Gen
Ikarus T3.1.1.90.0 2010.09.29 Exploit.Win32.CVE-2010-2883
Kaspersky 7.0.0.125 2010.09.29 Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition 2010.1C 2010.09.28 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.6201 2010.09.28 Exploit:Win32/Pdfjsc.HX
NOD32 5487 2010.09.28 PDF/Exploit.Gen
Norman 6.06.06 2010.09.28 PDF/Suspicious.D
nProtect 2010-09-28.01 2010.09.28 Exploit.PDF-Name.Gen
Panda 10.0.2.7 2010.09.28 Exploit/PDF.Exploit
PCTools 7.0.3.5 2010.09.28 HeurEngine.MaliciousExploit
Sophos 4.58.0 2010.09.29 Troj/PDFEx-DW
Symantec 20101.1.1.7 2010.09.29 Bloodhound.Exploit.357
TrendMicro-HouseCall 9.120.0.1004 2010.09.29 -
VBA32 3.12.14.1 2010.09.27 Exploit.Win32.CVE-2010-2883.a
ViRobot 2010.8.31.4017 2010.09.28 Backdoor.Win32.S.Agent.289515
MD5: 4ef704239fa63d1c1dfcf2ea2da0d711
The exploit code in the PDF appears to be borrowed from Metasploit.
Created files
#1
%tmp%\setup.exe
http://anubis.iseclab.org/?action=result&task_id=14495366b24a64d242d1946aa1e3a88be&format=html
File: setup.exe
MD5: 95d42d365489a6e5ebdf62565c5c8aa2
Size: 139264
File name: setup.exe
Submission date: 2010-09-29 04:41:41 (UTC)
Result: 19/ 43 (44.2%)
Antivirus Version Last Update Result
AhnLab-V3 2010.09.29.00 2010.09.28 Trojan/Win32.Gen
AVG 9.0.0.851 2010.09.28 unknown virus Win32/DH.BA
BitDefender 7.2 2010.09.29 Trojan.Generic.4780118
DrWeb 5.0.2.03300 2010.09.28 Trojan.Inject.10568
Emsisoft 5.0.0.50 2010.09.29 Trojan.Win32.Agent.fext!A2
F-Secure 9.0.15370.0 2010.09.29 Trojan.Generic.4780118
GData 21 2010.09.29 Trojan.Generic.4780118
Kaspersky 7.0.0.125 2010.09.29 Trojan.Win32.Agent.fext
McAfee 5.400.0.1158 2010.09.29 Artemis!95D42D365489
McAfee-GW-Edition 2010.1C 2010.09.28 Artemis!95D42D365489
Norman 6.06.06 2010.09.28 W32/Malware
nProtect 2010-09-28.01 2010.09.29 Trojan/W32.Agent.139264.RP
Panda 10.0.2.7 2010.09.28 Trj/CI.A
PCTools 7.0.3.5 2010.09.28 Trojan.Gen
Sophos 4.58.0 2010.09.29 Mal/Ovoxual-A
Sunbelt 6943 2010.09.29 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.09.29 Trojan.Gen
TrendMicro 9.120.0.1004 2010.09.29 TROJ_GEN.R47C3IR
TrendMicro-HouseCall 9.120.0.1004 2010.09.29 TROJ_GEN.R47C3IR
MD5: 95d42d365489a6e5ebdf62565c5c8aa2
Mal/Ovoxual-A
Mal/Ovoxual-A is a malicious executable file.
Mal/Ovoxual-A often drops the following files:
\FAVORITES.DAT (clean data file)
\msupdater.exe (usually detected as Mal/Ovoxual-B).
Mal/Ovoxual-A may also then set the following registry entry to run msupdater.exe automatically:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe "\msupdater.exe"
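As an added defender-side example (not code from the original post or from Sophos), the routine below parses a `reg export` of the Winlogon key and flags every program other than explorer.exe in the Shell value, which is the persistence technique described above. The .reg text is a constructed sample that reproduces the Shell value quoted in the description.

```python
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of a .reg export: explorer.exe with msupdater.exe appended,
# as in the Mal/Ovoxual-A description (quotes and backslashes are escaped
# exactly as reg.exe writes them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"\\msupdater.exe\""
'''

# "name"="value" line of a .reg file; both sides may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Shell entries are either "quoted paths" or bare tokens separated by space/comma.
_TOKEN_RE = re.compile(r'"([^"]*)"|([^\s,]+)')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def shell_entries(value: str) -> List[str]:
    """Split a Winlogon Shell value into its individual program entries."""
    return [q or b for q, b in _TOKEN_RE.findall(value) if q or b]


def find_shell_persistence(reg_text: str) -> List[str]:
    """Return every Winlogon\\Shell entry whose file name is not explorer.exe."""
    values = {k.lower(): v for k, v in parse_reg(reg_text).get(WINLOGON_KEY, {}).items()}
    shell = values.get("shell", "explorer.exe")  # a missing value means the default
    extras = []
    for entry in shell_entries(shell):
        name = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name != "explorer.exe":
            extras.append(entry)
    return extras
```

On a live host the same check applies to the HKLM copy of the key, which takes effect when the HKCU value is absent.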
#2
http://anubis.iseclab.org/?action=result&task_id=1e84f89b1e5b8fe04ad889cf45d8dbb88
File: msupdater.exe
MD5: 374075ce8b6e8f0cd1f90009fd5a703b
Size: 49152
File name: msupdater.exe
Submission date: 2010-09-29 04:58:03 (UTC)
http://www.virustotal.com/file-scan/report.html?id=043935374ce39637a4816d0a484d30bed1d3054bbe89625fbc22f83ef4cb3e04-1285736283
Result: 25/ 43 (58.1%)
Antivirus Version Last Update Result
AhnLab-V3 2010.09.29.00 2010.09.28 Trojan/Win32.Agent
AntiVir 7.10.12.61 2010.09.28 TR/Agent.fext
Antiy-AVL 2.0.3.7 2010.09.29 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2010.09.28 Win32:Malware-gen
Avast5 5.0.594.0 2010.09.28 Win32:Malware-gen
AVG 9.0.0.851 2010.09.28 Agent2.AXTO
BitDefender 7.2 2010.09.29 Trojan.Generic.4762825
DrWeb 5.0.2.03300 2010.09.28 Trojan.Starter.1222
Emsisoft 5.0.0.50 2010.09.29 Trojan.Agent2!IK
F-Secure 9.0.15370.0 2010.09.29 Trojan.Generic.4762825
GData 21 2010.09.29 Trojan.Generic.4762825
Ikarus T3.1.1.90.0 2010.09.29 Trojan.Agent2
Kaspersky 7.0.0.125 2010.09.29 Trojan.Win32.Agent.fext
McAfee 5.400.0.1158 2010.09.29 Generic.dx!two
McAfee-GW-Edition 2010.1C 2010.09.28 Generic.dx!two
Norman 6.06.06 2010.09.28 W32/Backdoor!gens.19256608
nProtect 2010-09-28.01 2010.09.29 Trojan/W32.Agent.49152.AMN
Panda 10.0.2.7 2010.09.28 Trj/CI.A
PCTools 7.0.3.5 2010.09.28 Trojan.Gen
Sophos 4.58.0 2010.09.29 Mal/Ovoxual-B
Sunbelt 6943 2010.09.29 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.09.29 -
Symantec 20101.1.1.7 2010.09.29 Trojan.Gen
TrendMicro 9.120.0.1004 2010.09.29 TROJ_GEN.R47C4IM
TrendMicro-HouseCall 9.120.0.1004 2010.09.29 TROJ_GEN.R47C4IM
MD5: 374075ce8b6e8f0cd1f90009fd5a703b
Also dropped in the same location as the PDF:
File: iso88591
MD5: 18b0a39b7f9329e12d2b5893d4177053
Size: 65536
TCP connections to 140.112.19.195
140.112.19.195:80
Hostname: ipserver.ee.ntu.edu.tw
ISP: National Taiwan University
Organization: National Taiwan University
Assignment: Static IP
Country: Taiwan
State/Region:
City: Taipei
National Taiwan University is aware of the problem with 140.112.19.195.
Payload analysis kindly offered by Shpata Skenderbeut
msupdate.exe / favorites.dat Analysis