CVE-2010-3654 Adobe Flash player zero day vulnerability

Common Vulnerabilities and Exposures (CVE)number

 

CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

  General File Information

File Name: News Release.pdf
MD5  411406d5ace2201e5dd73ce8e696b03b
SHA1  : 92e03aa29715951061d8dd17ea59221fc8ea1d65
File size : 241679 bytes
Type:  PDF
Distribution: Email attachment

read more...

Oct 24 CVE-2010-2883 PDF Vision Poll Center from ynnchang@gmail.com

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information

Download 20101024S01AL01PR1R.pdf as a password protected archive (contact me if you need the password)


From: 遠見民調中心 張雅琳 [mailto:ynnchang@gmail.com]
Sent: Sunday, October 24, 2010 11:51 PM
To: ynnchang@gmail.com
Subject: 遠見民調中心_台灣民心指數調查結果

    遠見民調中心 設計與執行
    台灣民心指數( Taiwan Public Mood Index, TPMI )
    2010年10月調查結果
         --------------------------------------------------------
                 遠見民調中心  張雅琳
           Global Views Survey Research Center
              104 台北市松江路93巷1號
               行動：0916-828-482
               電話：02-2517-3688分機638
               專線：02-2517-8537
               傳真：02-2517-6275

Chinese to English translation

From: Vision polling centers Zhang Yalin [mailto: ynnchang@gmail.com]Sent: Sunday, October 24, 2010 11:51 PMTo: ynnchang@gmail.comSubject: Vision polling center _ the findings of the Taiwan people index

    Survey Center design and implementation of the vision
    Taiwan Public Mood Index (Taiwan Public Mood Index, TPMI)
    October 2010 survey results
         -------------------------------------------------- ------
                 Vision polls Center Zhang Yalin
           Global Views Survey Research Center
              Lane 93, Sung Chiang Road, Taipei 104, No. 1
               Action :0916 -828-482
               Tel :02 -2517-3688 ext 638
               Line :02 -2517-8537
               Fax :02 -2517-6275

 


File name:20101024S01AL01PR1R.pdf
http://www.virustotal.com/file-scan/report.html?id=0a45313368c6437fa419d034e0bdb6ca5eb6ca4359c607d90d1027ec7a6bfda8-1288175111
Submission date:2010-10-27 10:25:11 (UTC)
15/ 41 (36.6%)
AntiVir    7.10.13.47    2010.10.27    HTML/Malicious.PDF.Gen
Avast    4.8.1351.0    2010.10.27    PDF:CVE-2010-2883
Avast5    5.0.594.0    2010.10.27    PDF:CVE-2010-2883
AVG    9.0.0.851    2010.10.27    Exploit_c.KGX
BitDefender    7.2    2010.10.27    Exploit.PDF-TTF.Gen
Comodo    6526    2010.10.27    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.10.27    Exploit.PDF.1641
F-Secure    9.0.16160.0    2010.10.27    Exploit.PDF-TTF.Gen
Fortinet    4.2.249.0    2010.10.27    PDF/CoolType!exploit.CVE20102883
GData    21    2010.10.27    Exploit.PDF-TTF.Gen
Ikarus    T3.1.1.90.0    2010.10.27    Exploit.Win32.CVE-2010-2883
Microsoft    1.6301    2010.10.27    Exploit:Win32/CVE-2010-2883.A
PCTools    7.0.3.5    2010.10.27    HeurEngine.MaliciousExploit
Sophos    4.58.0    2010.10.27    Troj/PDFJs-NA
Symantec    20101.2.0.161    2010.10.27    Bloodhound.Exploit.357
Additional information
Show all
MD5   : 1618d09ff580014b251794222bb0f0f9

Inception (via @reversemode)

:) thanks to @reversemode

Oct 08 CVE-2010-2883 PDF Nuclear Challenges and Responses in the Century from JUN.Bong-Geun@ifans.go.kr

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. 

Download Conference Information_2010 IFANS Conference on Global Affairs (1001)  as a password protected archive (contact me if you need the password)

----Original Message-----
From: JUN.Bong-Geun@ifans.go.kr [mailto:JUN.Bong-Geun@ifans.go.kr]
Sent: Friday, October 08, 2010 1:43 PM
Subject: Nuclear Challenges and Responses in the Century

Dear all

We inform you of an event and expect your kindly opinions.
On October 4th-5th 2010, the  IFANS Conference on Global Affairs in 2010, "Nuclear Challenges and Responses in the  Century" is hosted by the Institute of Foreign Affairs and National Security (IFANS) and the Presidential Council for Future and Vision (PCFV), and is organized by the Institute of Foreign Affairs and National Security (IFANS),ROK.

At the conference,in-depth discussion is expected among international and Korean experts and turn-out policy recommendations in terms of three subjects.
The sessions and programs were attached to a file "Conference Information.pdf".

Headers

Received: (qmail 13720 invoked from network); 8 Oct 2010 01:43:34 -0000
Received: from mail.tekkan.com (HELO mail.tekkan.com) (164.46.125.50)
  by XXXXXXXXXXXXXXXXX; 8 Oct 2010 01:43:34 -0000
Received: from mofat-p6463dmel ([221.9.247.17])
    by mail.tekkan.com (8.12.11.20060829/8.11.3) with SMTP id o981guo7022508;
    Fri, 8 Oct 2010 10:42:59 +0900
Message-ID: <201010080142.o981guo7022508@mail.tekkan.com>
From: JUN.Bong-Geun@ifans.go.kr
To:
Subject: Nuclear Challenges and Responses in the  Century
Date: Fri, 8 Oct 2010 10:43:08 -0700
X-Mailer: CSMTPConnection v2.17
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="ad7e60eb-fca5-415b-9c56-9d74439519e2"
Content-Transfer-Encoding: quoted-printable

Hostname:    221.9.247.17
ISP:    China Unicom Jilin province network
Organization:    China Unicom Jilin province network
Assignment:    Static IP
 Country:    China 
State/Region:    Jilin
City:    Changchun



 Virustotal
http://www.virustotal.com/file-scan/report.html?id=0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972-1287057726
File name:Conference Information_2010 IFANS Conference on Global Af[...].pdf
Submission date:2010-10-14 12:02:06 (UTC)
Current status:
14/ 43 (32.6%)
Avast    4.8.1351.0    2010.10.14    PDF:CVE-2010-2883
Avast5    5.0.594.0    2010.10.14    PDF:CVE-2010-2883
AVG    9.0.0.851    2010.10.14    Exploit_c.LMW
BitDefender    7.2    2010.10.14    Exploit.PDF-TTF.Gen
Comodo    6388    2010.10.14    UnclassifiedMalware
F-Secure    9.0.16160.0    2010.10.14    Exploit.PDF-TTF.Gen
GData    21    2010.10.14    Exploit.PDF-TTF.Gen
Kaspersky    7.0.0.125    2010.10.14    Exploit.Win32.CVE-2010-2883.a
NOD32    5530    2010.10.14    JS/Exploit.Shellcode.A.gen
Norman    6.06.07    2010.10.14    HTML/Shellcode.Q
nProtect    2010-10-14.01    2010.10.14    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.10.14    Trojan.Pidief
Sophos    4.58.0    2010.10.14    Mal/JSShell-B
Symantec    20101.2.0.161    2010.10.14    Trojan.Pidief
Additional information
Show all
MD5   : 3abfe5fd78ffddebf23bd46edf4e4eb7

Created files

C:\windows\system32\syschk.ocx
File name: syschk.ocx
MD5   : 16ba21c1eac48eb20c04ac91ef9c2bd1
Submission date: 2010-10-16 04:33:16 (UTC)
Result: 0/ 43 (0.0%)

Strings (yes, C:\Documents and Settings\Mila\Desktop\Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf" is not a accidental paste, it is in the file = inserted path from the original location of the pdf.File: syschk.ocx MD5: 16ba21c1eac48eb20c04ac91ef9c2bd1 Size: 159744 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. Rich .text `.rdata @.data .rsrc @.reloc L$ R t$(t L$(V PVQRh L$$P L$8h vU;l$,wO t$0j l$$; s|SU Jt;Ju>j L$(P3 PVj!R T$(QR _^][ _^]3 D$ RP _^][ t;Ht IQhd SUVW T$ j _^][ IQhd _^]3 D$ @ _^][ SUVW T$$Q _^]3 D$P3 |$QU |$Th L$XQ T$TQRP _^]3 |$,P D$4P T$4RP D$<( D$0j PUQR _^]3 _^]3 L$$W t2VW IQhh IQhh _^[Y t-E; L$ Q D$ + _^][Y _^][Y _^][Y D$$f L$(f }#EA <(>u T$(j _^]2 L$ j D$<_^] l$<C T$<_^] Ht#Hu PQUf SUV3 _^][ SQhH SRh8 SPh0 D$ RP A<;u SUVW |$ ; _^][ DSVWh0 L$dPj0Q Rj1P Qj2R Pj3Q Rj4P T$ Qj5R L$$Pj6Q D$(Rj7P T$,Qj8R L$0Pj9Q D$4RjAP T$8QjBR L$<PjCQ D$@RjDP T$DQjER L$HPjFQ _^[d >MZt ^JGQ QRWV ^_ZY QRWV ^_ZY wkernel32.dll \syschk.ocx shell32.dll ;|$(u ShnY u,Sh SUVW |$ ; _^][ QSUVW >"u< <0"t <0"t L$$S <(\t <(\t ^][_ SUVW |$0h L$$Pj T$(h L$(j T$,QR _^]3 `SVW3 PVVj T$<j D$ j L$ R VUSQ _^[d SUVW L$$j D$4j D$ hh _^][ _^][ QSVW` SVWh` D$,j L$4PQSR L$0j D$0j D$@h L$LQ IQh\ D$@h L$Hh T$,h D$4P D$$j L$0PQSR L$,j D$,j UVW3 L$,h D$,P L$,QR D$,RPSSQ D$#j T$ R \$ E; D$(h L$(PQSSR |$(P L$0P T$8QRUP T$(QPPP D$(RP D$ R L$4j _^[] Vu{j t[VWS ds4V UQRP QVh` VUUUW G<4r ][_^ SUVW VUUU _^][ _^][ VUUU VUUU N<"t L$(Qj l$$j D$$+ T$(R _^]d L$ Q T$0j L$<+ D$,j L$8j D$$RPj L$xh` T$xQUR L$$PQj t4hx D$xh` L$xh` L$xh T$xh L$(R L$0PQQQQQ L$LQ D$\D _^][d SVWP D$Hj L$Tj D$# IQh\ T$'j D$&f SVW3 _^[d uiSV3 ?j\W X_^] x,.u ;(rU VPVj0 s$_r QSVW QQSVWd 4SVW PhYY X_^[] SVWUj ]_^[ t.;t$$t( tzVS GIt% t/Ku t-9] _^[] SUVW _^][ SVWu _^[] VC20XC00U SVWU tEVU t3x< ]_^[ QSVW QSVW t7)E D$ P t$ V NWVS u7WPS u&WVS _^[] Ww!j _^[] _9=,. YY_[] tD+E uRFGHt Yt)W3 SVWj j@Y3 Wj@Y3 t7SW @AA; 8csm u,9x X_^] ub9~ YY_^[ QQVW sO;>|C;~ u Vj 8csm u SW _^[] ?csm 8csm YYPW QQSVW t:jtj Yt)V u?jtj Yt&V FP= QQSVW 9p`t QQSVW _WPS HHtpHHtl RPWV u>Wj t&:a Yu!j t%WV SVW3 ~&WP SVWj tYPV YYF;5 t%WV QQSV btHHt. SVWj u!PV YYF;5 X_[^ t%WV wBVSP _^[] HSVWh t9UW ?=t"U QQS3 PSSW 8"uD 8"uF@ 8"u, @@f9 @@f9 SS@SSPVSS t#SSUP t$$VSS _^][YY j?I_ ulSj uY;] pD#U j #M j?^; X_^[ ^_[3 PPPPPPPP uFWWj "WWSh4 9} u E WW tMWWS t@9} VSh ^[_3 PPPPPPPP PPPPPPPP PVh4 u";E u+Vj 8csm QQSVWj PSj? PSj? >:uNFV >:u#FV Y_^[ SVW3 Qf9= WQPWS ,f9=\0 WWWj WWSj WWWj _^[] QQSUVWj _^][YY VWsr 1t*; VWuBh\ tPh@ <8=u SVWu ^}%95 HSVHWtgHHtF NTuI H}Fj QSUV WWWWj t/WWUPj _^][Y SVWt _^[] FGQPS 0SVW _u@W PWPSS PWPSS 9] u tySS t-VW QQSVW3 tUj= t@9u uT9} 8<=t ^][_ tJSWV u/9F j@jP hWj@_; PPhj Pl_^ tWS3 QSUVWj n0SSSSU _SSSSU Ph_^][Y 9Q\u 9y`u ;qdt V9l$ VVUVS _^][ SUVW UUWP _^][Y !hOe tuHHt tD9_Pt? 9X tn w]hOe ~0PPW E SVj (wqt\HHtS tFHt> t>Ht Ht u<9E _^[] t59~ u09=h- 9=h- QQSVW QQSV 4SVW VhOe tBSh X_^[ @SVW btZ- VWhOe VhOe 9p$u ,SVW t39w 9w u ^$tL t7j, tMVW >(r- u@hOe 9HPu u,;C _^[d <VWj VwltB r0=8 97_u SVW3 ^[+E F _^ tBSh tBSh tBSh F ^d SVW3 SShv _^][ _^[d ;Nxu _j X; QQUV _^]YY QSVW t#;^ QQSVW 9^xu2 Vu4j u5SVW uTVW PWVWWW WVWWW QQV3 j@j< SUVW ^,_^][ CWinApp PreviewPages Settings CFileFind file:// CWinThread CCmdTarget .INI .HLP CNotSupportedException CMemoryException CException combobox software CObject CTempGdiObject CTempDC CGdiObject CUserException CResourceException CTempWnd CWnd AfxOldWndProc423 AfxWnd42s AfxControlBar42s AfxMDIFrame42s AfxFrameOrView42s AfxOleControl42s GetMonitorInfoA EnumDisplayMonitors MonitorFromPoint MonitorFromRect MonitorFromWindow GetSystemMetrics USER32 DISPLAY commctrl_DragListMsg InitCommonControlsEx COMCTL32.DLL CMapPtrToPtr CTempMenu CMenu H:mm:ss dddd, MMMM dd, yyyy M/d/yy December November October September August July June April March February January Saturday Friday Thursday Wednesday Tuesday Monday Sunday (8PX 700WP `h```` ppxxxx (null) runtime error TLOSS error SING error DOMAIN error R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough spac e for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data abnormal program termination R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point not loaded Microsoft Visual C++ Runtime Library Runtime Error! Program: <program name unknown> SunMonTueWedThuFriSat JanFebMarAprMayJunJulAugSepOctNovDec GetLastActivePopup GetActiveWindow MessageBoxA user32.dll CloseHandle ReadFile GetFileSize CreateFileA LocalAlloc LocalFree GetLastError UnmapViewOfFile MapViewOfFile CreateFileMappingA SetFileAttributesA FreeLibrary GetProcAddress LoadLibraryA OpenProcess HeapFree HeapAlloc GetProcessHeap MultiByteToWideChar GetFullPathNameA DeleteFileA Sleep GlobalUnlock GlobalLock TerminateProcess GetCurrentProcess CreateProcessA GetSystemDirectoryA InterlockedIncrement InterlockedDecrement lstrlenA WideCharToMultiByte GetCurrentThreadId GetCurrentThread lstrcmpiA lstrcmpA GlobalDeleteAtom GlobalAlloc FindClose SetLastError FindFirstFileA lstrcpyA FindNextFileA GetModuleFileNameA InitializeCriticalSection TlsAlloc DeleteCriticalSection GlobalFree GlobalHandle TlsFree LeaveCriticalSection GlobalReAlloc EnterCriticalSection TlsSetValue LocalReAlloc TlsGetValue SetErrorMode lstrcatA lstrcpynA GetVersion GlobalFlags WritePrivateProfileStringA GetCurrentDirectoryA GetModuleHandleA FileTimeToSystemTime FileTimeToLocalFileTime GlobalFindAtomA GlobalAddAtomA GlobalGetAtomNameA GetProcessVersion WriteFile FilePointer FlushFileBuffers SetEndOfFile GetCPInfo GetOEMCP RtlUnwind GetTimeZoneInformation GetSystemTime GetLocalTime GetCommandLineA ExitProcess RaiseException HeapSize HeapReAlloc GetACP SetHandleCount GetStdHandle GetFileType GetStartupInfoA FreeEnvironmentStringsA FreeEnvironmentStringsW GetEnvironmentStrings GetEnvironmentStringsW HeapDestroy HeapCreate VirtualFree VirtualAlloc IsBadWritePtr LCMapStringA LCMapStringW GetStringTypeA GetStringTypeW GetDriveTypeA SetUnhandledExceptionFilter IsBadReadPtr IsBadCodePtr SetStdHandle CompareStringA CompareStringW SetEnvironmentVariableA KERNEL32.dll CallNextHookEx CloseClipboard GetClipboardData OpenClipboard IsClipboardFormatAvailable SetWindowsHookExA PostQuitMessage PostMessageA SendMessageA SetCursor EnableWindow MessageBoxA GetWindowLongA IsWindowEnabled GetLastActivePopup GetParent GetCursorPos PeekMessageA IsWindowVisible ValidateRect GetKeyState GetActiveWindow DispatchMessageA TranslateMessage GetMessageA GetNextDlgTabItem GetFocus EnableMenuItem CheckMenuItem SetMenuItemBitmaps ModifyMenuA GetMenuState LoadBitmapA GetMenuCheckMarkDimensions UnhookWindowsHookEx UnregisterClassA LoadStringA GetClassNameA PtInRect GetWindowRect GetDlgCtrlID GetWindow ClientToScreen SetWindowTextA GetWindowTextA wsprintfA GetMenuItemCount GetDC ReleaseDC TabbedTextOutA DrawTextA GrayStringA GetDlgItem SetWindowLongA SetWindowPos ShowWindow SetFocus GetSystemMetrics GetWindowPlacement IsIconic SystemParametersInfoA RegisterWindowMessageA SetForegroundWindow GetForegroundWindow GetMessagePos GetMessageTime RemovePropA CallWindowProcA GetPropA SetPropA GetClassLongA CreateWindowExA DestroyWindow DefWindowProcA GetMenuItemID GetSubMenu GetMenu RegisterClassA GetClassInfoA WinHelpA GetCapture GetTopWindow CopyRect GetClientRect AdjustWindowRectEx GetSysColor MapWindowPoints LoadIconA LoadCursorA GetSysColorBrush DestroyMenu USER32.dll CreateBitmap DeleteObject DeleteDC SaveDC RestoreDC SelectObject GetStockObject SetBkColor SetTextColor SetMapMode SetViewportOrgEx OffsetViewportOrgEx SetViewportExtEx ScaleViewportExtEx SetWindowExtEx ScaleWindowExtEx GetClipBox GetDeviceCaps PtVisible RectVisible TextOutA ExtTextOutA Escape GetObjectA GDI32.dll comdlg32.dll ClosePrinter DocumentPropertiesA OpenPrinterA WINSPOOL.DRV RegCloseKey RegQueryValueExA RegOpenKeyExA SetFileSecurityA SetSecurityDescriptorDacl AddAccessAllowedAce GetAce AddAce InitializeAcl GetLengthSid GetAclInformation GetSecurityDescriptorDacl InitializeSecurityDescriptor GetFileSecurityA LookupAccountNameA GetUserNameA RegSetValueExA RegCreateKeyExA RegEnumValueA RegEnumKeyA ADVAPI32.dll SHELL32.dll COMCTL32.dll CoCreateInstance CoInitialize ole32.dll WSOCK32.dll InternetAttemptConnect InternetConnectA InternetOpenA InternetCloseHandle HttpQueryInfoA InternetSetOptionA InternetQueryOptionA HttpSendRequestA HttpAddRequestHeadersA HttpOpenRequestA HttpEndRequestA InternetWriteFile HttpSendRequestExA InternetReadFile ReadUrlCacheEntryStream RetrieveUrlCacheEntryStreamA InternetSetCookieA FindCloseUrlCache DeleteUrlCacheEntry FindNextUrlCacheEntryA FindFirstUrlCacheEntryA InternetGetCookieA WININET.dll syschk.dll CheckDrive SystemCheck --%s Content-Disposition: form-data; name="%s" --%s Content-Disposition: form-data; name="%s"; filename="%s" Content-Type: %s http .PAVCException@@ Accept: */* HTTP/1.0 Content-Type: application/x-www-form-urlencoded POST Content-Length: %d Content-Type: multipart/form-data; boundary=---------------------------7dab371b0124 ---------------------------7dab371b0124 application/octet-stream Content Type https value= name= <INPUT T1266545942618/1266545942618/1266545962717 GMAIL_LOGIN 2000 GMAIL_RTT __utmc 173272373 __utmb name = value; expires = Sat,01-Jan-2000 00:00:00 GMT asts https%3A%2F%2Fmail%2Egoogle%2Ecom%2Fmail%2F%3F continue GALX Passwd Email PersistentCookie ctok cans charset_ utf-8 draft undefined ishtml body subject GMAIL_AT d:\reg0 futurekimkim heike931 fuechei.chang fuechei.chang.drivehq.com/up/ .exe SHGetFolderPathA C:\Program Files SHELL32.DLL %programfiles% EnumProcesses GetModuleBaseNameA EnumProcessModules PSAPI.DLL unknown iexplore.exe Internet Explorer.lnk iexplore internet {871C5380-42A0-1069-A2EA-08002B30309D} favorites SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\ SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\ SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ \Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ \Microsoft\Internet Explorer\Quick Launch\ \Internet Explorer.lnk Anything can go here \iexplore.exe done %s\%s error %s done chrome.exe opera.exe netscp firefox %s%s %s%s\shellopen\command\ productname SOFTWARE\Microsoft\Windows NT\CurrentVersion csdversion SOFTWARE\Microsoft\Internet Explorer version SOFTWARE\classes\local settings\SOFTWARE\Microsoft\Windows\shell\MUICache SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache \adobe\ SOFTWARE\Clients\StartMenuInternet\ SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ http\Shell\open\command Software\Microsoft\Internet Explorer\TypedURLs " Func1 %s\rename.ocx http://%s/rename %s\syschk.ocx1 http://%s%s &cmid=1&rt=h&zx= &view=up&act=sm&jsid= &rid=mail%3Asd.40.2.0&at= https://mail.google.com/mail/?ui=2&ik= Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) @gmail.com GLOBALS= http://www.google.com/ https://mail.google.com/mail/?logout&hl=ko https://www.google.com/accounts/ServiceLoginAuth?service=mail https://mail.google.com/mail/ rundll32.exe " "%s" "%s" JavaScript/JS /FontFile2 .pdf http\Shell\open\command\ syschk.ocx acrobat\Shell\open\command\ Infect NO! Infect OK! form.ocx .?AVCNoTrackObject@@ .?AV_AFX_WIN_STATE@@ .?AVCObject@@ .?AVCCmdTarget@@ .?AVCWinThread@@ .?AVCWinApp@@ .?AVCFileFind@@ .?AV_AFX_CTL3D_STATE@@ .?AV_AFX_CTL3D_THREAD@@ .?AVCCmdUI@@ .?AUCThreadData@@ .?AVCHandleMap@@ .?AV_AFX_THREAD_STATE@@ .?AVAFX_MODULE_STATE@@ .?AVAFX_MODULE_THREAD_STATE@@ .?AV_AFX_BASE_MODULE_STATE@@ .PAX .PAVCObject@@ .PAVCSimpleException@@ .PAVCMemoryException@@ .?AVCException@@ .?AVCSimpleException@@ .?AVCMemoryException@@ .?AVCNotSupportedException@@ .?AVCDC@@ .?AVCGdiObject@@ .?AVCTempDC@@ .?AVCTempGdiObject@@ .?AVCResourceException@@ .?AVCUserException@@ .?AVCWnd@@ .?AVCTestCmdUI@@ .?AVCTempWnd@@ .?AVCMapPtrToPtr@@ .?AVCMenu@@ .?AVCTempMenu@@ .?AVtype_info@@ wwwwww wwwwww wwwwww wwwwww wwwwww wwwwww wwwwww wwwwww wwww wwww 1(1Z1q1 3t3}3 3<4z4 4"5U5c5 8O9|9 :5:C:I: ;n;s;y; =u=z= 6$64696F6e6 7K7z7 8$9*959?9I9Y9c98;A;R;W;^;h;o; <!<W<]<c< =#><> ?#?(?5?:?G?L?Y?^?k?p? 0I0q0 233L3 8(8J8f8 ;*;0;A;G;X;^;o;u;}; ;)</<F>S>`> 0&0.070>0P0 2U3l3 4-4Q4b4 4E5c5 6<6R6f6 6#7B7j7 ;#<F< >-?{? 4(5H5M5 506?6g6 8<9E9T9 :;:O: <A<k< =,=]=u= >'>Z> >3?M? 0(1C1[1s1 2&202j2x2 3'353J3U3]3j3t3 6!6.6;6_6d6 8:8p8v8}8 949W9\9 <(=-=g=l= >F>R>n> F0K0 2 2,2>2V2 3/4t4 5:5N5 5,6i6 6G8W8r8 9&:d:i:p:u:z: 0'1C1 1@2R2 3?3W3g3~3 4'464`4 5,5<5X5|5 6)656B6H6T6Y6c6j6t6{6 707i7 898@8\8q8}8 9$:S: <6>y> >!?[?o? 0"0K0_0 0_5i5 6(6\7g7n7 8"8)888@8K8Q8W8a8y8~8 :;:A: :%;K;e;l;p;t;x;|; ;J<U<p<w<|< = =j=p=t=x=|= 0;0U0\0`0d0h0l0p0t0x0 0:1E1`1g1l1p1t1 2Z2`2d2h2l2 233^3 3 4,434C4I4P4Z4s4{4 425g5 868u8{8 8/9A9P9q9w9 :5:A:K:V:`:j:p: :Z;`;~; <!<-<?<M<\<m< 5&7+7 :":(:5:E:K:S:q:w: :$;<;B;N;S; ;Q<Y< <c=r= 0p184<4@4D4H4L4P4T4$5*525:5B5N5S5_5g5o5w5 6 6&6 8(8D8S8e8n8 <2<E< 2-252F2K2X2]2 3"3<3^3j3u3 6>7D7P7 8 8R8\8}8 9%929S9x9 :':1:E:S:`:e:k: ;Z;=<V< =X=k= >8>D>N>V>^>d>l>{> ?"?d?x? 0!0(01080@0F0Q0Y0 303;3A3F3L3Y3v3|3 7'787>7Q7 7p<u< =+=K= =T>y> m0r0 1&3:3 3$4*464 5<5B5P5V5`5h5n5|5 6#6:6U6q6 777A7L7V7d7 8!8*8;8E8M8U8]8g8p8x8 8.9=9k9v9 :':2:A:R:_:r:x:~: :I;n; <(<:<B<H<P< ='>4>9>F>R> ?<?D? 0;0]0 171B1N1^1 5&545=5J5[5 8!9?9v9 <,<7<B<L<T<_<m< =M>e> >)?3?D?Q? 040p0 1"171J1 4/5>53797T7 8%818L8W8c8y8 9)9@9L9_9n9w9 :/<u< >"?i? M0|0 1&2c2h2 2^3n3 3,4F4f4m4 7U7[7f7 7>8I8 9):`: <"=e= >,>O>v> ?#?)?@?K?X?a?g?~? 0'0c0 1L1^1|1 2 3*404C4N4 666q6}6 6+7L7_7z7 8$8,848N8S8s8.9i9 <Y<r< >$>=> >=?B?q? 6"6&6*6.62666:6>6B6F6J6X6 7(7-7 8,9W9 :H<p<u< =Q>r> ?Y?f?|? $0/050S0 111Y1a1j1u1~1 282Y2y2 4(5.5I5R5q5 516D6\6w6 737G7W7n7 828Q8v8 9F9t9 9::i: >N?\?x? #0d0y0 141Z1{1 3 3&373e3 4a4r4~4 455J5P5 6%7G7r7 7M8V8_8q8w8 9K9c9 9):f: ;+;@;O; <><R< =*=B=c=v= ?5?H? 0$090N0 2&2{2 3!303=3L3R3Y3a3s3z3 4#4E4\4v4 5)555?5V5a5m5 616A6P6j6~6 6"7(747T7x7 8$8/898E8N8W8`8k8s8y8 9-9J9\9k9p9 :,:2:E:^:n:}: :%;-;?;Q; <O<a< <0=I=w= >,>W>l> ?0?d? 0!050J0]0i0 1+1=1S1e1y1 2&2;2N2a2u2 5 5$5(5,5054585<5@5D5H5L5P5`5p5t5 6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6 7 707D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7 8,80848\8`8 9 909P9`9 : :8:D:H:X:d:h: ; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|; < <$<(<,<0<8<D<H<`<l<p< =,=D=\=t= >4>L>d>|> ,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0 0(1,101418 1<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1 2 2,202H2T2X2h2l2p2t2x2|2 4$4(484@4D4P4X4\4 7l8p8x8|8 9,90989P9h9 : :(:,:0:D:T:X:`:x:|: ;,;<;@;H;`;d;|; <$<(<0<H<L<d<t<x< = =8=P=h=l=p=t= >4>D>H>P>h>l> ?$?4?8?@?X?\?`?d?|? 0$04080@0X0\0t0 1,10181P1T1l1|1 2(2D2P2X2 3$3,343<3D3L3T3\3d3l3t3|3 4 4<4H4d4p4 5 5<5D5P5l5t5 6 6<6D6P6l6t6|6 7(7D7P7l7x7 7(848<8H8d8l8x8 9(9D9L9X9t9|9 : :$:(:,:<:H:P: ; ;<;H;d;p; <4<@<H<x< =4=@=\=d=l=x= >4>@>\>h> 0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0t0x0|0 (5,505H5h5 606`6x6 6 7H7X7p7 888P8p8 9(9@9`9x9 ; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p; =$=4=D= 34484 C:\Documents and Settings\Mila\Desktop\Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf Unicode Strings: --------------------------------------------------------------------------- jjjj jjjj jjjj jjjj jjjj jjjj jjjjjj (null) ((((( H VS_VERSION_INFO StringFileInfo 040904B0 CompanyName FileDescription syschk DLL FileVersion 1, 0, 0, 1 InternalName syschk LegalCopyright Copyright (C) 2010 LegalTrademarks OriginalFilename syschk.DLL ProductName syschk Dynamic Link Library ProductVersion 1, 0, 0, 1 VarFileInfo Translation MS Shell Dlg &New Cancel &Help Open Save As All Files (*.*) Untitled an unnamed file &Hide No error message is available.'An unsupported operation was attempted.$A required resource was unavailable. Out of memory. An unknown error has occurred. Invalid filename. Failed to open document. Failed to save document. Save changes to %1? Failed to create empty document. The file is too large to open. Could not start print job. Failed to launch help. Internal application error. Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s. #Unable to read write-only property.#Unable to write read-only property. Unexpected file format.V%1 Cannot find this file. Please verify that the correct path and file name are given. Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1. Please enter an integer. Please enter a number.*Please enter an integer between %1 and %2.(Please enter a number between %1 and %2.(Please enter no more than %1 characters. Please select a button.*Please enter an integer between 0 and 255. Please enter a positive integer. Please enter a date and/or time. Please enter a currency. No error occurred.-An unknown error occurred while accessing %1. %1 was not found. %1 contains an invalid path.=%1 could not be opened because there are too many open files. Access to %1 was denied..An invalid file handle w as associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full. Seek failed on %15A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1. Disk full while accessing %1..An attempt was made to access %1 past its end. No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1. %1 has a bad format."%1 contained an unexpected object. %1 contains an incorrect schema. #Unable to load mail system support. Mail system DLL is invalid.!Send Mail failed to send message. pixels


C:\windows\system32\form.ocx  = same string as it tried to download = see the pcap screenshot below

 File: form.ocx
MD5:  279b3b44fa1ac9e72d030ff42b1b77c6
Size: 15

Ascii Strings:
---------------------------------------------------------------------------
02510c

Unicode Strings:
---------------------------------------------------------------------------

66.220.9.57

Hostname:    www.mbizgroup.biz
ISP:    Hurricane Electric
Organization:    LaFrance Internet Services
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Country:    United States
State/Region:    California
City:    Fremont