Common Vulnerabilities and Exposures (CVE) number
CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Just a quick post without any analysis. Have fun.
General File Information
File: CTF 2011 (MF).xls (also seen as BBC Monitoring reports..xls)
MD5: b4c83c1bfa52e8606ddc306625938c21
File size: 65559 bytes
Type: XLS
Distribution: Email Attachment
Original Message
From: Brandy R [mailto:bran343@yahoo.com]
Sent: Friday, March 25, 2011 5:26 AM
Subject: Fw: LES Request
Good morning,
Please find attached the LES's you requested.
Thank you and have a good day,
Christina Donald
Contractor, MPSC Systems Analyst ARNG Financial Services Center NGB -ARC-F
ATTN: NGB-ARC-F (Column 118D)
Finance Support Team Indianapolis
1-877-ARNGPAY (1-877-276-4729)
FAX CML 317-510-7017
EMAIL 2 Libya crisis
From: Brandy R [mailto:bran343@yahoo.com]
Sent: Monday, March 28, 2011 9:34 AM
Subject: Libya crisis
FYI.
Message Headers
EMAIL 1 Fw: LES Request
Received: (qmail 5543 invoked from network); 25 Mar 2011 09:26:12 -0000
Received: from web120112.mail.ne1.yahoo.com (HELO web120112.mail.ne1.yahoo.com) (98.138.85.159)
by XXXXXXXXXXXXXXXXXX with SMTP; 25 Mar 2011 09:26:12 -0000
Received: (qmail 27995 invoked by uid 60001); 25 Mar 2011 09:26:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301045172; bh=Q62Ncyt0FmiR48qzSD2tYeVDQS315MhWUx3E6d4ifJE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=X2I4ntxH/Fnul07T0st7CxQxfEX5Z6WewIv4veR5FX6ZKDioiQCxxLmvlFR/nRcScQgUWImSHirG2jMFJDig3Lp3urcsL1nRW14a0uo6cLySG+0KGvUxErwQfOPanoimt6cFe3T4wb+/gZLHKp7rpdEp2FCupPEYs+Dy4QkIbLg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=yEOAl0r6EEbTisJcFejV8CFR38jDRwyX/JEMmQCtD0C//+gadqMg1lSADpI8/KQieDqj5/U50GVuY26xGBA3XB0LstVa88F9ib1UiB53eLB9+7+5iye3vJa3TlZHOvw56KMsD93wp4OUnn9KWGQEyEvsXyzV5ilQK9KmjdCW0x0=;
Message-ID: <126300.8410.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: OFUzx_AVM1n91t0zEacsTpDPyCacKf2bDHKoqB6Vn3hPfTd
IqUqiUZjNAJvjU.tBh7Y08mchb1DO6XwlWqlesWY6RC1xTnjPd16nUJfGWwR
Tuc9T.IQ3FpvpU0JBRq_l6KbOgoSsEVKnJmkkbrAZiNnN2Rt.4Ly9h4H.ZWP
LLFpLCn_yKWiQmmaTUXHNS4JTcJ_rU3VnM5Df3CT1HA8Y_nrHrMhWI5m3F46
tFQJvqGN0cORcXWmMhaQf8Rpikw7BY1uTWAd5S8Akf..VeQyvCrFedOPa3iV
cdC9kTJYEuZj4.x_6wdAcgem9V0AD8K4pXrMprRdlC.cjzCoFPIXgJQyzTcQ
IDMF3DDktcbnLDERPCsU3RgeXtQJZWVwwcqzu3NOxiOmt3IBYaVSUsUKl
Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP; Fri, 25 Mar 2011 02:26:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 25 Mar 2011 02:26:11 -0700
From: Brandy R
Subject: Fw: LES Request
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-422978493-1301045171=:8410"
EMAIL 2 Libya crisis
Received: (qmail 31482 invoked from network); 28 Mar 2011 13:33:54 -0000
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
by XXXXXXXXXXXXXXXXXXXX with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233; bh=KYu2+ZnqxcpYMv5Jjh4esqvHpQ0m1JZbZASUr8Yt8y0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=HLo1/STzZ10/E7dyLoxHfdvAdRbkLoNYvn9FMIltVGVjIK7vuskv65yQGO2fkGSnCIC7modL5Doxocc0bJEBKDgBAS0yZ/YBoM5w3GFZYdlboS+q5rr6lU0u14vSFAPGBXzoTtiAybhKeR7q5nUzu3926eCuSq0scs4BHN4JAP0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=zJnVrp3C96n4JIp+/JrjPKMe+6V/FIUqAkF9W/X6PLPvwkTY687N00JS3fUQQg1Xfv6QrROmVJYqZqzzYqd0nsy7LWnl08HsXxa1vuQezTH8Tw5c2X6l5u7GdHPMNX9d0k6ifYaypGcN8GuWzSaR83EourWpARC3nHtLFobwFZU=;
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
X-YMail-OSG: _o26bK0VM1kBRio8SdKmAGN2J9.AjMCRjJwMgZz3m5sgukn
kIjR.Bkmhk7uNNOdN7FD2sCVdKC2zdHC.LaIDIPoHk.LUlvwjfcFa_HR4jEJ
ep7vem6mDGvEMfsZRizMV.QwJ9JBnHc3N4a.4h.5Z4oBnpmhYhJQ0yI6A.Rw
KXH6WzOHEYDg3nIjRjmbT1pieLwUAoBErZ9_ynJ97G1ZVK2uXmG7bA0bRGwc
D2X_Z335W_0gHNJm2IBsC34Wo5qeRvR.i4Bb6LUhkzGFadB7Y0pQObaqumW.
SI2jy2na7kgoidxSlAiVkSzk.vL4Mf2DfO.wTW6l_k9P9xjPBEJkEcd0mt5t
_KLaw5bxapbg-
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R
Subject: Libya crisis
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-993720929-1301319232=:59989"
Sender
Sender EMAIL 1 Fw: LES Request
117.88.250.185
Hostname: 185.250.88.117.broad.nj.js.dynamic.163data.com.cn
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Country: China
State/Region: Jiangsu
Sender EMAIL 2 Libya crisis
117.88.171.49
Hostname: 49.171.88.117.broad.nj.js.dynamic.163data.com.cn
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Country: China
State/Region: Jiangsu
City: Nanjing
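The two originating addresses listed above come from the bottom-most Received line of each message, the hop where Yahoo's webmail front end records the client that submitted the mail ("from [a.b.c.d] by ... via HTTP"). The following Python is an added example, not part of the original post, that walks a raw header block in delivery order, pulls that client address out, lists every address the chain mentions, and checks whether the DKIM signing domain matches the From domain. The sample header block is constructed from the EMAIL 1 headers quoted above, with the receiving MTA redacted as in the post, the DKIM b= value truncated, and the From address filled in from the mailto shown in the original message.

```python
"""Walk the Received chain of a suspicious message and recover the address
that submitted it at the first hop. Added example; the headers below are a
constructed copy of the EMAIL 1 headers quoted in the post."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: EMAIL 1 headers, receiving MTA redacted, b= truncated,
# From address taken from the mailto in the quoted message.
SAMPLE_HEADERS = """\
Received: (qmail 5543 invoked from network); 25 Mar 2011 09:26:12 -0000
Received: from web120112.mail.ne1.yahoo.com (HELO web120112.mail.ne1.yahoo.com) (98.138.85.159)
  by XXXXXXXXXXXXXXXXXX with SMTP; 25 Mar 2011 09:26:12 -0000
Received: (qmail 27995 invoked by uid 60001); 25 Mar 2011 09:26:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
  t=1301045172; bh=Q62Ncyt0FmiR48qzSD2tYeVDQS315MhWUx3E6d4ifJE=;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=X2I4...
Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP; Fri, 25 Mar 2011 02:26:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 25 Mar 2011 02:26:11 -0700
From: Brandy R <bran343@yahoo.com>
Subject: Fw: LES Request
To: undisclosed recipients: ;
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
Fields = List[Tuple[str, str]]


def unfold(raw: str) -> Fields:
    """Join RFC 5322 folded continuation lines and split into (name, value)."""
    fields: Fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(fields: Fields) -> List[str]:
    """Received values in delivery order: the bottom header is the first hop."""
    return [v for n, v in reversed(fields) if n.lower() == "received"]


def originating_ip(fields: Fields) -> Optional[str]:
    """Client address recorded by a webmail front end at the first hop."""
    for hop in received_hops(fields):
        m = re.search(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by \S+ via HTTP", hop)
        if m:
            return m.group(1)
    return None


def hop_ips(fields: Fields) -> List[str]:
    """Every IPv4 literal in the Received chain, first hop first."""
    return [ip for hop in received_hops(fields) for ip in IPV4.findall(hop)]


def dkim_domain(fields: Fields) -> Optional[str]:
    """Signing domain (d=) of the first DKIM-Signature header, if any."""
    for n, v in fields:
        if n.lower() == "dkim-signature":
            m = re.search(r"\bd=([^;\s]+)", v)
            if m:
                return m.group(1).lower()
    return None


def from_domain(fields: Fields) -> Optional[str]:
    """Domain part of the address in the From header, if any."""
    for n, v in fields:
        if n.lower() == "from":
            m = re.search(r"@([A-Za-z0-9.-]+)", v)
            if m:
                return m.group(1).lower()
    return None


def triage(raw: str) -> Dict[str, object]:
    """Summarise the facts an analyst pivots on: origin, hops, DKIM alignment."""
    fields = unfold(raw)
    signer, sender = dkim_domain(fields), from_domain(fields)
    return {
        "originating_ip": originating_ip(fields),
        "hop_ips": hop_ips(fields),
        "dkim_domain": signer,
        "from_domain": sender,
        "dkim_aligned": signer is not None and signer == sender,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

For this message the signing domain and the From domain both resolve to yahoo.com, so an aligned DKIM result says only that the mail really came from a Yahoo account; it is the first-hop address, not the signature, that gives the geolocation shown in the Sender section.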
Automated Scans
File name: CTF 2011 (MF).xls
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301454466
Submission date:2011-03-30 03:07:46 (UTC)
Result: 6/41 (14.6%)
ClamAV 0.96.4.0 2011.03.30 BC.XLS.Exploit.CVE_2009_3129
Jiangmin 13.0.900 2011.03.29 Heur:Exploit.CVE-2009-3129
McAfee 5.400.0.1158 2011.03.30 Exploit-MSExcel.u
McAfee-GW-Edition 2010.1C 2011.03.29 Exploit-MSExcel.u
Microsoft 1.6702 2011.03.30 Exploit:Win32/CVE-2009-3129
Sophos 4.64.0 2011.03.30 Troj/DocDrop-S
MD5 : b4c83c1bfa52e8606ddc306625938c21
Same MD5: http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301338109
File name: BBC Monitoring reports..xls
Submission date: 2011-03-28 18:48:29 (UTC)
Result: 6/43 (14.0%)