Friday, June 24, 2011

Jun 17 SCR (RTLO) South China Sea Territorial Disputes Study Update with Taidoor

Exploit Information

More about RTLO is here: "Right to Left Override unicode can be used for multiple spoofing cases" by Jordi Chancel:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE Unicode character: it always reverses the reading direction of the characters that follow it, including the extension of a malicious file! This Unicode character, which we will simply call [RTLO], cannot be seen, because the character and its position are invisible. RTLO is used to reverse the reading direction of file names, including the extension of the file concerned, while keeping the same execution type.
Example: a name like “SexyPictureGirlAl[RTLO]gpj.exe” is read as “SexyPictureGirlAlexe.jpg”."

General File Information

File Type: scr
MD5 of archive 40A0EDE3656CD6E4D77B05175A8978FE
Distribution: email attachment
Malware: Taidoor / Rubinurd

Right to Left override in action
1) unzipped attachment on Windows with the "Hide extensions for known file types" option UNCHECKED


2) unzipped attachment on Windows with the "Hide extensions for known file types" option CHECKED (the Windows default, and the more common user setting)
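The two screenshots above show the effect; the script below reproduces it so you can check attachment names before anyone double-clicks them. It is an added example, not code from the original post. Both sample names are constructed: one copies Jordi Chancel's illustration, the other is modelled on this post's sample name (the archive's real stored name is not reproduced). The rendering model is deliberately simplified (text after U+202E is shown reversed up to the next U+202C or the end of the name), which is enough to reproduce the extension spoof without implementing the full Unicode bidi algorithm.

```python
"""Detect and 'render' Unicode bidi-override tricks in attachment names.

Added example, not code from the original post. Sample names are constructed.
"""
import io
import zipfile

# Explicit bidi formatting characters that can reorder or hide part of a name.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"
# Extensions Windows executes on double-click (not exhaustive).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "cpl", "hta", "js",
             "jse", "vbs", "vbe", "wsf", "lnk", "msi"}


def rendered_name(name):
    """Approximate what a file browser shows for `name`.

    Simplified model: text after an RLO is displayed reversed up to the next
    PDF (or the end of the string); the control characters take no space.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1          # other controls are invisible; skip them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name, hide_known_ext=False):
    """Compare the stored name with what the user would see.

    hide_known_ext=True mimics Explorer's 'Hide extensions for known file
    types' setting: the true extension is stripped before display.
    """
    stem, dot, real_ext = name.rpartition(".")
    real_ext = real_ext.lower() if dot else ""
    shown = rendered_name(stem if (hide_known_ext and dot) else name)
    shown_ext = shown.rpartition(".")[2].lower() if "." in shown else ""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    return {
        "stored": name,
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        # Any bidi control in a file name is abnormal; an executable
        # extension behind it is the RTLO attack.
        "suspicious": bool(controls),
        "executable": real_ext in EXEC_EXTS,
    }


def build_sample_archive():
    """Constructed in-memory zip standing in for the e-mail attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"benign text")
        # Constructed name modelled on the post's sample; the RLO sits
        # between the underscore and "txt.scr".
        zf.writestr("South China Sea Territorial Disputes_\u202etxt.scr", b"MZ...")
    return buf.getvalue()


def scan_archive(zip_bytes, hide_known_ext=True):
    """Analyze every member name of a zip without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [analyze_filename(n, hide_known_ext) for n in zf.namelist()]


if __name__ == "__main__":
    for r in scan_archive(build_sample_archive()):
        print(f"{r['displayed']!r:50} real ext={r['real_ext']:4} "
              f"controls={r['bidi_controls']} suspicious={r['suspicious']}")
```

With extensions hidden, the constructed name renders as "South China Sea Territorial Disputes_txt" (the reversed "txt" is a palindrome), which is exactly why that suffix was chosen; with extensions shown it renders as "...Disputes_rcs.txt". Either way the stored extension is .scr and the file runs as an executable. A mail gateway or sandbox should simply reject any archive member or attachment name containing one of the characters in BIDI_CONTROLS.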


Original Message

From: []
Sent: Friday, June 17, 2011 8:28 AM
Subject: South China Sea Territorial Disputes Study Update

Message Headers

Received: (qmail 15729 invoked from network); 17 Jun 2011 00:16:48 -0000
Received: from (HELO (
  by xxxxxxxxxxxx with SMTP; 17 Jun 2011 00:16:48 -0000
Received: from appserver1 ( [] (may be forged))
    (authenticated bits=0)
    by (8.14.2/8.14.2) with ESMTP id p5H0GjUp020385
    for xxxxxxxxxx; Fri, 17 Jun 2011 08:16:47 +0800 (CST)
Message-ID: <>
Subject: South China Sea Territorial Disputes Study Update
Date: Fri, 17 Jun 2011 08:28:02 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2001
From: ""
X-Mailer: JetMail 1.00


Originating IP / sending server IP: (redacted) - HiNet address (Taiwan)
Host reachable, 267 ms. average
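Two things in the headers above are worth checking mechanically: the "(may be forged)" annotation on the first hop, and the Date header, which claims 08:28 -0400 while the first server accepted the message at 08:16 +0800. The script below is an added example, not part of the original post. SAMPLE_HEADERS is constructed: it keeps the post's timestamps, mailer headers and "may be forged" note but substitutes placeholder hosts and addresses where the post redacts them.

```python
"""Header sanity checks for a suspicious message.

Added example, not from the original post. SAMPLE_HEADERS is constructed
(placeholder hosts/addresses; timestamps and mailer headers as in the post).
"""
from datetime import timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Received: (qmail 15729 invoked from network); 17 Jun 2011 00:16:48 -0000
Received: from mx.example.invalid (HELO mx.example.invalid) (192.0.2.10)
  by victim.example.invalid with SMTP; 17 Jun 2011 00:16:48 -0000
Received: from appserver1 (relay.example.invalid [192.0.2.20] (may be forged))
    (authenticated bits=0)
    by relay.example.invalid (8.14.2/8.14.2) with ESMTP id p5H0GjUp020385
    for <victim@example.invalid>; Fri, 17 Jun 2011 08:16:47 +0800 (CST)
Subject: South China Sea Territorial Disputes Study Update
Date: Fri, 17 Jun 2011 08:28:02 -0400
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.2001
From: "Sender" <sender@example.invalid>
X-Mailer: JetMail 1.00

"""


def parse_rfc_date(text):
    """Parse an RFC 5322 date. '-0000' (unknown local zone) comes back naive
    from parsedate_to_datetime; treat it as UTC so all stamps are comparable."""
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def analyze_headers(raw):
    """Return the hop timeline plus a list of human-readable flags."""
    msg = Parser().parsestr(raw, headersonly=True)
    hops = []
    for value in msg.get_all("Received") or []:
        hops.append({
            "header": " ".join(value.split()),
            "time": parse_rfc_date(value.rsplit(";", 1)[-1]),
            "may_be_forged": "may be forged" in value,
        })
    result = {"hops": hops, "flags": []}

    if any(h["may_be_forged"] for h in hops):
        result["flags"].append(
            "a hop's HELO name did not match reverse DNS ('may be forged')")

    mailers = {k: msg[k] for k in ("X-Mailer", "X-MimeOLE") if msg[k]}
    result["mailers"] = mailers
    if len(mailers) > 1:
        result["flags"].append(
            "two mailer fingerprints (X-Mailer and X-MimeOLE): headers may be forged")

    # Received headers are prepended, so the last one is the first hop.
    first_hop = next((h["time"] for h in reversed(hops) if h["time"]), None)
    date_hdr = parse_rfc_date(msg.get("Date", ""))
    if first_hop and date_hdr:
        delta = int((date_hdr - first_hop).total_seconds())
        result["date_minus_first_hop_seconds"] = delta
        # Same wall-clock time, but in the first hop's zone: shows whether
        # only the zone designator is wrong.
        rezoned = date_hdr.replace(tzinfo=first_hop.tzinfo)
        result["wallclock_in_first_hop_zone_seconds"] = int(
            (rezoned - first_hop).total_seconds())
        if abs(delta) > 15 * 60:
            result["flags"].append(
                f"Date header is {delta // 3600}h ahead of the first hop")
    return result


if __name__ == "__main__":
    r = analyze_headers(SAMPLE_HEADERS)
    for h in r["hops"]:
        print(h["time"], "forged?" if h["may_be_forged"] else "", h["header"][:60])
    for f in r["flags"]:
        print("FLAG:", f)
```

Run against these headers the Date is 12h11m "ahead" of the server that first accepted the message, which is impossible for an honest clock. Re-reading the same wall-clock time in the first hop's zone (+0800) puts it 11 minutes before acceptance, so the sender's clock was almost certainly on +0800 (consistent with the HiNet address above) and the mailer wrote a false or misconfigured zone designator. The JetMail X-Mailer alongside an Outlook Express X-MimeOLE line is a second sign that the headers were assembled rather than produced by one client.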

Automated Scans

File: South China Sea Territorial Disputes_txt.scr
Submission date: 2011-06-24 02:53:58 (UTC)
Result: 20 /42 (47.6%)
AntiVir 2011.06.24 TR/Spy.88093.1
Antiy-AVL 2011.06.23 Trojan/Win32.Sasfis.gen
AVG 2011.06.23 Generic22.CBLL
BitDefender 7.2 2011.06.24 Gen:Trojan.Heur.eqY@yvLalFaOf
Commtouch 2011.06.24 W32/Trojan-Gypikon-based.BA!Maximus
eTrust-Vet 36.1.8403 2011.06.23 Win32/Fakedoc_i
F-Prot 2011.06.23 W32/Trojan-Gypikon-based.BA!Maximus
F-Secure 9.0.16440.0 2011.06.24 Gen:Trojan.Heur.eqY@yvLalFaOf
GData 22 2011.06.24 Gen:Trojan.Heur.eqY@yvLalFaOf
Jiangmin 13.0.900 2011.06.23 Trojan/Sasfis.qki
K7AntiVirus 9.106.4837 2011.06.23 Trojan
McAfee-GW-Edition 2010.1D 2011.06.24 Heuristic.LooksLike.Win32.Suspicious.J
Microsoft 1.7000 2011.06.23 VirTool:Win32/Injector.gen!BJ
NOD32 6234 2011.06.24 probably a variant of Win32/TrojanDropper.Agent.NM
PCTools 2011.06.23 Trojan.Gen
Sophos 4.66.0 2011.06.24 Troj/Mdrop-DMI
Symantec 20111.1.0.186 2011.06.24 Trojan.Gen
TheHacker 2011.06.23 Trojan/Sasfis.bkwo
VBA32 2011.06.23 Trojan.Sasfis.blce
VirusBuster 2011.06.23 Trojan.Agent!07xHu47lXUs
MD5: 1c33fd879fa9690490f07c26d92724e3


GET /nzcgf.php?id=0302371911380616G0 
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
The destination host is actually a name server. It is known to have spread malware (Microsoft TrojanDownloader:Win32/Buzus.C) and points to ,,,, (addresses redacted); at least seven other hosts use it as a name server.
Hosts using it as a name server -
CNET Communications
Updated: 16-Jul-2008

Server returns "Bad Request"
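The check-in above (a five-letter .php script, a single id parameter, and an MSIE 6.0 user agent on an XP host) is the one network observable this sample gives us, so it is the natural thing to hunt for in proxy logs. The script below is an added example, not from the original post. The log lines are constructed in a simple space-separated format (epoch, client, method, URL, status, quoted user agent) with a placeholder C2 host, since the post redacts it. Generalizing the path to any five-letter .php name is an assumption drawn from this one sample, not a published signature; tighten or widen it to taste.

```python
"""Flag proxy log lines matching the check-in seen in this sample.

Added example, not from the original post. Log lines are constructed; the
5-letter .php path pattern is an assumption generalized from one sample.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# User agent seen in the post's captured request.
UA_SEEN = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
# Assumption: the script name is a random 5-letter token.
PATH_RE = re.compile(r"^/[a-z]{5}\.php$")

# Constructed lines: epoch client method url status "user-agent".
SAMPLE_LOG = """\
1308883200 10.0.0.5 GET http://c2.example.invalid/nzcgf.php?id=0302371911380616G0 400 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1308883201 10.0.0.6 GET http://www.example.invalid/index.php?page=1 200 "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
1308883202 10.0.0.7 GET http://www.example.invalid/abcde.php?id=1&x=2 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1308883260 10.0.0.5 GET http://c2.example.invalid/nzcgf.php?id=0302371911380616G0 400 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d+) "(?P<ua>[^"]*)"$')


def match_beacon(line):
    """Return a hit dict if the line looks like this sample's check-in."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = urlsplit(m["url"])
    q = parse_qs(u.query)
    # All three conditions must hold: path shape, exactly one 'id'
    # parameter, and the exact user agent string.
    if not PATH_RE.match(u.path) or list(q) != ["id"] or m["ua"] != UA_SEEN:
        return None
    return {
        "ts": int(m["ts"]),
        "client": m["client"],
        "host": u.hostname,
        "path": u.path,
        "id": q["id"][0],
        "status": int(m["status"]),
    }


def scan_log(text):
    """All matching lines, in order."""
    return [h for h in (match_beacon(l) for l in text.splitlines()) if h]


def summarize(hits):
    """Count check-ins per (client, host): repeats on a timer are the
    beaconing behaviour, even when the server answers 400 as here."""
    return Counter((h["client"], h["host"]) for h in hits)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for (client, host), n in summarize(hits).items():
        print(f"{client} -> {host}: {n} check-ins, id={hits[0]['id']}")
```

The third constructed line is a near miss (five-letter .php and the right user agent, but an extra query parameter) and is deliberately not matched; the two real hits come from the same client a minute apart, which is the pattern to alert on. Note that a "Bad Request" answer, as the post observed, does not mean the host is dead: the server simply did not like that request, so keep matching on the request side.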
