These four phishing messages attempt to exploit CVE-2011-1991, type (1): deskpan.dll in the Display Panning CPL Extension. A plain description of the deskpan.dll functionality: it is "a module related to the display settings of pictures on your display screen", normally located in C:\Windows\system32\. Each phishing message carries a Word document (0/44 on VT) and a DLL named deskpan.dll together in one zip or rar archive; the DLL is in fact a Taidoor trojan, unrelated to the genuine Windows library. The exploit has strict requirements for execution. I have not been able to meet them and get it to work; as with the Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z post, it is hard to trigger. A reader sent an explanation of how the exploit can be triggered.
He wrote the following:
CMD.EXE executes vercslid.exe every time a document file (doc/rtf/txt or jpg) is invoked from the command interpreter.
It is important that the name of the current working directory of CMD.EXE is "(something){42071714-76D4-11D1-8B24-00A0C9068FF3}" and the directory contains both a (malicious) deskpan.dll and a (trigger) document file.
Common Vulnerabilities and Exposures (CVE) number
CVE-2011-1991
Windows Components Insecure Library Loading Vulnerability
Description: Multiple untrusted search path vulnerabilities in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .rtf, or .txt file, related to (1) deskpan.dll in the Display Panning CPL Extension, (2) EAPHost Authenticator Service, (3) Folder Redirection, (4) HyperTerminal, (5) the Japanese Input Method Editor (IME), and (6) Microsoft Management Console (MMC), aka "Windows Components Insecure Library Loading Vulnerability."
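The trigger layout described above (a folder whose name ends in the Display Panning CLSID, holding a deskpan.dll next to a .doc/.rtf/.txt bait file) is easy to check for in an archive listing or on an extracted mailbox. The script below is an added example, not code from the post or from any of the samples: it flags any deskpan.dll found outside system32, escalates when the folder name carries a CLSID (the Display Panning one in particular) and when the DLL's MD5 matches one of the hashes listed in this post. The sample listing is constructed for the demo; the bait document name and the two non-CLSID paths and their placeholder hashes are invented.

```python
import hashlib
import posixpath
import re

# CLSID of the Display Panning CPL extension, taken from the reader's note above.
DISPLAY_PANNING_CLSID = "{42071714-76D4-11D1-8B24-00A0C9068FF3}"
# Any folder whose name ends in a braced CLSID (with or without a leading '.').
CLSID_SUFFIX_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# MD5s of the trojanised deskpan.dll files listed in this post.
KNOWN_BAD_DESKPAN_MD5 = {
    "90c88267efd63fd8e22fb0809be372bc",
    "95eba76c46e6a5e516de4b1a2cbe052e",
}
# Document types that act as the trigger (CVE text plus the reader's jpg note).
BAIT_EXTENSIONS = {".doc", ".rtf", ".txt", ".jpg"}
LEGIT_DIRS = ("windows/system32", "winnt/system32")


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, for comparison against the hashes in the post."""
    return hashlib.md5(data).hexdigest()


def _normalize(path: str) -> str:
    return path.replace("\\", "/").strip("/").lower()


def assess_listing(entries):
    """entries: iterable of (path, md5_or_None), e.g. an archive listing.
    Returns one finding per directory holding a deskpan.dll outside system32."""
    by_dir = {}
    for path, md5 in entries:
        directory, name = posixpath.split(_normalize(path))
        by_dir.setdefault(directory, []).append((name, (md5 or "").lower()))

    findings = []
    for directory, files in by_dir.items():
        dll_hashes = [h for n, h in files if n == "deskpan.dll"]
        if not dll_hashes or directory.endswith(LEGIT_DIRS):
            continue  # no DLL here, or it is the genuine library's location
        reasons = ["deskpan.dll outside %SystemRoot%\\system32"]
        severity = "suspicious"
        folder = posixpath.basename(directory)
        if CLSID_SUFFIX_RE.search(folder):
            severity = "likely CVE-2011-1991 trigger"
            reasons.append("folder name ends with a CLSID")
            if folder.endswith(DISPLAY_PANNING_CLSID.lower()):
                reasons.append("CLSID is the Display Panning CPL extension")
        if any(posixpath.splitext(n)[1] in BAIT_EXTENSIONS for n, _ in files):
            reasons.append("bait document next to the DLL")
        if any(h in KNOWN_BAD_DESKPAN_MD5 for h in dll_hashes):
            severity = "malicious"
            reasons.append("DLL MD5 matches a Taidoor sample from this post")
        findings.append({"directory": directory, "severity": severity, "reasons": reasons})
    return findings


# Constructed listing modelled on sample 4 (the .{CLSID}.rar archive). The bait
# document name, the two other paths and their all-zero/all-one hashes are invented.
SAMPLE_LISTING = [
    (".{42071714-76D4-11D1-8B24-00A0C9068FF3}\\deskpan.dll", "95eba76c46e6a5e516de4b1a2cbe052e"),
    (".{42071714-76D4-11D1-8B24-00A0C9068FF3}\\bait.doc", "13bf854264b79b99b0b5e501c797693c"),
    ("C:\\Windows\\system32\\deskpan.dll", "00000000000000000000000000000000"),  # placeholder
    ("photos\\deskpan.dll", "11111111111111111111111111111111"),  # placeholder: unknown DLL
    ("photos\\holiday.jpg", None),
]

if __name__ == "__main__":
    for f in assess_listing(SAMPLE_LISTING):
        print(f["severity"], f["directory"], "; ".join(f["reasons"]))
```

Run over a real extraction, feed `assess_listing` the paths and `md5_hex` of each file; anything rated above "suspicious" deserves a look even if the DLL hash is new, since the CLSID-named folder is the part of the technique that does not change between samples.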
General File Information
1
File: 1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.zip
MD5: 08344dcfe36e304dd858bd709ccff01c
deskpan.dll
MD5 : 027ada87ca5051f0c4108a0346e9b213
1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.doc
MD5 : 027ada87ca5051f0c4108a0346e9b213
----------------------------------------------------------------------------------------
2
File: ATT48239.rar
MD5: 9e51bccbd341e3767caf1b717f84fed5
deskpan.dll
MD5 : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5 : a67c7842e395dfd82b133c31d1cc83ee
----------------------------------------------------------------------------------------
3
File: ATT79018.rar
MD5: 41bad26335f09835b3fd6a54015e32aa
deskpan.dll
MD5 : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5 : 9bbdc627e72941c4a7f15aaff1faa934
----------------------------------------------------------------------------------------
4
File: .{42071714-76D4-11D1-8B24-00A0C9068FF3}.rar
MD5: 7a581f612befcb8163270d5c88f01cdf
deskpan.dll
MD5 : 95eba76c46e6a5e516de4b1a2cbe052e
doc
MD5 : 13bf854264b79b99b0b5e501c797693c
From: Indonesia Asean [mailto:aseanindonesia@yahoo.com]
Sent: Tuesday, September 20, 2011 7:43 AM
To: xxxxxxxxxx
Subject: Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York
Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 - 6 October 2011 in New York.
A Tentative Programme of the Direct Consultations is also attached for your kind reference.
Thank you for your attention and continued cooperation.
Regards,
--
Ardian Budhi Nugroho (Mr.)
Directorate of ASEAN Political Security Cooperation
Directorate General of ASEAN Cooperation
Ministry of Foreign Affairs-Indonesia
Jalan Taman Pejambon No. 6
Jakarta
2.
From: 交通部臺灣區國道高速公路局 [mailto:n_khsa@freeway.gov.tw]
Sent: Sunday, September 25, 2011 9:47 PM
To: xxxx
Subject: 雙十國慶 國道信息必備
今年國慶日有三天連假,交通部高速公路局為紓解返鄉及外出車流,計畫十月八日(週六)至十日(週一)連續三天,每天淩晨零點至七點免收通行費。
Translation: This year's National Day holiday is a three-day long weekend. To ease the flow of traffic heading home and out of town, the Freeway Bureau of the Ministry of Transportation and Communications plans to waive tolls from midnight to 7 a.m. each day for three consecutive days, from Saturday, October 8 to Monday, October 10.
3.
From: Tai Long [mailto:tailong.email@msa.hinet.net]
Sent: Thursday, September 22, 2011 9:17 PM
To: xxxx
Subject: FW:高手圖解通貨膨脹
4.
From: heping [mailto:heping.a57@msa.hinet.net]
Sent: Monday, September 26, 2011 8:42 PM
To: xxxxxx
Subject: 反對政府加碼老農津貼 (Opposing the government's increase of the elderly farmer allowance; hmm, not sure translation is right - M)
報載,日前立法院院會通過民進黨團提出老農津貼加碼案逕付二讀,將老農津貼由新台幣六千元提高到七千元。乍聽之下似乎合理,但若深入探討,不難發現加碼論述不僅荒謬,更加深老人群體的相對剝奪感,毫無公平正義可言。筆者反對政府加碼老農津貼,大致可歸納為七點。
Translation: According to press reports, the Legislative Yuan recently passed a DPP caucus motion to send a bill raising the elderly farmer allowance straight to second reading, increasing it from NT$6,000 to NT$7,000. At first hearing this seems reasonable, but on closer examination the case for the increase is not only absurd but deepens the sense of relative deprivation among the elderly, with no fairness or justice to it. The author opposes the government's increase of the elderly farmer allowance, for roughly seven reasons.
Message Headers
1. Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York
Received: (qmail 15282 invoked from network); 20 Sep 2011 11:43:17 -0000
Received: from nm30-vm4.bullet.mail.ne1.yahoo.com (HELO nm30-vm4.bullet.mail.ne1.yahoo.com) (98.138.91.190)
by xxxxxxxx
Received: from [98.138.90.55] by nm30.bullet.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
Received: from [98.138.89.245] by tm8.bullet.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
Received: from [127.0.0.1] by omp1059.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 207403.43300.bm@omp1059.mail.ne1.yahoo.com
Received: (qmail 13317 invoked by uid 60001); 20 Sep 2011 11:43:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1316518997; bh=StwR1QsG/R1k8fWRiEIWAHsH2j2NRVdmZQPs7eopHQw=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=aVhT/wyttouZH/+86SlunHqmNw2CBX/go0ryZLIGG6vMp2nWJP9rxQ3Ri4FyEcorDwcrRTEbjwXOxpSiOv2x39eb/Y5qNGLyUDMwnKPxz1WzNfpZZ8pBNkM3ZnKN4ScoIBmih5LwCCRuGQhH6T3w5iSAeIjiAwaY9iA4vl3Cyzk=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
b=I+iEY+BVkromI97O3AjTKjzb1UEuQ2vO1uR3hIIs2/TOS5iGwf/trgsGD1nF2jJ2Hfeq3Ra7H7julLTyjppyKT7+0cwsDH9WuUQ1kmm3HU5Ut2SvWRSv2KIqNd/W/Nhi4fd6OSV4DuNZbCtAvt/jWvjZc9rQ2/hHZgtx8Be+Yps=;
X-YMail-OSG: 9B9TcqMVM1lHy_qBRUCFG29xoWvxONzLzLbiV71v.bXh9HW
_KB8tIyi4e4mTIicpS8Fidvcae9wy66FDe121o8.SJDUhr3MMmgAz5XLGOHJ
NlCnltWDUAQYDP6kNW.rAMJyOGa1Cr5rbWKjC4YcvcNSlniDihq5WYQI2cmp
UN7otHriwlZ64tFo1p2nWmzvWjKqVU8.qlgWyU6UOCphvzTk4o9B1XnkAVnR
ZhrSvfqsjsuMcXout6srmsecYdZII_OjDbhGCqjubiFgzhNTteUye8K2LPZq
JjHvdBiQN7PyOl0BitRaaMS504m89Xlf0IeC5WaA.afa8wphIn4KR4TBGD8b
p_FT3gdoJqjC5850J7olnYAX6OsKqtERa4iBm38VJUaO9oEZS
Received: from [68.70.82.155] by web125004.mail.ne1.yahoo.com via HTTP; Tue, 20 Sep 2011 04:43:17 PDT
X-Mailer: YahooMailClassic/14.0.5 YahooMailWebService/0.8.113.315625
Message-ID: <1316518997.12581.YahooMailClassic@web125004.mail.ne1.yahoo.com>
Date: Tue, 20 Sep 2011 04:43:17 -0700
From: Indonesia Asean
Subject: Date of the SEANWFZ Direct Consultations between ASEAN and P5 Nuclear Weapon States, New York
To: xxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="-1310913832-1844512174-1316518997=:12581"
----------------------------------------------------------------------------------------
2. 雙十國慶 國道信息必備 Double Ten National Day: essential freeway information
Received: (qmail 15078 invoked from network); 26 Sep 2011 01:47:49 -0000
Received: from msr10.hinet.net (HELO msr10.hinet.net) (168.95.4.110)
by
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
by msr10.hinet.net (8.14.2/8.14.2) with SMTP id p8Q1jwjY015142
for; Mon, 26 Sep 2011 09:47:58 +0800 (CST)
Date: Mon, 26 Sep 2011 09:47:04 +0800
From: "=?gb2312?B?vbvNqLK/xV+es4Veh/i1wLjfy9m5q8K3vtY=?="
To: "xxxxxxxxxxxxx>
Subject: =?gb2312?B?63DKrof4kWMgh/i1wNDFz6Kx2ILk?=
Message-ID: <201109260944575125767@freeway.gov.tw>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon047735488433_====="
----------------------------------------------------------------------------------------
3. FW:高手圖解通貨膨脹 FW: An expert's illustrated guide to inflation
Received: (qmail 4909 invoked from network); 23 Sep 2011 01:17:47 -0000
Received: from msr4.hinet.net (HELO msr4.hinet.net) (168.95.4.104)
by
Received: from rabbit-4c4bd4d2 (59-120-16-116.HINET-IP.hinet.net [59.120.16.116])
by msr4.hinet.net (8.14.2/8.14.2) with SMTP id p8N0vmGJ002523
for xx; Fri, 23 Sep 2011 09:17:31 +0800 (CST)
Date: Fri, 23 Sep 2011 09:16:38 +0800
From: "Tai Long"
To: xxxxx
Subject: =?gb2312?B?Rlc6uN/K1ohEveLNqNibxfLDmw==?=
Message-ID: <201109230856536056629@msa.hinet.net>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon217161388548_====="
----------------------------------------------------------------------------------------
4. 反對政府加碼老農津貼 Opposing the government's increase of the elderly farmer allowance
Received: (qmail 30334 invoked from network); 27 Sep 2011 00:43:00 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
by xxxxxxxxxxxxxxxxxxx
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p8R0Yigt007656
for xxxxxx; Tue, 27 Sep 2011 08:42:57 +0800 (CST)
Date: Tue, 27 Sep 2011 08:42:09 +0800
From: "heping"
To: xxxxxxxxxx
Subject: =?gb2312?B?t7SMptX+uK6807RhwM/ecr3y2U4=?=
Message-ID: <201109270833519411080@msa.hinet.net>
X-mailer: Foxmail 6, 15, 201, 26 [cn]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=====001_Dragon686802606465_====="
Senders
1
IP: 68.70.82.155
Decimal: 1145459355
Hostname: 68-70-82-155.static.kc.surewest.net
ISP: SureWest Kansas Operations, LLC
Organization: SureWest Kansas Operations, LLC
State/Region: Kansas
City: Overland Park
----------------------------------------------------------------------------------------
2
IP: 59.120.1.169
Decimal: 997720489
Hostname: 59-120-1-169.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: CHTD, Chunghwa Telecom Co., Ltd.
----------------------------------------------------------------------------------------
3
IP: 59.120.16.116
Decimal: 997724276
Hostname: 59-120-16-116.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Chunghwa Telecom Data Communication Business Group
Country: Taiwan
State/Region: T'ai-pei
----------------------------------------------------------------------------------------
4
IP: 59.120.1.169
Decimal: 997720489
Hostname: 59-120-1-169.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: CHTD, Chunghwa Telecom Co., Ltd.
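The Senders section above was worked out by hand from the Received: chains: the earliest hop gives the client IP, and the same client name (rabbit-4c4bd4d2, with the same Foxmail build) shows up in messages 2, 3 and 4. The script below automates that pivot. It is an added example, not the blog's own code; the header fragments are transcribed from the post with the recipient redacted as xxxx and continuation lines re-indented so they unfold correctly, and only the Received: lines are used.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw: str):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous one."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw: str):
    """Received: values in header order; the last entry is the earliest hop."""
    return [l[len("Received:"):].strip()
            for l in unfold_headers(raw) if l.lower().startswith("received:")]


def is_public(ip: str) -> bool:
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def originating_ip(raw: str):
    """Walk the chain from the earliest hop upward; the first public IPv4 is the
    client that handed the message to the sender's MTA or webmail front end."""
    for hop in reversed(received_hops(raw)):
        for ip in IPV4_RE.findall(hop):
            if is_public(ip):
                return ip
    return None


def originating_name(raw: str):
    """Name the client presented at the earliest 'from' hop (HELO name or bracketed IP)."""
    for hop in reversed(received_hops(raw)):
        m = re.match(r"from\s+(\S+)", hop, re.I)
        if m:
            return m.group(1).strip("[]")
    return None


def cluster_by_client(messages: dict):
    """messages: {label: raw header block}. Groups labels by originating client name."""
    clusters = {}
    for label, raw in messages.items():
        clusters.setdefault(originating_name(raw), []).append(label)
    return clusters


# Received: chains transcribed from the post (recipient redacted, lines re-indented).
MESSAGES = {
    "1": """Received: (qmail 15282 invoked from network); 20 Sep 2011 11:43:17 -0000
Received: from nm30-vm4.bullet.mail.ne1.yahoo.com (HELO nm30-vm4.bullet.mail.ne1.yahoo.com) (98.138.91.190)
  by xxxx
Received: from [127.0.0.1] by omp1059.mail.ne1.yahoo.com with NNFMP; 20 Sep 2011 11:43:17 -0000
Received: from [68.70.82.155] by web125004.mail.ne1.yahoo.com via HTTP; Tue, 20 Sep 2011 04:43:17 PDT
X-Mailer: YahooMailClassic/14.0.5 YahooMailWebService/0.8.113.315625
""",
    "2": """Received: (qmail 15078 invoked from network); 26 Sep 2011 01:47:49 -0000
Received: from msr10.hinet.net (HELO msr10.hinet.net) (168.95.4.110)
  by xxxx
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
  by msr10.hinet.net (8.14.2/8.14.2) with SMTP id p8Q1jwjY015142
  for xxxx; Mon, 26 Sep 2011 09:47:58 +0800 (CST)
X-mailer: Foxmail 6, 15, 201, 26 [cn]
""",
    "3": """Received: (qmail 4909 invoked from network); 23 Sep 2011 01:17:47 -0000
Received: from msr4.hinet.net (HELO msr4.hinet.net) (168.95.4.104)
  by xxxx
Received: from rabbit-4c4bd4d2 (59-120-16-116.HINET-IP.hinet.net [59.120.16.116])
  by msr4.hinet.net (8.14.2/8.14.2) with SMTP id p8N0vmGJ002523
  for xxxx; Fri, 23 Sep 2011 09:17:31 +0800 (CST)
X-mailer: Foxmail 6, 15, 201, 26 [cn]
""",
    "4": """Received: (qmail 30334 invoked from network); 27 Sep 2011 00:43:00 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by xxxx
Received: from rabbit-4c4bd4d2 (59-120-1-169.HINET-IP.hinet.net [59.120.1.169])
  by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p8R0Yigt007656
  for xxxx; Tue, 27 Sep 2011 08:42:57 +0800 (CST)
X-mailer: Foxmail 6, 15, 201, 26 [cn]
""",
}

if __name__ == "__main__":
    for label, raw in MESSAGES.items():
        print(label, originating_ip(raw), originating_name(raw))
    print(cluster_by_client(MESSAGES))
```

The bottom-up walk matters: the top Received: lines belong to the recipient's own mail system, and the loopback hop inside Yahoo's webmail (127.0.0.1) is skipped so that the real submitting client, 68.70.82.155, is what comes back for message 1. Clustering on the client name rather than the IP is what ties message 3 (59.120.16.116) to messages 2 and 4 (59.120.1.169).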
Automated Scans
1
deskpan.dll
Submission date:2011-09-24 03:50:02 (UTC)
Result:16 /44 (36.4%)
http://www.virustotal.com/file-scan/report.html?id=41201ded2031a56419c1c822bd1622046665ea69dede96d873908c07fe78cd1e-1316836202
AntiVir 7.11.15.29 2011.09.23 TR/Hijacker.Gen
Antiy-AVL 2.0.3.7 2011.09.23 Trojan/Win32.Small.gen
AVG 10.0.0.1190 2011.09.23 BackDoor.Generic14.AJZQ.dropper
BitDefender 7.2 2011.09.24 Dropped:Trojan.CryptRedol.Gen.3
ByteHero 1.0.0.1 2011.09.23 Virus.Win32.Part.a
F-Secure 9.0.16440.0 2011.09.23 Dropped:Trojan.CryptRedol.Gen.3
Fortinet 4.3.370.0 2011.09.24 -
GData 22 2011.09.24 Dropped:Trojan.CryptRedol.Gen.3
Jiangmin 13.0.900 2011.09.23 TrojanDownloader.Small.bjqc
Kaspersky 9.0.0.837 2011.09.24 HEUR:Trojan.Win32.Generic
Microsoft 1.7702 2011.09.23 Backdoor:Win32/Simbot.gen
nProtect 2011-09-23.01 2011.09.23 Dropped:Trojan.CryptRedol.Gen.3
TheHacker 6.7.0.1.307 2011.09.23 Trojan/Downloader.Small.auqu
VBA32 3.12.16.4 2011.09.23 Trojan-Downloader.Win32.Small.auqu
VIPRE 10563 2011.09.24 Trojan.Win32.Generic!BT
MD5 : 90c88267efd63fd8e22fb0809be372bc
1_multipart_xF8FF_2_Letter 878-Date Direct Consultation.doc
2011-09-28 02:06:31 (UTC)
0 /44 (0.0%)
MD5 : 027ada87ca5051f0c4108a0346e9b213
----------------------------------------------------------------------------------------
2
deskpan.dll
2011-09-28 04:22:18 (UTC)
http://www.virustotal.com/file-scan/report.html?id=ae6f4f1f4483149c39f3741e2b4b2c9964ae80f1322dcba0c6d7781a57f03bef-1317183738
Result:15 /43 (34.9%)
Antivirus Version Last Update Result
AntiVir 7.11.15.52 2011.09.27 TR/Hijacker.Gen
Antiy-AVL 2.0.3.7 2011.09.27 Trojan/Win32.Small.gen
AVG 10.0.0.1190 2011.09.28 BackDoor.Generic14.AJZQ.dropper
BitDefender 7.2 2011.09.28 Dropped:Trojan.CryptRedol.Gen.3
ByteHero 1.0.0.1 2011.09.23 Virus.Win32.Part.a
F-Secure 9.0.16440.0 2011.09.28 Dropped:Trojan.CryptRedol.Gen.3
GData 22 2011.09.28 Dropped:Trojan.CryptRedol.Gen.3
Jiangmin 13.0.900 2011.09.27 TrojanDownloader.Small.bjqc
Kaspersky 9.0.0.837 2011.09.28 HEUR:Trojan.Win32.Generic
Microsoft 1.7702 2011.09.27 Backdoor:Win32/Simbot.gen
nProtect 2011-09-27.01 2011.09.27 Dropped:Trojan.CryptRedol.Gen.3
Rising 23.77.01.04 2011.09.28 Suspicious
TheHacker 6.7.0.1.312 2011.09.27 Trojan/Downloader.Small.auqu
VBA32 3.12.16.4 2011.09.27 Trojan-Downloader.Win32.Small.auqu
Additional information
MD5 : 95eba76c46e6a5e516de4b1a2cbe052e
File name: ____.doc
Submission date: 2011-09-28 16:46:17 (UTC)
Result: 0/43 (0.0%)
MD5 : a67c7842e395dfd82b133c31d1cc83ee
----------------------------------------------------------------------------------------
3
deskpan.dll: the same file as in sample 2 (MD5 95eba76c46e6a5e516de4b1a2cbe052e, 15/43 on VT, report linked above).
File name: ___________________.doc
Submission date: 2011-09-28 16:49:14 (UTC)
MD5 : 9bbdc627e72941c4a7f15aaff1faa934
----------------------------------------------------------------------------------------
4
deskpan.dll: the same file as in sample 2 (MD5 95eba76c46e6a5e516de4b1a2cbe052e, 15/43 on VT, report linked above).
__________.doc
Result: 0/42 (0.0%)
Additional information
MD5 : 13bf854264b79b99b0b5e501c797693c
Payload
I think I managed to trigger the exploit once but I could not reproduce it. The first message is different from the other three: it was meant for targets in the USA. The others were sent from Taiwan and were meant for targets in Taiwan.
The Taidoor trojan is present in all of the samples.
Just a quick note. There needs to be a '.' between the folder name and the bracket of the classid. For more information see http://blog.acrossecurity.com/2011/05/anatomy-of-com-server-based-binary.html
Delete & Edit - wrote 'file' rather than 'folder'
Hi Mila, I love the information... Great blog post...
A very good blog about malware.
Explained about file information, messages and automated scans etc.
Thanks.