Here is one more sample. It calls home to 112.213.126.67 (googlemail.proxydns.com).
Common Vulnerabilities and Exposures (CVE) number
CVE-2010-2883
Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.
General File Information
File: RR_111015(DRAFT).pdf
Size: 200678
MD5: E21FD1826FA8D021C845E857BF092A90
Download
Original Message
Sent: Monday, October 17, 2011 12:46 PM
To: xxxxxxxxxxx
Subject: my recent report on the coming Presidential Election in TW
Hi all,
Attached is my recent report on the coming Presidential Election in TW. I like to have your points of view before the end of the week.
Thanks all,
Yamagu Tikeiko
Message Headers
Received: (qmail 16432 invoked from network); 17 Oct 2011 16:45:52 -0000
Received: from nm8-vm1.bullet.mail.sp2.yahoo.com (HELO nm8-vm1.bullet.mail.sp2.yahoo.com) (98.139.91.195)
xxxx
Received: from [98.139.91.69] by nm8.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [98.139.91.11] by tm9.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [127.0.0.1] by omp1011.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 267923.22950.bm@omp1011.mail.sp2.yahoo.com
Received: (qmail 31877 invoked by uid 60001); 17 Oct 2011 16:45:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1318869950; bh=vVR5GXwhn0xgmLGuqyZCnaSaHzDc3Y0QcL7cH/UIYN8=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=g/m9g8hQG/0pEKuhmn51COxhcYG+9bIZnoIDOamJaGoFeB6yikkhKKyJhl51cm5h1VHoJ7dHeS08OWrUNKoPm+r4MGhs+EzMrwxhysV095MDaX0X2aCW3063g45L7tQT/YhCxxUkQEKyKNf7J51Kh98D/gDgStMqI1ADnTPdTmY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
b=xR6QzxY1l6CELvBg7I9A0ULDA/y4sv7GKwEgiCUsLpKF+27ldCY9KXu7UTqY+V3jxMB6qF4oOhhQCa2WAM6BPF4zkR9LWCoaQDjVioZkvRgvqnT6iOVPE8GPNe2b76fry2LTDWMWsl+NqDAveuuihhcVZwHpAQh+OjofQkEgb50=;
Received: from [64.27.23.17] by web114210.mail.gq1.yahoo.com via HTTP; Mon, 17 Oct 2011 09:45:50 PDT
X-Mailer: YahooMailWebService/0.8.114.317681
References:
Message-ID: <1318869950.31749.YahooMailNeo@web114210.mail.gq1.yahoo.com>
Date: Mon, 17 Oct 2011 09:45:50 -0700
From: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Reply-To: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Subject: my recent report on the coming Presidential Election in TW
To: xxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="-878282960-1853156358-1318869950=:31749"
Sender
64.27.23.17
64.27.0.0 - 64.27.31.255
CALPOP.COM, INC.
600 W. 7th Street
Suite 360
Los Angeles
CA
90017
United States
Automated Scans
RR_111015(DRAFT).pdf
Submission date: 2011-10-17 21:29:54 (UTC)
Result: 16/43 (37.2%)
AntiVir 7.11.16.29 2011.10.17 EXP/CVE-2010-2883.AC
Avast 6.0.1289.0 2011.10.17 JS:Pdfka-gen [Expl]
AVG 10.0.0.1190 2011.10.17 Script/Exploit
BitDefender 7.2 2011.10.17 Exploit.PDF-TTF.Gen
ClamAV 0.97.0.0 2011.10.17 PUA.Script.PDF.EmbeddedJS-1
DrWeb 5.0.2.03300 2011.10.17 Exploit.PDF.2477
eTrust-Vet 36.1.8624 2011.10.17 PDF/CVE-2010-2883.A!exploit
F-Secure 9.0.16440.0 2011.10.17 Exploit.PDF-TTF.Gen
Fortinet 4.3.370.0 2011.10.17 PDF/CoolType!exploit.CVE20102883
GData 22 2011.10.17 Exploit.PDF-TTF.Gen
Kaspersky 9.0.0.837 2011.10.17 Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition 2010.1D 2011.10.17 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.7702 2011.10.17 Exploit:Win32/CVE-2010-2883.A
NOD32 6551 2011.10.17 PDF/CVE-2010-2883
Norman 6.07.11 2011.10.17 TTF/Exploit!CVE-2010-2883
MD5: e21fd1826fa8d021c845e857bf092a90
Created files
Temp\spoolsv.exe
File: spoolsv.exe
Size: 155648
MD5: 132015EE7AF53863E88AFB080F0B4CC8
http://anubis.iseclab.org/?action=result&task_id=1eb450625e1508be4c184a35a99d45fb0&format=html
spoolsv.exe
2011-10-26 11:15:38 (UTC)
Result: 7/43 (16.3%)
AntiVir 7.11.16.146 2011.10.26 TR/Crypt.XPACK.Gen2
BitDefender 7.2 2011.10.26 Gen:Trojan.Heur.PT.jmW@aO5Q4
Emsisoft 5.1.0.11 2011.10.26 Trojan.Win32.Riern!IK
F-Secure 9.0.16440.0 2011.10.26 Gen:Trojan.Heur.PT.jmW@aO5Q4
Fortinet 4.3.370.0 2011.10.26 W32/Pincav.XGB!tr
GData 22 2011.10.26 Gen:Trojan.Heur.PT.jmW@aO5Q4
Ikarus T3.1.1.107.0 2011.10.26 Trojan.Win32.Riern
MD5: 132015ee7af53863e88afb080f0b4cc8
Traffic
112.213.126.67
112.213.126.0 - 112.213.126.255
NOC.HK
Email: IDC@NOC.HK
Ken Chan
iprs.snl@gmail.com
7/F, TRANS ASIA CTR
18 KIN HONG ST, KWAI CHUNG
phone: +852 2125 0455
Web Site |
---|
86349.com |
79349.com |
64956.com |
64269.com |
63709.com |
45529.com |
Whois for 86349.com:
gudong da
pudongxinqu15555hao
shanghai, shanghai 200120
China
Domain Name: 86349.COM
Created on: 14-Apr-11
Expires on: 14-Apr-12
Last Updated on: 14-Apr-11
Administrative Contact:
da, gudong
pudongxinqu15555hao
shanghai, shanghai 200120
China
006 Fax --