Monday, May 10, 2010

May 10 CVE-2009-3129 XLS schedule of the defense industry evaluation from 0922750173@mail.ahccddi.org.tw


 Download  d4b98bda9c3ae0810a61f95863f4f81e  ATT39755.xls and all the files described below as a password protected archive (contact me if you need the password) 


From: ¤u¦X•|³ø [mailto:0922750173@mail.ahccddi.org.tw]
Sent: Monday, May 10, 2010 9:38 AM
To: XXXXXXXXXXX
Subject: Schedule of defense industry evaluations for the second half of 2010 (ROC year 99)

Please find attached one copy of the schedule of defense industry evaluations for the second half of 2010 (ROC year 99); kindly review it.
                 Respectfully, 蕭名槐 (Hsiao Ming-huai)

Headers
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXX with SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CAF089.0C84DC60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

202.65.223.202
Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
ISP:    Genesis Net Limited
Organization:    Tsuen Wan
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
 City:    Central District


  File ATT39755.xls received on 2010.06.03 11:27:14 (UTC)
http://www.virustotal.com/analisis/616b561b49258346ead431e34fb1925e2dbc11fb4620083efae92d7ed8e5333c-1275564434
Result: 7/41 (17.08%)
Jiangmin    13.0.900    2010.06.03    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.03    Trojan-Dropper.MSExcel.Agent.bc
Heuristic.BehavesLike.Exploit.X97.CodeExec.FFLG
PCTools    7.0.3.5    2010.06.03    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.03    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
Additional information
File size: 72192 bytes
MD5...: d4b98bda9c3ae0810a61f95863f4f81e


 Files created
%Userprofile%\LOCALS~1\Temp\wuauclt.exe  
 File: wuauclt.exe  Size: 31232   MD5:  D037500368207625E3FFEE16C50D60A7
%Userprofile%\LOCALS~1\Temp\ ATT39755.xls
File: ATT39755.xls Size: 13824 MD5:  75B495C8324C4DCF5A0B2CFCACC47971  == clean xls file

http://www.virustotal.com/reanalisis.html?1a15e1c3220e8d1800bb7b186e9d47f63aefd669cd0f1569a79982498d5d9ba6-1275579814
File wuauclt.exe-- received on 2010.06.02 00:43:59 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5802 2010.06.02 Backdoor:Win32/Ixeshe.A
Norman 6.04.12 2010.06.01 W32/Malware
TrendMicro 9.120.0.1004 2010.06.01 BKDR_IXESHE.SM
TrendMicro-HouseCall 9.120.0.1004 2010.06.02 BKDR_IXESHE.SM
Additional information
File size: 31232 bytes
MD5   : d037500368207625e3ffee16c50d60a7



 TCP traffic to 211.78.147.220

 
  Hostname:    ll-211-78-147-220.ll.sparqnet.net
ISP:    New Centry InfoComm Tech. Co., Ltd.
Organization:    Lill Guan Industry co., LTD
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
City:    Taichung


May 9 CVE-2010-0188 PDF Concept Paper.pdf from global.faruk@gmail.com

Download Concept_Paper.pdf  c06ef052db6710fd632952cc14917d84 as a password protected archive (please contact me for the password if you need it)
Nothing new or special in this one, except that the text of the message appears to be stolen from a real message or is a very good fake. This sender sent a message before: http://contagiodump.blogspot.com/2010/04/apr-2-cve-2009-0927-cve-2007-5659-pdf.html . Detection is as low as it was a month ago; not much improvement on this CVE. (M)


Details Concept_Paper.pdf c06ef052db6710fd632952cc14917d84 
File Concept_Paper.pdf received on 2010.05.10 11:14:19 (UTC)
http://www.virustotal.com/analisis/e3366fd2b4ff485840c147ea2eb811e793616a5a8bb2e1abfb4d37a03e53d774-1273490059
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.10    JS/CVE20100
Avast    4.8.1351.0    2010.05.09    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.09    PDF:CVE-2010-0188
GData    21    2010.05.10    PDF:CVE-2010-0188
eTrust-Vet    35.2.7477    2010.05.10    PDF/CVE-2010-0188!exploit
Sophos    4.53.0    2010.05.10    Troj/PDFJs-II
Additional information
File size: 172952 bytes
MD5...: c06ef052db6710fd632952cc14917d84








From: 呂參謀 [mailto:global.faruk@gmail.com]
Sent: Sunday, May 09, 2010 9:30 PM
To: XXXXXXXXXXXXXXXXXXXXXX
Subject: Fwd: ASEM Cooperation on Capacity Building of Disaster Relief


---------- Forwarded message ----------
From: Alan D. Romberg
Date: 2010/5/7 20:11
Subject: RE: Yang's bio. doc
To: Andrew Nien-Dzu Yang
Cc: 毛 毛


Dear Andrew –

Although I am going to be away (in Korea) next week, I want to get out an invitation to your talk so people will mark it on their calendars.

I am attaching a draft for your approval. I am assuming that, since you are giving a similar talk “on the record” at Harvard, your talk at Stimson will also be “on the record.” But if you want to tell all of your most closely-held secrets to our audience (while only giving fluff to Steve’s group at Harvard), I’m happy to make it off the record or at least “not for attribution.” Let me know.

Please let me have your feedback on the invitation text.

While the invitations are generally issued electronically, they are also printed up. So I may need to cut back a bit on the bio stuff to make it fit on one page, but I hope not. But I wanted to make you aware of that. However, I didn’t want to take more time to fiddle with formatting now before sending it to you (and LtCol Mao) for your OK.

Thanks. Looking forward to seeing you.

Best.

Alan


Thursday, May 6, 2010

May 6 CVE-2010-0188 PDF birthday briefing series from spoofed jjsung@ntu.edu.tw

Download  d80eb21cfe8ad1a710c8652b13f8b7ac ATT59802.pdf as a password protected archive (please contact me for the password if you need it)



Virustotal
 File ATT59802.pdf received on 2010.05.06 18:49:42 (UTC)
Result: 6/41 (14.64%)
Avast    4.8.1351.0    2010.05.06    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.06    PDF:CVE-2010-0188
eTrust-Vet    35.2.7471    2010.05.06    PDF/CVE-2010-0188!exploit
Kaspersky    7.0.0.125    2010.05.06    Exploit.Win32.Pidief.dch
Sophos    4.53.0    2010.05.06    Troj/PDFJs-II
Additional information
File size: 106855 bytes
MD5...: d80eb21cfe8ad1a710c8652b13f8b7ac


 

-----Original Message-----
From: jjsung@ntu.edu.tw [mailto:jjsung@ntu.edu.tw]
Sent: 2010-05-06 10:34 AM
To: XXXXXXXXXXXX
Subject: Briefing on the series of events for Professor Tsai Cheng-wen's 70th birthday

XXXXXXXXXXXXX

This year marks the 70th birthday of Professor Tsai Cheng-wen (蔡政文), an elder of our country's political science community, professor emeritus of the Department of Political Science at National Taiwan University, National Policy Advisor and executive director of the National Policy Foundation. To celebrate Professor Tsai's 70th birthday and to express the admiration of fellow political scientists in Taiwan, the organizing committee has planned a series of events in his honor.
1. Academic conference for Professor Tsai Cheng-wen's 70th birthday
The conference "Global, Cross-Strait, Taiwan: Academic Conference for Professor Tsai Cheng-wen's 70th Birthday" will be held on May 29 and 30 this year at the International Conference Hall of the NTU College of Social Sciences. Its theme, "Global, Cross-Strait, Taiwan", echoes President Ma's overall grand strategy of "strengthening Taiwan, connecting across the Strait, and deploying globally". Professor Tsai's students, old friends and acquaintances are warmly invited to submit papers, and senior and fellow political scientists are likewise asked to contribute, so that all may join the celebration.
2. Visit of a birthday delegation from mainland China
To broaden participation and promote cross-Strait academic exchange, to discuss the current national development guideline of "strengthening Taiwan, connecting across the Strait, and deploying globally", and thereby to help speed up democratization on the mainland, important Taiwan-related think tanks with close ties to Professor Tsai, including the Jiangsu Cross-Strait Relations Research Association and the Institute of Taiwan Studies of the Chinese Academy of Social Sciences, have been invited to send delegations to Taiwan to offer their congratulations. Besides attending the conference, the mainland scholars will afterwards be taken on a tour of political and economic development sites in southern Taiwan.
Members of the delegation visiting Taiwan:
Jiangsu Cross-Strait Relations Research Association: Vice Chairman Lu Jinming and his wife
Institute of Taiwan Studies: Deputy Director Zhu Weidong, Department Head Tian Hemin, Deputy Head Gao Jian, Assistant Researchers Liu Ying, Wang Shushen and Chen Yongjiang (six in total)
Nanjing University: Vice President Zhang Yongtao (Vice President of the Chinese Political Science Association) and Dean Zhang Fengyang
3. Birthday banquet for Professor Tsai Cheng-wen's 70th birthday
Scheduled for 6:00 pm on Saturday, May 29, 2010 (ROC year 99), at the Capital branch of the Shanghai Xiangcun restaurant (上海鄉村首都店).
Since supervising Lin Chia-cheng's master's thesis "The Political Theory of David Easton" in 1974 (ROC year 63), Professor Tsai has, as of the end of April 2010, supervised a total of 25 doctoral and 98 master's students.
Every one of Professor Tsai's students has, after graduation, followed his teaching and performed outstandingly in their posts, never failing his rigorous training.
Professor Tsai's students, old friends, colleagues and subordinates all hope to attend in person and to host a birthday banquet for him, to express their gratitude and best wishes!

----------------------------------------------------------------------
For any inquiries, please contact:
Organizing Committee Secretary-General: 宋紀均 (Sung Chi-chun)
Tel: 0932-322-687; Fax: (02) 2367-9708;
E-mail: jjsung@ntu.edu.tw

 Headers
Received: from wmail1.cc.ntu.edu.tw (HELO wmail1.cc.ntu.edu.tw) (140.112.2.161)
  by XXXXXXX with DHE-RSA-AES256-SHA encrypted SMTP; 6 May 2010 14:33:45 -0000
Received: from localhost (localhost [127.0.0.1])
    by wmail1.cc.ntu.edu.tw (Postfix) with ESMTP id 9DABE35E841
    for XXXXXXXXX; Thu,  6 May 2010 22:33:42 +0800 (CST)
Received: from 218.94.121.180 ([218.94.121.180]) by wmail1.cc.ntu.edu.tw
 (Horde Framework) with HTTP; Thu, 06 May 2010 22:33:42 +0800
Message-ID: <20100506223342.59074hzo2e1mojly@wmail1.cc.ntu.edu.tw>
Date: Thu, 6 May 2010 22:33:42 +0800
Disposition-Notification-To: jjsung@ntu.edu.tw
From: jjsung@ntu.edu.tw




Hostname:    218.94.121.180
ISP:    Data Communication Division
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Beijing
City:    Beijing

Wednesday, May 5, 2010

May 5 CVE-2010-0188 PDF 2010-05-06 Asian Pacific Security stuff from samuelberger19@yahoo.com


Download  0999aef064dc91d68d48df3d7c1482e4  Assessing_the_Asian_Balance.pdf as a password protected archive (please contact me for the password if you need it)

Details 0999aef064dc91d68d48df3d7c1482e4 Assessing_the_Asian_Balance.pdf


http://www.virustotal.com/analisis/20e241ba72b751ea9b5b46617d27c6572f98dc216140ed002f30d2a169f16ee2-1273171733
File Assessing_the_Asian_Balance.pdf received on 2010.05.06 18:48:53 (UTC)
Result: 6/41 (14.64%)
Avast    4.8.1351.0    2010.05.06    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.06    PDF:CVE-2010-0188
eTrust-Vet    35.2.7471    2010.05.06    PDF/CVE-2010-0188!exploit
GData    21    2010.05.06    PDF:CVE-2010-0188
Kaspersky    7.0.0.125    2010.05.06    Exploit.Win32.Pidief.dch
Additional information
File size: 124874 bytes
MD5...: 0999aef064dc91d68d48df3d7c1482e4













From: Samuel Berger [mailto:samuelberger19@yahoo.com]
Sent: 2010-05-04 9:46 AM
To: XXXXXXXXXXXXXXXXXXXXX
Subject: Asian Pacific Security stuff if you are interested

Dear Colleague,
Hope this mail finds you well. Attached is my latest paper on military balance in Asia.
The purpose of this essay is to begin redressing the absence of a scholarly debate on today’s military balances. In short, I will 1) analyze certain aspects of the scholarly debate on Cold War balances to identify lessons we might learn for the assessment of Asian-Pacific balances today; 2) identify America’s security interests in the Pacific; and 3) analyze the pasts debates over military balances and assess current U.S. Asian interests to offer ways to think about the balance of power in a region of growing importance.
I am sending it in two versions that are little different in content. Part One has it in Word form, while Part Two has it in PDF form. One reason for this is that the smaller PDF form may be easier to manage. Also, it is easier to markup the PDF with comments.

Best,
Samuel



Headers
Received: (qmail 5604 invoked from network); 4 May 2010 13:46:07 -0000
Received: from web114501.mail.gq1.yahoo.com (HELO web114501.mail.gq1.yahoo.com) (98.136.183.9)
  by XXXXXXXXXXXXXX  SMTP; 4 May 2010 13:46:07 -0000
Received: (qmail 13807 invoked by uid 60001); 4 May 2010 13:46:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1272980766; bh=J3HYNvCvCDyPvkGgmftWQ8+zXbK454RBqFWFVNLeREc=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=joG8+M0RpG1PiqtkD9078vYk62Fip4emnVHfPGe3yF0VDmLdOVo5pVkBFcvatipshgRZgTtXdwFuwFcPhoTM0OQqfxmxWs7MJ0WCrKLccJ710pmzs9agP15XxmOvugjvke7AuKmPRd6dNYldgNFhwnEhI8wVZD/qT66eL7VbZm4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=1n+A//g4la4ygH85zo+bAofKE8QFyK/8bvJeD2JUxKMQaeAbZ09Lr+Zs80QOOFmYTQP8PPkMSRPQwVfVNGeIDdB1tr2kuUiGAKZ4T14zi7mB2aWN2D3WO85aU779HQ27fkdenU2B71kV8ZkEDgKmEsmGjnd9HDfSyEbOCh9g5cA=;
Message-ID: <418000.60485.qm@web114501.mail.gq1.yahoo.com>
X-YMail-OSG: WFPXxRAVM1k.IwoUJ0A1Rl6ADrcxY3z1LZO4P7F_yPzchs9
 1E3PDb34L
Received: from [66.197.176.8] by web114501.mail.gq1.yahoo.com via HTTP; Tue, 04 May 2010 06:46:05 PDT
X-Mailer: YahooMailClassic/10.1.11 YahooMailWebService/0.8.103.269680
Date: Tue, 4 May 2010 06:46:05 -0700
From: Samuel Berger
Subject: Asian Pacific Security stuff if you are interested
To: XXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1791380416-1272980765=:60485"

66.197.176.8
Hostname:    swhosting.ie
ISP:    Network Operations Center
Organization:    SOUTHWEST TECHNOLOGIES
Assignment:    Static IP
State/Region:    Pennsylvania
City:    Scranton


 

Friday, April 30, 2010

Apr 30 CVE-2010-0188 PDF North Korea's Radio Waves of Resistance from davidaustin3@yahoo.com

Details 2b4b5e0ce5a19d81ea918f50f56ff8d0 North_Korea_update.pdf 


From: David Austin [mailto:davidaustin3@yahoo.com]
Sent: Friday, April 30, 2010 2:00 AM
To: XXXXXXXXXXXXX
Subject: North Korea's Radio Waves of Resistance
Importance: Low
North Korea's Radio Waves of Resistance

By Peter M. Beck | April 27, 2010

North Korea remains the most isolated country on earth, with its people
effectively cut off from the outside world, or so the world has been told.
But there is reason to believe this is no longer the case. My research
suggests millions of North Koreans listen to or hear about foreign radio
broadcasts. There is evidence the numbers are growing.

Attachments
     http://www.virustotal.com/analisis/a967a1523f859cfbd69de0d5f9f70228e100ec9d7bf07066cbfb206b8e4d4b23-1272627594
     File North_Korea_update.pdf received on 2010.04.30 11:39:54 (UTC)
    Result: 13/40 (32.5%)
    AhnLab-V3    2010.04.30.02    2010.04.30    PDF/Cve-2010-0188
    Avast    4.8.1351.0    2010.04.30    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.30    PDF:CVE-2010-0188
    AVG    9.0.0.787    2010.04.30    Exploit_c.DEY
    BitDefender    7.2    2010.04.30    Exploit.PDF-EXE.Gen
    DrWeb    5.0.2.03300    2010.04.30    Exploit.PDF.758
    eSafe    7.0.17.0    2010.04.29    PDF.Exploit
    F-Secure    9.0.15370.0    2010.04.30    Exploit.PDF-EXE.Gen
    GData    21    2010.04.30    Exploit.PDF-EXE.Gen
    Rising    22.45.04.03    2010.04.30    Hack.Exploit.PDF.aem
    Sophos    4.53.0    2010.04.30    Troj/PDFJs-II
    Sunbelt    6241    2010.04.30    Exploit.PDF.CVE-2010-0806 (v)  - Sunbelt, this is a wrong name
    VirusBuster    5.0.27.0    2010.04.29    JS.Crypt.UQBF
    Additional information
    File size: 240872 bytes
    MD5...: 2b4b5e0ce5a19d81ea918f50f56ff8d0

    Received: from [123.125.156.138] by web114410.mail.gq1.yahoo.com via HTTP; Thu, 29 Apr 2010 22:59:34 PDT
    X-Mailer: YahooMailRC/348.5 YahooMailWebService/0.8.103.269680
    Date: Thu, 29 Apr 2010 22:59:34 -0700
    From: David Austin
    Subject: North Korea's Radio Waves of Resistance


          Hostname:    123.125.156.138
          ISP:    China Unicom Beijing Province Network
          Organization:    China Unicom Beijing Province Network
          Proxy:    Suspected network sharing device.
          Country:    China
          State/Region:    Beijing
          City:    Beijing
    http://www.robtex.com/ip/123.125.156.138.html#whois

    inetnum: 123.112.0.0 - 123.127.255.255
    netname: UNICOM-BJ
    descr: China Unicom Beijing province network
    descr: China Unicom
    country: CN
    admin-c: CH1302-AP
    tech-c: SY21-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CNCGROUP-BJ
    mnt-routes: MAINT-CNCGROUP-RR
    status: ALLOCATED PORTABLE
    person: ChinaUnicom Hostmaster
    nic-hdl: CH1302-AP
    e-mail: abuse@chinaunicom.cn
    address: No.21,Jin-Rong Street
    address: Beijing,100140
    address: P.R.China
    phone: +86-10-66259940
    fax-no: +86-10-66259764
    country: CN
    changed: abuse@chinaunicom.cn 20090408
    mnt-by: MAINT-CNCGROUP
    source: APNIC

    person: sun ying
    address: fu xing men nei da jie 97, Xicheng District
    address: Beijing 100800
    country: CN
    phone: +86-10-66030657
    fax-no: +86-10-66078815
    e-mail: hostmast@publicf.bta.net.cn
    nic-hdl: SY21-AP
    mnt-by: MAINT-CNCGROUP-BJ
    changed: suny@publicf.bta.net.cn 19980824
    changed: hm-changed@apnic.net 20060717
    changed: hostmast@publicf.bta.net.cn 20090630
    source: APNIC

    Apr 26 CVE-2009-4324 with low detection and CVE-2010-0188 Symposium from smiles@mail.knu.edu.tw



    UPDATE APRIL 30 
    a bit of progress

    File ATT42909.pdf received on 2010.04.30 11:09:44 (UTC)
    Result: 9/41 (21.96%)
    Avast    4.8.1351.0    2010.04.30    JS:Pdfka-AEE
    Avast5    5.0.332.0    2010.04.30    JS:Pdfka-AEE
    F-Secure    9.0.15370.0    2010.04.30    Exploit:W32/Pidief.COJ
    GData    21    2010.04.30    JS:Pdfka-AEE
    Kaspersky    7.0.0.125    2010.04.30    Exploit.JS.Pdfka.ceg
    McAfee    5.400.0.1158    2010.04.30    Exploit-PDF.q.gen!stream
    Sophos    4.53.0    2010.04.30    Troj/PDFJs-GQ
    Symantec    20091.2.0.41    2010.04.30    Trojan.Pidief.H
    TrendMicro-HouseCall    9.120.0.1004    2010.04.30    JS_UTOTI.LS
    Additional information
    File size: 129722 bytes
    MD5...: 536c0afe4d655a66dccad4af9679caa9

    File ATT85645.pdf received on 2010.04.30 11:16:13 (UTC)
    Result: 6/40 (15.00%)
    Avast 4.8.1351.0 2010.04.30 PDF:CVE-2010-0188
    Avast5 5.0.332.0 2010.04.30 PDF:CVE-2010-0188
    ClamAV 0.96.0.3-git 2010.04.30 Exploit.PDF-22737
    eTrust-Vet 35.2.7460 2010.04.30 PDF/CVE-2010-0188!exploit
    GData 21 2010.04.30 PDF:CVE-2010-0188 
    Sophos 4.53.0 2010.04.30 Troj/PDFJs-II
    Additional information
    File size: 115796 bytes
    MD5   : 58de08c1155a775b760049dff3f5abe4



    From: smile [mailto:smiles@mail.knu.edu.tw]
    Sent: Monday, April 26, 2010 9:55 PM
    To: XXXXXXXXXXX
    Subject: [Conference] Fifth "Globalization and Administrative Governance" International Academic Conference, Department of Public Affairs Management, Kainan University
    Importance: High

    Dear academic colleagues,
    The Department of Public Affairs Management of Kainan University will hold the fifth "Globalization and Administrative Governance" International Academic Conference on Friday, May 7, 2010 at the Yen Wen-lung International Conference Center of Kainan University. Registration is open from today until May 2, 2010 (ROC year 99); the agenda and registration form are attached, please check them.
    Your participation will add lustre to this conference. We look forward to your presence at this academic gathering and would be most grateful for your joining us.
        With respectful regards,

    Respectfully invited by
    許慶復 (Hsu Ching-fu)
    Professor and Chair, Department of Public Affairs Management, Kainan University
    Contact: 許舒涵 (Hsu Shu-han), Department Assistant, Department of Public Affairs Management, Kainan University
    E-Mail: smile@mail.knu.edu.tw;pm@mail.knu.edu.tw
    TEL: 03-3412500 (ext. 3802)
    ==================================================
    http://www.virustotal.com/analisis/2532c39a9227d272050ab3545c18bab989ed3dbf0e7826fa1ac4c06dcb696383-1272466905
    File ATT42909.pdf received on 2010.04.28 15:01:45 (UTC)
    Result: 2/39 (5.13%)
    McAfee     5.400.0.1158     2010.04.28     Exploit-PDF.q.gen!stream
    Sophos     4.53.0     2010.04.28     Troj/PDFJs-GQ
    Additional information
    File size: 129722 bytes
    MD5   : 536c0afe4d655a66dccad4af9679caa9


    ATT42909.pdf  - CVE-2009-4324



     http://www.virustotal.com/analisis/3f01888d51bd67a2501d4d3d1b5ed63cf3d0cea1413d563484f041cd0b3ff295-1272516410
     File ATT85645.pdf received on 2010.04.29 04:46:50 (UTC)
    Result: 6/41 (14.64%)
    Avast    4.8.1351.0    2010.04.28    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.28    PDF:CVE-2010-0188
    ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-22737
    eTrust-Vet    35.2.7456    2010.04.28    PDF/CVE-2010-0188!exploit
    GData    21    2010.04.29    PDF:CVE-2010-0188
    Sophos    4.53.0    2010.04.29    Troj/PDFJs-II
    File size: 115796 bytes
    MD5...: 58de08c1155a775b760049dff3f5abe4

    =================================================
    ATT85645.pdf = CVE-2010-0188

    Headers
    Received: from mail.vac.gov.tw (HELO mail.vac.gov.tw) (210.241.78.245)
      by server-7.tower-37.messagelabs.com with SMTP; 27 Apr 2010 02:23:10 -0000
    Received: from vac (unknown [140.93.105.3])
        by mail.vac.gov.tw (Postfix) with ESMTP id 64ED7D6C431
        for XXXXXXXX ; Tue, 27 Apr 2010 10:22:32 +0800 (CST)
    Message-ID: <1975e5623c$23fce32a$0ae1d8b4@vac212af2ce2>
    From: "smile"


    Hostname: 140.93.105.3
    ISP: Laboratoire d'Automatique et d'Analyse des Systeme 
    Organization: Laboratoire d'Automatique et d'Analyse des Systeme
    Country: France  
    State/Region: Midi-Pyrenees
    City: Toulouse


    It appears that 140.93.105.3 used mail.vac.gov.tw (210.241.78.245) as a relay server.
    210.241.78.245
    inetnum: 210.241.0.0 - 210.241.127.255
    netname: GSN
    descr: GSN, Taiwan Government Service Network.
    descr: Data-Bldg.14F, No.21, Sec.21, Hsin-Yi Rd.
    descr: Taipei Taiwan 100
    country: TW
    Incoming mail for mail.vac.gov.tw is handled by two mailservers at gov.tw. They are on different IP networks. mail.vac.gov.tw has one IP number, which also has a corresponding reverse pointer.
    vac.gov.tw and mail.vac.gov.tw use this as a mailserver. vac.gov.tw and x346-3.vac.gov.tw share mailservers with this domain.
    vac.gov.tw is delegated to one nameserver, however one extra nameserver is listed in the zone. The NS sunlx.vac.gvo.tw.vac.gov.tw stated in SOA record is not in the list of nameservers. Incoming mail for vac.gov.tw is handled by twelve mailservers also at gov.tw. Some of them are on the same IP network.
    You might also be interested in mail3.vac.gov.tw, mail4.vac.gov.tw, mail2.vac.gov.tw and mail5.vac.gov.tw.
    mail.vac.gov.tw is hosted on a server in Taiwan.
    It is not listed in any blacklists.
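The relay observation above (a message claiming to come from mail.knu.edu.tw that actually entered the chain from 140.93.105.3 via mail.vac.gov.tw) is the kind of check worth automating on incoming mail. The following Python script is an added example written for this page, not code from the original post: it unfolds the Received: headers quoted above, walks them bottom-up to find the injecting hop, and flags a claimed sender domain that never appears anywhere in the relay chain. The From address in the embedded sample is filled in from the post's text (the raw header shows only the display name), and the three-label domain-suffix comparison is a simplifying assumption rather than a real public-suffix lookup.

```python
"""Walk an e-mail Received: chain to find the injecting hop and check the claimed sender.

Added example for this page, not code from the original post. The header block is
quoted from the post's smiles@mail.knu.edu.tw sample; the From address is filled in
from the post's text, since the raw header in the post shows only the display name.
"""
from __future__ import annotations

import re
from typing import Optional

SAMPLE_HEADERS = """\
Received: from mail.vac.gov.tw (HELO mail.vac.gov.tw) (210.241.78.245)
  by server-7.tower-37.messagelabs.com with SMTP; 27 Apr 2010 02:23:10 -0000
Received: from vac (unknown [140.93.105.3])
    by mail.vac.gov.tw (Postfix) with ESMTP id 64ED7D6C431
    for XXXXXXXX ; Tue, 27 Apr 2010 10:22:32 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@vac212af2ce2>
From: "smile" <smiles@mail.knu.edu.tw>
"""

# An IPv4 literal that is not part of a longer dotted token.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold(raw: str) -> list[tuple[str, str]]:
    """Join folded continuation lines (leading whitespace) into (name, value) pairs."""
    fields: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> dict[str, Optional[str]]:
    """Extract peer host, its IP literal and the receiving host from one Received: value."""
    if not value.startswith("from "):
        # e.g. "(qmail 314 invoked from network); ...": local hand-off, no remote peer recorded
        return {"from_host": None, "from_ip": None, "by_host": None}
    from_part, _, by_part = value.partition(" by ")
    m_from = re.match(r"from\s+(\S+)", from_part)
    m_by = re.match(r"(\S+)", by_part)
    m_ip = IPV4.search(from_part)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "from_ip": m_ip.group(1) if m_ip else None,
        "by_host": m_by.group(1) if m_by else None,
    }


def hops(raw: str) -> list[dict[str, Optional[str]]]:
    """Received: hops in transit order: index 0 is the earliest (injecting) hop.

    Each MTA prepends its own Received: line, so the bottom-most one is the first hop.
    Only the line written by your own (or a trusted) MTA is verifiable; anything below
    it could have been forged by the sender.
    """
    received = [v for n, v in unfold(raw) if n.lower() == "received"]
    return [parse_received(v) for v in reversed(received)]


def origin_ip(raw: str) -> Optional[str]:
    """IP of the earliest hop that recorded a remote peer address."""
    for hop in hops(raw):
        if hop["from_ip"]:
            return hop["from_ip"]
    return None


def sender_domain(raw: str) -> Optional[str]:
    """Domain part of the From: address, lower-cased."""
    for name, value in unfold(raw):
        if name.lower() == "from":
            m = re.search(r"@([\w.-]+)", value)
            return m.group(1).lower() if m else None
    return None


def relay_consistent_with_sender(raw: str) -> bool:
    """True if some host in the relay chain belongs to the claimed sender's domain.

    Assumption: the last three labels (knu.edu.tw for mail.knu.edu.tw) stand in for
    the registrable domain; a real deployment would consult a public-suffix list.
    """
    domain = sender_domain(raw)
    if not domain:
        return False
    suffix = ".".join(domain.split(".")[-3:])
    for hop in hops(raw):
        for host in (hop["from_host"], hop["by_host"]):
            if host and host.lower().rstrip(".").endswith(suffix):
                return True
    return False


if __name__ == "__main__":
    for i, hop in enumerate(hops(SAMPLE_HEADERS)):
        print(f"hop {i}: from {hop['from_host']} [{hop['from_ip']}] by {hop['by_host']}")
    print("origin:", origin_ip(SAMPLE_HEADERS))
    print("relay consistent with sender:", relay_consistent_with_sender(SAMPLE_HEADERS))
```

Run on the sample, the script reports 140.93.105.3 as the injecting hop and `False` for the sender check, because no host in the chain belongs to knu.edu.tw; the same walk applied to the page's other header blocks yields 218.94.121.180 (Horde webmail at NTU) and the Yahoo web-client peers. The one-hop-trust caveat in `hops()` matters: only the Received: line added by your own MTA is authoritative, so the origin it returns is the peer that connected to the first trusted relay, not necessarily the attacker's own machine.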

    Thursday, April 29, 2010

    Apr 26 CVE-2010-0188 PDF North Korea Policy Piece from (fake) walterkeats@yahoo.com

    Download  4fcc7b56fdc488a333f3d97ad502eb22 20100426_WLK_Position_Paper.pdf as a password protected archive (please contact me for the password if you need it)


    Details 4fcc7b56fdc488a333f3d97ad502eb22 20100426_WLK_Position_Paper.pdf 


    From: Keats, Walter [mailto:walterkeats@yahoo.com]
    Sent: Monday, April 26, 2010 9:53 AM
    To: XXXXXXXXXXXXXX
    Subject: North Korea Policy Piece

    XXXXX

    I was able to visit the DPRK in February, my 20th trip, demonstrating that Americans can now visit the DPRK year round.  The most significant new thing I did this trip was to visit Sinchon where there was a massacre in the fall of 1950.  Pretty gruesome, but not clear who did what to whom.  I also got to see the Pyongyang Golf Club, although it was snow covered, among other sites in the Pyongyang area.

    At any rate, I have written the attached opinion piece, not for publication or attribution, to see what you and others think about it.  Let me know at your convenience.

    Best regards,

    Walter

    Walter L. Keats, CTC, CMP
    President
    Asia Pacific Travel, Ltd.
    P.O. Box 350
    Kenilworth, IL 60043-0350 USA

    Celebrating 30 years of designing memorable custom individual and small group tours to East Asia for discerning clients.

    The only American company directly authorized by North Korea to arrange for tourists from America and other countries to visit the DPRK.

    Header info
    Received: from [204.12.252.250] by web114508.mail.gq1.yahoo.com via HTTP; Mon, 26 Apr 2010 06:53:11 PDT
    X-Mailer: YahooMailClassic/10.1.9 YahooMailWebService/0.8.102.267879
    Date: Mon, 26 Apr 2010 06:53:11 -0700
    From: "Keats, Walter"

         204.12.192.0/18     AS32097
    RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
    WholeSale Internet, Inc. WHOLESALEINTERNET-3 (NET-204-12-192-0-1)
    204.12.192.0 - 204.12.255.255
    Daigou Inc. WII-2197-10075602 (NET-204-12-252-248-1)
    204.12.252.248 - 204.12.252.255

    File 20100426_WLK_Position_Paper.pdf received on 2010.04.29 04:24:04 (UTC)
    Result: 6/41 (14.64%)
    Avast    4.8.1351.0    2010.04.28    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.28    PDF:CVE-2010-0188
    ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-22668
    eTrust-Vet    35.2.7456    2010.04.28    PDF/CVE-2010-0188!exploit
    GData    21    2010.04.29    PDF:CVE-2010-0188
    Sophos    4.53.0    2010.04.29    Troj/PDFJs-II
    Additional information
    File size: 44661 bytes
    MD5...: 4fcc7b56fdc488a333f3d97ad502eb22




    Wednesday, April 28, 2010

    Apr 23 CVE-2008-4841 DOC Important Message from indianembassy.org.cn


    Download  03546e59967af0c2dbf609013934cd07 message-cv.doc as a password protected archive (please contact me for the password, if you need it)


    Details 03546e59967af0c2dbf609013934cd07 message-cv.doc


    From: polsec@indianembassy.org.cn [mailto:polsec@indianembassy.org.cn]
    Sent: Friday, April 23, 2010 4:30 AM
    To: XXXXXXXXXX
    Subject: Important Message

    Dear sir,

       Pls find attached file .

    Regards,

    Satish Kumar
    Second Secretary,
    Embassy of India,
    Beijing


    http://www.virustotal.com/analisis/7a6b78a4662ceca77e76cd7f2bc08f69a588fc7547db60eb77eb4c328a04c0a8-1272378511
    File message-cv.doc received on 2010.04.27 14:28:31 (UTC)
    Result: 13/40 (32.50%)
    a-squared     4.5.0.50     2010.04.27     Exploit.Win32.CVE-2008!IK
    Authentium     5.2.0.5     2010.04.27     MSWord/Dropper.B!Camelot
    BitDefender     7.2     2010.04.27     Exploit.MSOffice.Gen
    F-Prot     4.5.1.85     2010.04.26     CVE-2006-2389
    F-Secure     9.0.15370.0     2010.04.27     Exploit.MSOffice.Gen
    Fortinet     4.0.14.0     2010.04.27     MSWord/Agent.Y!exploit
    GData     21     2010.04.27     Exploit.MSOffice.Gen
    Ikarus     T3.1.1.80.0     2010.04.27     Exploit.Win32.CVE-2008
    Jiangmin     13.0.900     2010.04.27     Exploit.MSWord.b
    McAfee-GW-Edition     6.8.5     2010.04.27     Heuristic.BehavesLike.Exploit.OLE2.CodeExec.EBKP
    Microsoft     1.5703     2010.04.27     Exploit:Win32/CVE-2008-4841
    nProtect     2010-04-27.01     2010.04.27     Exploit.MSOffice.Gen
    Panda     10.0.2.7     2010.04.26     Trj/1Table.C
    Additional information
    File size: 292864 bytes
    MD5   : 03546e59967af0c2dbf609013934cd07

    Headers
    Received: from unknown (HELO mail.niit.com.cn) (202.109.110.87)
      by XXXXXXXXXXXXX  with SMTP; 23 Apr 2010 08:30:17 -0000
    Received: Fri, 23 Apr 2010 16:30:13 +0800
    From: polsec@indianembassy.org.cn       
    Hostname:    202.109.110.8
          ISP:    ChinaNet Shanghai Province Network
          Organization:    Business China Trading Company
          Country:    China
          State/Region:    Shanghai
          City:    Shanghai

    dl-niit.com, niit.com.cn, okshanghai.com, www.niit.com.cn, mail.niit.com.cn and at least three other hosts point to 202.109.110.87. It is blacklisted in four lists.

    dl-niit.com
    indianembassy.org.cn
    mail.indianembassy.org.cn
    mail.niit.com.cn
    niit.com.cn
    okshanghai.com
    www.indianembassy.org.cn
    www.niit.com.cn

    Domains using this as mail server
    indianembassy.org.cn(primary)
    niit.com.cn(primary)


    Malware Links April 2010

    Sunday, April 25, 2010

    Apr 13 JAVA Malware evading decompilation by Donato "ratsoul" Ferrante - www.InReverse.net Post #5

    The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on April 13, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010 (against their new blog, which replaced www.inreverse.net). The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    www.inreverse.net is currently inaccessible; therefore we are publishing the InReverse Java analysis here (this is Post #5), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.
    Donato "ratsoul" Ferrante can be reached at ratsoul -at- inreverse-net


    Download 9 files listed below as a password protected archive (please contact me for the password, if you need it)



    All Virustotal scan results are from April 25, 2010. Compare them to the initial scan results of some of the samples (1/42 and 0/42, see post #5).
    1. 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1, Post #1 - Virustotal 26/40
    2. 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1, Post #2 - Virustotal 17/41
    3. 38f083169319d0141532db992d295448.jar from JAVA Sound malware, Post #3 - Virustotal 11/41
    4. 52586e8a85188a0ada59294650c91362.jar from JAVA Sound malware, Post #3 - Virustotal 19/41
    5. 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA malware family, Post #4 - Virustotal 20/38
    6. a022524cb52223a939ba50043d90ff94.jar from JAVA malware family, Post #4 - Virustotal 21/39
    7. d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA malware family, Post #4 - Virustotal 16/40
    8. 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation, Post #5 - Virustotal 11/39
    9. a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation, Post #5 - Virustotal 10/40
           
    ----------------------------------------
    Tuesday, April 13, 2010
    Donato "ratsoul" Ferrante
     JAVA Malware evading decompilation
    Hello,

    Some days ago Param (thanks!), one of our blog readers, sent me a couple of undetected JAVA malwares, which I'm going to analyze; the MD5s are:

    (Sample 1) 2138bfc0c92b726a13ff5095bd2f2b72
    (Sample 2) a0585edf638f5d1c556239d3bfaf08db

    At this time, both of these malwares have a low detection, the first one 1/42 and the second one 0/42 on VirusTotal.

    One of the interesting things is that if you try to decompile these samples by using jD you will get the following notice:
    So after a little investigation I figured out the reason. The reason is that jD is unable to handle methods with a large body.

    Is it a problem? No. To proceed with the analysis we can summon JAD. In fact, by using JAD we can obtain the full code. Here are some snippets taken from the two samples.

    (I will go fast on the analysis, at the end of the post you can find a couple of links with more details about these malwares.)

    Sample 1:
    ([CVE-2009-3867])

    Imports reveal a lot of information about what the malware is trying to "use"...