Monday, November 4, 2013

Fwd: Please support democracy fighter Yan Bojun (颜伯钧)

I received a malicious email; the raw message source is saved at http://file.zuo.la/virusmail/2013NOV/hnlawyeroffice@yeah.net.txt

The VirusTotal analysis results are at:

https://www.virustotal.com/zh-cn/file/94dacae29dc11aa1fa30c558d3765c124797a248d14127ad4444bf41d3579342/analysis/1383564350/

Security researchers are welcome to investigate further; it would be even better if someone could post the email's behavior.

Below are the analysis results from http://scan.xecure-lab.com:

民主斗士颜伯钧简历.doc (filename: "Résumé of democracy fighter Yan Bojun.doc")

Date: 2013-11-04 19:31:13
Type: RTF
Size: 651159 bytes
MD5: e2ceabf6cfc8fc1cd4dd3dcdfa0dc200
SHA1: d737c16649964c594c4a1fdf20bbb8117401f73c

Information

Malware

The analyzed sample exhibits these behaviors: process hijacking and code injection, network activity, and keylogging.
CVE: CVE-2012-0158 (MS12-027). The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers 'system state' corruption, as exploited in the wild in April 2012, aka 'MSCOMCTL.OCX RCE Vulnerability.'
Malware File
  • %SystemDrive%\Documents and Settings\All Users\DRM\WLM\TMAS_WLMHook.dll
    MD5 = c6a27ccba8e694e50cd99c72****
  • %USERPROFILE%\Local Settings\Temp\DW20.dll
    MD5 = ed026e47c53c00ad14172087****
  • %SystemDrive%\Documents and Settings\All Users\DRM\WLM\TMAS_WLMMon.exe
    MD5 = 938c1e2b62a70e4ad6992c9e****
Autorun
  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WLM\\
Mutex
  • PSMwexeoqsjrvbbl
  • fzlk
C&C
  • web.bacguarp.com
  • web.zuesinfo.com
PDB String
  • d:\spambuster\src\release\TMAS_WLMMon.pdb

Malware Behavior Graph



---------- Forwarded message ----------
From: 律师陈宝成 (Lawyer Chen Baocheng) <hnlawyeroffice@yeah.net>
Date: November 4, 2013, 4:23 PM
Subject: Please support democracy fighter Yan Bojun (颜伯钧)
To: 周曙光 (Zhou Shuguang) <zuola.com@gmail.com>


Mr. Yan Bojun is currently in exile within the country over the issue of official asset disclosure; he is now in financial straits and living in hardship. If it is convenient for you, please help him get through this difficult time:
Agricultural Bank of China, Jingyuan County sub-branch, Gansu Province; account name: Sun Mei (孙梅);    card number: 6228481226072149867
Please forward and spread widely!



Zhou Shuguang's Web Log (周曙光的网络日志)