About contagio exchange

Contagio Exchange was created to absorb malware samples shared by readers of Contagio. This is meant to be a community-driven malware collection.
Edit Aug 2013 - The community is busy, and Mila too, so this was not a very active site (my fault, probably), so I will just be dumping malware strings here - it often helps in malware identification, and googling is the best way.
With just strings, it is not exactly a fun blog to read, but it might become a useful resource over time.
I will not be posting samples here, just MD5 hashes. You can find the corresponding samples on Contagio or ping me if you can't find
M
P.S. Robot pictures delivered by Robohash.com (generated from file hashes)

Thursday, May 3, 2012

019 APT Speech.doc MacOS_X/MS09-027.A Word exploit for MS Word

Someone uploaded. Thank you for sharing.
Document language code is Arabic, which is kind of interesting.

Research: Microsoft, "An interesting case of Mac OSX malware"


Download (password: infected)

File: speech.doc
Size: 158854
MD5:  F4CBFE4F2DDF3F599984CF6D01C1B781


The text of the decoy (clean document) message:
Your Excellency
The United Nations Commission for Human Rights
The United Nations Commission for Human Rights Office
Geneva, Switzerland.
Dated: 9th March 2012.
Your Excellency,
The Tibetans throughout the Globe will commemorate the 53rd Anniversary of the Tibetan National Uprising Day in Lhasa, Tibet in 1959, against the Peoples Republic of China. During these 53 long years of struggle, thousands of innocent Tibetans were tortured, imprisoned and killed by the Chinese government, without a fair trial. Tibet's rich resources are plundered and the environment destroyed with deforestation, elimination of its rare species of wildlife and diverting and damming of Tibet's holy rivers which are source of lifeline for many Asian countries.
Since 2008, massive crackdowns and indoctrination of Tibetan monks and nuns were imposed by the Chinese Government. Due to heavy handedness of the Chinese authorities, and the unbearable condition of the Tibetans under their most repressive rule, the Tibetans from all parts of Tibet, especially Ngaba and Karzi regions unitedly protested, demanding the return of Tibet's spiritual leader H.Holiness the Dalai Lama and freedom for Tibet. Instead of addressing the problems being faced by the Tibetans under the Chinese repressive rule in Tibet, the Chinese authorities sought to use forceful methods by firing on unarmed Tibetan protestors, beating and injuring them. Since 16th March 2011, over 24 Tibetans have self-immolated, calling for return of Tibet's spiritual leader H.Holiness the Dalai Lama and freedom for Tibet. In short, Tibet is cut off from outside world, with ban on the entry of foreign media personnel and tourists.
We therefore, appeal to your Excellency and the representatives of the United Nations member countries to take immediate action on the following demands:-
1) Insist the Peoples Republic of China to immediately call back all Chinese Security personnel from Ngaba and Karzi regions of Tibet.
2) All the monks and nuns must be allowed to return unconditionally to their respective monasteries.
3) Insist the Chinese authorities to release all the political prisoners, especially the young Panchen Lama, Gedun Choekyi Nyima and Tulku Tenzin Delek.
4) Allow foreign diplomats and independent media unfettered access to all the Tibetan areas for observation.
5) Stop all forms of persecution in Tibet and adhere to Global Human Rights norms.
Your Excellency, we Tibetans inside Tibet and in other parts of the world, appeal and look forward eagerly to genuine political support from the United Nations like any other weaker nations who are facing tremendous aggression from more powerful nations in the world.
As you are aware, we Tibetans, under the leadership of His Holiness the Dalai Lama, the non-violent and compassionate leader who follows non-violence even to the last resort, continue to follow His steps to gain Freedom for the Tibetans.
Thanking you,
With due respect and hope,
TENZIN WANGMO, President, RTWA Bylakuppe, Karnataka State
PHURBU LHAMO, President, RTWA Kollegal, Karnataka State
xicp.net
Shanghai Best Oray Information S&T Co., Ltd. (yezi@oray.com)
1st Floor of No. 15 Jian Gong Road, Tianhe District, Guangzhou, 510665, China
Tel. +86.2061073384
Fax. +86.20


Virustotal
SHA256:     6a70e797617bb8958bfbe94a42374447e3859c6b4ef1e108d43a30b5db74480b
SHA1:     445959611bc2480357057664bb597c803a349386
MD5:     f4cbfe4f2ddf3f599984cf6d01c1b781
File size:     155.1 KB ( 158854 bytes )
File name:     speech.doc
File type:     MS Word Document
Detection ratio:     27 / 42
Analysis date:     2012-05-04 02:00:26 UTC
AhnLab-V3     Dropper/Ms09-027     20120503
AntiVir     EXP/CVE-2009-0563.A     20120504
Antiy-AVL     Exploit/MSWord.CVE-2009-0563     20120504
Avast     MacOS:DocDrop-A [Expl]     20120504
BitDefender     Exploit.CVE-2009-0563.Gen     20120504
ClamAV     OSX.Word.Malware     20120504
Comodo     UnclassifiedMalware     20120503
DrWeb     Exploit.MS09-027.1     20120504
Emsisoft     Exploit.MS04.CVE-2004-0210-2009-0563.A!IK     20120504
eTrust-Vet     OSX/MS09-027!exploit     20120503
F-Secure     Exploit:OSX/MS09027.A     20120504
Fortinet     W97M/CVE_2009_0563.A!exploit     20120504
GData     Exploit.CVE-2009-0563.Gen     20120504
Ikarus     Exploit.MS04.CVE-2004-0210-2009-0563.A     20120504
Kaspersky     Exploit.MSWord.CVE-2009-0563.a     20120504
McAfee     Exploit-MSWord.m     20120503
McAfee-GW-Edition     Heuristic.BehavesLike.Exploit.W97.CodeExec.O     20120503
Microsoft     Exploit:MacOS_X/MS09-027.A     20120503
NOD32     OSX/Exploit.MSWord.CVE-2009-0563.A     20120504
nProtect     Exploit.CVE-2009-0563.Gen     20120503
PCTools     Trojan.Mdropper     20120504
Sophos     Troj/DocOSXDr-A     20120504
SUPERAntiSpyware     -     20120411
Symantec     Trojan.Mdropper     20120504
TrendMicro     TROJ_MDROPR.LB     20120503
TrendMicro-HouseCall     -     20120504
VIPRE     Trojan.Msword.Mdropper.a (v)     20120503
VirusBuster     Exploit.CVE-2009-0563.Gen     20120503


ssdeep
1536:KgyNLrsGpdccCBOdK4TaC5V7dMorYjTBGI:ONPsGpe4TaCf7c
TrID
Microsoft Word document (80.0%)
Generic OLE2 / Multistream Compound File (20.0%)
ExifTool

SharedDoc................: No
Author...................: captain
HyperlinksChanged........: No
LinksUpToDate............: No
LastModifiedBy...........: captain
HeadingPairs.............: Title, 1
Template.................: Normal.dotm
CharCountWithSpaces......: 0
CreateDate...............: 2010:08:22 10:37:00
CompObjUserType..........: Microsoft Office Word 97-2003 Document
ModifyDate...............: 2010:08:22 10:37:00
TitleOfParts.............:
Company..................:
Characters...............: 0
ScaleCrop................: No
CodePage.................: Windows Arabic
RevisionNumber...........: 2
MIMEType.................: application/msword
Words....................: 0
FileType.................: DOC
Lines....................: 1
AppVersion...............: 12.0
Security.................: None
Software.................: Microsoft Office Word
TotalEditTime............: 0
Pages....................: 1
CompObjUserTypeLen.......: 39
Paragraphs...............: 1


Submitted file names:
   1. speech.doc
   2. 1.do
   3. 1.doc
   4. file-3831515_
   5. 6a70e797617bb8958bfbe94a42374447e3859c6b4ef1e108d43a30b5db74