> -----Original Message-----
> From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx]
> Sent: Saturday, April 22, 2006 12:11 PM
> To: phishing@xxxxxxxxxxxxxxxxx;
> binaryanalysis@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: PowerPoint Phishing Trojan
>
> Hi all,
>
> Just an FYI, there is a neat little PowerPoint Trojan that we received
> from a helpful source yesterday. It appears to be exploiting
> this vuln:
>
> http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
>
> I extracted the PE file(s) out of the ppt and got only 3 recognizing
> the file as malicious:
>
> I have the binary available to AV vendors by request.
>
> I found the blind drop and have recovered all the stolen files.
>
> Thanks.
>
> Antivirus           Version         Update      Result
> AntiVir             6.34.0.24       04.20.2006  no virus found
> Avast               4.6.695.0       04.21.2006  no virus found
> AVG                 386             04.21.2006  no virus found
> Avira               6.34.0.56       04.21.2006  no virus found
> BitDefender         7.2             04.22.2006  Trojan.PPT.A
> CAT-QuickHeal       8.00            04.21.2006  no virus found
> ClamAV              devel-20060202  04.22.2006  no virus found
> DrWeb               4.33            04.21.2006  BACKDOOR.Trojan
> eTrust-InoculateIT  23.71.136       04.22.2006  no virus found
> eTrust-Vet          12.4.2171       04.21.2006  no virus found
> Ewido               3.5             04.21.2006  no virus found
> Fortinet            2.71.0.0        04.22.2006  suspicious
> F-Prot              3.16c           04.21.2006  no virus found
> Ikarus              0.2.59.0        04.21.2006  no virus found
> Kaspersky           4.0.2.24        04.22.2006  no virus found
> McAfee              4746            04.21.2006  no virus found
> NOD32v2             1.1501          04.21.2006  probably unknown NewHeur_PE virus
> Norman              5.90.16         04.21.2006  W32/Malware
> Panda               9.0.0.4         04.21.2006  Suspicious file
> Sophos              4.04.0          04.21.2006  no virus found
> Symantec            8.0             04.22.2006  no virus found
> TheHacker           5.9.7.132       04.21.2006  no virus found
> UNA                 1.83            04.21.2006  no virus found
> VBA32               3.10.5          04.19.2006  no virus found
>
> Additional Information
> File size: 144514 bytes
> MD5: d8ec5f57861104fba4ee2e3f12cfa5a8
> SHA1: 94d2202fb50df5a8e00f5da50b8e0783ec144465
> Norman SandBox:
> [ General information ]
> * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@xxxxxxxxx -
> REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
> * File might be compressed.
> * Decompressing ASPack.
> * File length: 144514 bytes.
>
> [ Changes to filesystem ]
> * Creates file C:\WINDOWS\SYSTEM32\wbem\wmiadapt.exe.
> * Creates file C:\WINDOWS\SYSTEM32\systhin.dll.
>
> [ Process/window information ]
> * Modifies other process memory.
> * Creates a remote thread.
>