A targeted attack has been spotted exploiting the RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333). An email carrying a file attachment named Laden's Death.doc was personally sent to many recipients.
File: Laden's Death.doc
File size: 163065 bytes
Distribution method: email
VirusTotal detection rate: 16 of 41
The vulnerability exploited by this malware was patched last November in MS10-087.
According to VirusTotal 16 of 41 antiviruses recognize this file as a threat (http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304649567).
The email was sent from a Lotus Notes mail server (IP 22.214.171.124), which was most likely compromised.
Tue, 03 May 2011 11:34:06 -0400 (EDT)
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
This is a multi-part message in MIME format.
To whom it may concern.
XXX Signature spoofed XXXXXXXXXXXXXXXXX
When the RTF file is opened, the exploit runs its shellcode, which creates and executes the file C:\RECYCLER\server.exe. This file performs the following actions:
- Creates a file named vmm2.tmp in the system's temporary folder.
- Renames vmm2.tmp to dhcpsrv.dll and moves it into c:\windows\system32\.
- Modifies the registry to run the hijacked DHCP service.
File information on the malicious c:\windows\system32\dhcpsrv.dll:
File size: 44504 bytes
Distribution method: dropped by Exploit:W32/Cve-2010-3333.G
VirusTotal detection rate: 13 of 42
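As an added example (not code from the original write-up), the following Python triage script checks a host snapshot for the artefacts described above: the dropper in C:\RECYCLER, the vmm2.tmp staging file, the 44504-byte dhcpsrv.dll, and the DHCP service registry change. It assumes, which the write-up does not state, that the legitimate DHCP Client service loads dhcpcsvc.dll through the ServiceDll value under Services\Dhcp\Parameters, so any other DLL there is treated as the hijack.

```python
import os
import re
from typing import Dict, List, Optional

# Host artefacts named in the write-up above.
DROPPER_PATH = r"C:\RECYCLER\server.exe"
PAYLOAD_PATH = r"C:\Windows\System32\dhcpsrv.dll"
PAYLOAD_SIZE = 44504          # bytes, per the write-up
STAGING_NAME = "vmm2.tmp"     # dropped into the temp folder first
# Assumption (not from the write-up): the DHCP Client service normally loads
# dhcpcsvc.dll via HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\ServiceDll.
EXPECTED_SERVICEDLL = re.compile(r"\\dhcpcsvc\.dll$", re.IGNORECASE)


def evaluate(files: Dict[str, int], dhcp_servicedll: Optional[str],
             temp_names: List[str]) -> List[str]:
    """Return findings for one host snapshot.

    files: absolute path -> size in bytes for files present on the host.
    dhcp_servicedll: ServiceDll value of the Dhcp service, or None if absent.
    temp_names: file names present in the system's temporary folder.
    """
    lower = {p.lower(): s for p, s in files.items()}
    findings = []
    if DROPPER_PATH.lower() in lower:
        findings.append("dropper present: " + DROPPER_PATH)
    size = lower.get(PAYLOAD_PATH.lower())
    if size is not None:
        tag = "size matches write-up" if size == PAYLOAD_SIZE else "size differs (%d bytes)" % size
        findings.append("payload present: %s (%s)" % (PAYLOAD_PATH, tag))
    if any(n.lower() == STAGING_NAME for n in temp_names):
        findings.append("staging file present in temp folder: " + STAGING_NAME)
    if dhcp_servicedll is not None and not EXPECTED_SERVICEDLL.search(dhcp_servicedll):
        findings.append("Dhcp ServiceDll does not point at dhcpcsvc.dll: " + dhcp_servicedll)
    return findings


def triage_windows_host() -> List[str]:
    """Collect the inputs from a live Windows host and evaluate them (Windows only)."""
    import winreg  # only importable on Windows
    files = {p: os.path.getsize(p) for p in (DROPPER_PATH, PAYLOAD_PATH) if os.path.isfile(p)}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Dhcp\Parameters")
    try:
        servicedll = winreg.QueryValueEx(key, "ServiceDll")[0]
    except OSError:
        servicedll = None
    finally:
        winreg.CloseKey(key)
    temp_dir = os.environ.get("TEMP", r"C:\Windows\Temp")
    return evaluate(files, servicedll, os.listdir(temp_dir))
```

On a non-Windows analysis box, call evaluate() directly with data exported from the suspect host.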
After a successful start, the Trojan tries to resolve the following domains:
We advise all users to install patches for MS10-087.
A description of the vulnerability, along with links to patches, can be found here: http://www.naked-security.com/nsa/198110.htm