0day 27-28May2008 in Flash
I checked the exploited flash files and the bug exploited (BugTraq ID:29386) will attempt to download real malware to C:\6123t.exe and uses urlmon.dll for it.
So users of GFI WebMonitor 4 should be protected in most cases.
Good info about this vuln. is at this blog: http://ddanchev.blogspot.com
on May 29th, 2008 at 5:51 am
cheers … the site is still up =)
flash1.swf: Macromedia Flash data, version 9
flash.swf: Macromedia Flash data, version 9
lz.htm: ASCII text, with CRLF line terminators
real.js: ASCII text, with very long lines, with CRLF line terminators
rl.htm: ASCII text, with CRLF line terminators
xl.htm: ASCII text, with CRLF line terminators
Looking at one of the html files … it's interesting to see them using variables which are popular names:
AntiVir
Silverlight
ActivePerl
Yorkfield
Samsung
This html file contains exploit code for Xunlei Thunder, which seems to be .cn specific really.
Looking at the rest …
flash1.swf gets http://www.lovedai.cn - / - back.css and stores it to C:\6123t.exe
http://www.lovedai.cn/ - seems to be a blog of geeky nature in Chinese. According to google translate, the latest post on this blog is about SQL injection.
http://anubis.iseclab.org/result.php?taskid=32e80ae1e409da641560aad9c37c5cba&refresh=1#id2292370
http://www.virustotal.com/analisis/81a419304ce50732be60e0e99255d765
on May 29th, 2008 at 3:41 pm
BTW, that flash file is as of today caught by Kaspersky as Trojan-Downloader.SWF.Small.y
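A small SWF triage script of the kind a defender would run over files like those listed above: it parses the FWS/CWS header, inflates a compressed body, and flags the downloader indicators the comments mention (urlmon.dll, an http URL, a drive-rooted .exe drop path). This is an added example, not code from the thread; the sample SWF it scans is constructed inline and is not the real malicious file.

```python
import re
import struct
import zlib

# Constructed sample: a minimal compressed SWF (CWS, version 9) whose body
# carries strings of the kind described in the comments. Not the real file.
_BODY = (
    b"\x00" * 16
    + b"urlmon.dll\x00URLDownloadToFileA\x00"
    + b"http://www.lovedai.cn/back.css\x00C:\\6123t.exe\x00"
    + b"\x00" * 16
)
SAMPLE_SWF = b"CWS" + bytes([9]) + struct.pack("<I", 8 + len(_BODY)) + zlib.compress(_BODY)

# Indicators worth flagging in a downloader SWF: the WinINet-style download
# helper, any plain URL, and a drive-rooted executable path.
SUSPICIOUS = {
    "urlmon": re.compile(rb"urlmon\.dll", re.I),
    "download_api": re.compile(rb"URLDownloadToFile[AW]?", re.I),
    "url": re.compile(rb"https?://[\x21-\x7e]+"),
    "exe_path": re.compile(rb"[A-Za-z]:\\[\x21-\x7e]*\.exe", re.I),
}


def parse_swf(data):
    """Return (version, declared_len, body) for an FWS/CWS file; raise on junk."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not a Flash (SWF) file")
    version = data[3]
    # The header length field is the *uncompressed* size including the header.
    declared_len = struct.unpack("<I", data[4:8])[0]
    body = data[8:]
    if data[:3] == b"CWS":
        body = zlib.decompress(body)
    return version, declared_len, body


def triage_swf(data):
    """Header facts plus every suspicious string found, keyed by category."""
    version, declared_len, body = parse_swf(data)
    found = {name: [m.decode("latin-1") for m in rx.findall(body)] for name, rx in SUSPICIOUS.items()}
    return {
        "version": version,
        "length_ok": declared_len == 8 + len(body),
        "hits": {k: v for k, v in found.items() if v},
    }


if __name__ == "__main__":
    print(triage_swf(SAMPLE_SWF))
```

Strings hidden inside obfuscated ActionScript bytecode will not surface this way, so a clean result is inconclusive and a hit is a reason to sandbox the file, not proof on its own.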