Comments on: 0day 27-28May2008 in Flash http://geekbazaar.org/2008/05/28/0day-27-28may2008-in-flash/ our few seconds of fame Tue, 02 Dec 2008 00:31:15 +0000 http://wordpress.org/?v=2.6.3 By: Spacer http://geekbazaar.org/2008/05/28/0day-27-28may2008-in-flash/#comment-6121 Spacer Thu, 29 May 2008 13:41:15 +0000 http://geekbazaar.org/?p=872#comment-6121 BTW that flash file is from today caught by Kaspersky as Trojan-Downloader.SWF.Small.y BTW that flash file is from today caught by Kaspersky as Trojan-Downloader.SWF.Small.y

]]> By: sandro http://geekbazaar.org/2008/05/28/0day-27-28may2008-in-flash/#comment-6116 sandro Thu, 29 May 2008 03:51:04 +0000 http://geekbazaar.org/?p=872#comment-6116 cheers ... the site is still up =) flash1.swf: Macromedia Flash data, version 9 flash.swf: Macromedia Flash data, version 9 lz.htm: ASCII text, with CRLF line terminators real.js: ASCII text, with very long lines, with CRLF line terminators rl.htm: ASCII text, with CRLF line terminators xl.htm: ASCII text, with CRLF line terminators looking at one of the html files ... its interesting to see them using variables which are popular names: AntiVir Silverlight ActivePerl Yorkfield Samsung This html file contains exploit code for Xunlei Thunder .. which seems to be .cn specific really. Looking at the rest .. flash1.swf gets http://www.lovedai.cn - / - back.css and stores it to C:\6123t.exe http://www.lovedai.cn/ - seems to be a blog of geeky nature in Chinese. According to google translate, the latest post on this blog is about SQL injection. http://anubis.iseclab.org/result.php?taskid=32e80ae1e409da641560aad9c37c5cba&refresh=1#id2292370 http://www.virustotal.com/analisis/81a419304ce50732be60e0e99255d765 cheers … the site is still up =)

flash1.swf: Macromedia Flash data, version 9
flash.swf: Macromedia Flash data, version 9
lz.htm: ASCII text, with CRLF line terminators
real.js: ASCII text, with very long lines, with CRLF line terminators
rl.htm: ASCII text, with CRLF line terminators
xl.htm: ASCII text, with CRLF line terminators

looking at one of the html files … its interesting to see them using variables which are popular names:
AntiVir
Silverlight
ActivePerl
Yorkfield
Samsung

This html file contains exploit code for Xunlei Thunder .. which seems to be .cn specific really.

Looking at the rest ..
flash1.swf gets http://www.lovedai.cn - / - back.css and stores it to C:\6123t.exe

http://www.lovedai.cn/ - seems to be a blog of geeky nature in Chinese. According to google translate, the latest post on this blog is about SQL injection.

http://anubis.iseclab.org/result.php?taskid=32e80ae1e409da641560aad9c37c5cba&refresh=1#id2292370
http://www.virustotal.com/analisis/81a419304ce50732be60e0e99255d765

]]>