Malicious Excel XLS file...
FYI...
- http://www.f-secure.com/weblog/archives/00001649.html
April 7, 2009 @ 11:10 GMT - "We see targeted attacks and espionage with trojans regularily. Here's a typical case. A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apprently to just one person... The exploit code creates two new DLL files to the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them. These DLL files are backdoors that try to communicate back to the attackers, using these sites:
• feng.pc-officer .com
• ihe1979.3322 .org
Right now, host ihe1979.3322 .org does not resolve at all, and feng.pc-officer .com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks. The domain name pc-officer .com is a weird one. It has been registered already in 2006, and it has been used in targeted attacks before. See this ISC blog entry from September 2007*. Here the attack was done via a DOC files, instead of XLS. And the reporting server was ding.pc-officer .com, not feng.pc-officer .com. If you haven't read about Ghostnet** yet, now would be a good time..."
* http://isc.sans.org/diary.html?storyid=3400
** http://en.wikipedia.org/wiki/GhostNet
(Screenshot available at the F-secure URL above.)
Update: "... IP 63.64.63.64 is just a placeholder; 216.255.196.154 is the real control server. They only bring it online sporadically, trying to avoid detection.
The IP is located in Spokane, USA:
% whois 216.255.196.154
OrgName: One Eighty Networks
OrgID: OEN-1
Address: 118 N Stevens
City: Spokane
StateProv: WA
PostalCode: 99201
Country: US ..."
