{
	"id": "bf27b2e2-e2c9-4051-bd16-ff600320e23c",
	"created_at": "2026-04-06T00:13:05.572905Z",
	"updated_at": "2026-04-10T03:22:08.816569Z",
	"deleted_at": null,
	"sha1_hash": "8c355b1067cdb2639d2e1311011dc79a95e73236",
	"title": "May 28 CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466325,
	"plain_text": "May 28 CVE-2009-3129 XLS for office 2002-2007 with fud keylogger EIDHR from david@humanright-watch.org\r\nArchived: 2026-04-05 13:46:39 UTC\r\nUpdate: Noticed an interesting post by Nart Villeneuve (Internet Censorship Explorer) regarding this malware and decided to update and resurrect the post.\r\nDownload 4f681733fd9e473c09f967fa87c9faef EIDHR.xls and all the files described below as a password-protected archive (contact me if you need the password).\r\nhttps://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html\r\n\r\nFrom: david@humanright-watch.org [mailto:david@humanright-watch.org] On Behalf Of Zhang Ying (張英)\r\nSent: Friday, May 28, 2010 2:31 AM\r\nTo: XXXXXX\r\nSubject: Regarding the EIDHR project (original subject: 關於EIDHR項目)\r\n\r\nEveryone,\r\nRegarding the EIDHR European human rights programme, I have consulted friends at the EU in detail. For the application to go through smoothly, some additional material still has to be supplied; the specific items required and a summary of their content are attached below. I wish you all success.\r\nZhang Ying\r\n\r\nFrom: SHARPE Simon (RELEX-BEIJING)\r\nSent: Monday, May 24, 2010 6:15 PM\r\nSubject: FW: EIDHR call for proposals (original subject: FW: EIDHR 项目征求书)\r\n\r\nHello everyone,\r\n\r\nThe EU currently has an EIDHR call for proposals. The purpose of the programme is to fund projects that promote human rights, and it covers a very wide range of fields. Please share this information with other interested friends.\r\n\r\nThemes of project activities\r\nProposals with the following themes will be given priority:\r\n1. The right to freedom of thought, religion and belief\r\n2. Freedom of speech and expression, including artistic and cultural expression and the right to information and communication, including media freedom, opposition to censorship and internet freedom\r\n3. The right to peaceful assembly and freedom of association, including the right to form and join trade unions\r\n4. The right to freedom of movement within a country, and the right to leave any country (including one's own) and to return to one's own country\r\n\r\nProject activities\r\nProject activities can take a range of forms, from monitoring, advocacy, public information and awareness-raising to capacity building, training and dialogue with stakeholders. The ultimate aim in every case is to strengthen the autonomy of civil society organisations in the country concerned.\r\nTotal project funding is a minimum of EUR 150,000 and a maximum of EUR 1,200,000. Project duration should be no less than 18 months and no more than 3 years.\r\nThe most important part is the project guidance in the attachment. A short concept note must be submitted first; the application deadline is 15 June. Applicants must fill in the forms (Annex A, B, C, etc.) at the link.\r\nThere are two ways to apply:\r\n1. Register and apply through the PADOR system: http://ec.europa.eu/europeaid/onlineservices/pador/index_en.htm\r\n2. Or send the concept note and forms A, B and C required for the application to the following address:\r\nPostal address\r\n\r\nEuropean Commission\r\nEuropeAid Co-operation Office\r\nUnit F4 – Finances, Contracts and Audit for thematic budget lines\r\nCall for Proposals Sector\r\nOffice: L-41 03/154\r\nB - 1049 Brussels\r\nBELGIUM\r\n\r\nCourier address\r\n\r\nEuropean Commission\r\nEuropeAid Cooperation Office\r\nUnit F4 – Finances, Contracts and Audit for thematic budget lines\r\nCall for Proposals Sector\r\nOffice: L-41 03/154\r\nCentral Mail Service\r\nAvenue du Bourget 1\r\nB-1140 Brussels (Evère)\r\nBELGIUM\r\n\r\nDetails of the call are at https://webgate.ec.europa.eu/europeaid/onlineservices/index.cfm?do=publi.welcome\u0026nbPubliList=15\u0026orderby=upd\u0026orderbyad=Desc\u0026searchtype=RS\u0026aofr=126352\r\nIf you need more information, please feel free to contact us. Thank you!\r\n\r\nXia Ming, EU Delegation to China\r\n\r\n(Original e-mail in Chinese; English translation above.)\r\n\r\nHeaders\r\nReceived: (qmail 3230 invoked from network); 28 May 2010 06:31:58 -0000\r\nReceived: from static-ip-251-116-134-202.rev.dyxnet.com (HELO mx02.diaocha8.com) (202.134.116.251) by XXXXXXXXXXXXXXXXXXX with SMTP; 28 May 2010 06:31:58 -0000\r\nReceived: from sppfszwr (unknown [180.98.74.10]) by mx02.diaocha8.com (EMOS V1.5 (Postfix)) with ESMTPA id 37B71109A81 for\r\nReply-To:\r\nSender: david@humanright-watch.org\r\nMessage-ID:\r\nFrom: =?utf-8?B?5by16Iux?= (RFC 2047 encoded-word; decodes to 張英)\r\nTo: XXXXXXXXXXXXXXX\r\nSubject: =?utf-8?B?6Zec5pa8RUlESFLpoIXnm64=?= (decodes to 關於EIDHR項目)\r\nDate: Fri, 28 May 2010 14:31:10 +0800\r\n\r\nThe earliest (bottom-most) Received header identifies the submitting client, which authenticated to mx02.diaocha8.com over SMTP AUTH (ESMTPA):\r\nHostname: 180.98.74.10\r\nISP: CHINANET jiangsu province network\r\nOrganization: CHINANET jiangsu province network\r\nState/Region: Jiangsu\r\nCity: Suzhou\r\n-\r\nFile EIDHR.xls received on 2010.06.02 04:13:50 (UTC)\r\nhttp://www.virustotal.com/analisis/8b8960a855603393190152439c64ac9fd16655b304d472ecb83422900369a266-1275452030\r\nResult: 17/41 (41.47%)\r\nEngine    Version    Update    Detection\r\na-squared    5.0.0.26    2010.06.02    Trojan-Dropper.MSExcel.Agent!IK\r\nAntiVir    8.2.1.242    2010.06.01    TR/Drop.MSExcel.Agent.BC\r\nAntiy-AVL    2.0.3.7    2010.06.01    Trojan/MSExcel.Agent\r\nAuthentium    5.2.0.5    2010.06.02    MSExcel/Dropper.B!Camelot\r\nBitDefender    7.2    2010.06.02    Exploit.D-Encrypted.Gen\r\nF-Secure    9.0.15370.0    2010.06.02    Exploit.D-Encrypted.Gen\r\nGData    21    2010.06.02    Exploit.D-Encrypted.Gen\r\nIkarus    T3.1.1.84.0    2010.06.02    Trojan-Dropper.MSExcel.Agent\r\nJiangmin    13.0.900    2010.05.31    Heur:Exploit.CVE-2009-3129\r\nKaspersky    7.0.0.125    2010.06.02    Trojan-Dropper.MSExcel.Agent.bc\r\nMcAfee-GW-Edition    2010.1    2010.06.02    Heuristic.BehavesLike.Exploit.X97.CodeExec.EBEB\r\nNorman    6.04.12    2010.06.01    ShellCode.B\r\nnProtect    2010-06-01.02    2010.06.01    Exploit.D-Encrypted.Gen\r\nPCTools    7.0.3.5    2010.06.02    HeurEngine.MaliciousExploit\r\nSymantec    20101.1.0.89    2010.06.02    Bloodhound.Exploit.306\r\nTrendMicro    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV\r\nTrendMicro-HouseCall    9.120.0.1004    2010.06.02    TROJ_MDROPR.MRV\r\nAdditional information\r\nFile size: 64166 bytes\r\nMD5: 4f681733fd9e473c09f967fa87c9faef\r\nExcel opens the file successfully, displaying the word hello, with a Chinese font set as the default. The document properties show that it was created on a Lenovo (Beijing) Limited laptop.\r\n\r\nFiles created\r\n1. D52EF63FDC5C5452D9DA23BD6D4BF0F5    %userprofile%\\Local Settings\\Temp\\1001.tmp    11kb    0/41 (VirusTotal)\r\n2. D52EF63FDC5C5452D9DA23BD6D4BF0F5    C:\\WINDOWS\\ntshrui.dll    11kb    0/41 (VirusTotal); same file as 1001.tmp\r\n3. A363ABE09A44176386C50EE887359270    %userprofile%\\Local Settings\\Temp\\set.xls    17kb    clean; this is the decoy spreadsheet shown above\r\nUpon reboot, it is copied to system32 as well.\r\n\r\nFile: ntshrui.dll\r\nMD5: d52ef63fdc5c5452d9da23bd6d4bf0f5\r\nSize: 10720\r\nModules loaded in explorer.exe (Handle, Owner, Object):\r\n0x01710000    1660: explorer.exe    C:\\WINDOWS\\ntshrui.dll\r\n0x76990000    1660: explorer.exe    C:\\WINDOWS\\system32\\ntshrui.dll\r\nWindows searches an executable's own directory before system32, so explorer.exe (which lives in C:\\WINDOWS) picks up the dropped C:\\WINDOWS\\ntshrui.dll: a DLL search-order hijack that gets the payload running inside explorer.exe at every logon without any autostart entry of its own.\r\n\r\nVirusTotal: File ntshrui.dll received on 2010.06.02 11:01:06 (UTC)\r\nResult: 0/41 (0%)\r\nAdditional information\r\nFile size: 10720 bytes\r\nMD5: d52ef63fdc5c5452d9da23bd6d4bf0f5\r\nntshrui.dll is digitally signed, but the signature is invalid: the signer is JinDiQIAO@hotmail.com and the certificate is issued by Root Agency, the test root that makecert produces by default, so the chain ends in nothing any Windows system trusts.\r\n\r\nNetwork\r\nTCP traffic to 117.85.151.96:3460 (360liveupdate.com)\r\n360liveupdate.com    117.85.151.96\r\nrobtex: 360liveupdate.com is controlled by two name servers at oray.net, which have a total of four IP addresses, all on different IP networks. The name server peanutmail.newpeanut.idc stated in the SOA record is not in the list of name servers. 360liveupdate.com resolves to one IP address. ctt.hk, 8jy.cn, ghcn.cn, 33cc.cn, jhcp.cn and at least 56 other hosts share name servers with this domain. 360liveupdate.com is hosted on a server in China. Its reputation is not yet known and it is not listed in any blacklists.\r\nhttp://www.robtex.com/dns/360liveupdate.com.html#whois\r\nDomain Name: 360LIVEUPDATE.COM\r\nRegistrar: XIN NET TECHNOLOGY CORPORATION\r\nWhois Server: whois.paycenter.com.cn\r\nReferral URL: http://www.xinnet.com\r\nName Server: NS1.ORAY.NET\r\nName Server: NS2.ORAY.NET\r\nStatus: ok\r\nUpdated Date: 29-jul-2009\r\nCreation Date: 29-jul-2009\r\nExpiration Date: 29-jul-2010\r\nHostname: 117.85.151.96\r\nISP: CHINANET jiangsu province network\r\nOrganization: CHINANET jiangsu province network\r\nType: Broadband\r\nState/Region: Jiangsu\r\nCity: Wuxi\r\n==============================================\r\nKeylogging\r\nA few minutes after the reboot, we find a file named Explorer in %systemroot%. Explorer is a text log of all explorer.exe activity; this is a common type of keylogger (see the screenshot in the original post).\r\nVicheck results\r\nhttps://www.vicheck.ca/malware.php?hash=4f681733fd9e473c09f967fa87c9faef\r\nSource: https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html"
	],
	"report_names": [
		"may-28-cve-2009-3129-xls-for-office.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c355b1067cdb2639d2e1311011dc79a95e73236.pdf",
		"text": "https://archive.orkl.eu/8c355b1067cdb2639d2e1311011dc79a95e73236.txt",
		"img": "https://archive.orkl.eu/8c355b1067cdb2639d2e1311011dc79a95e73236.jpg"
	}
}