"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13 but only first 564 bytes of the binary file are XOR'ed rest of the file is same. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with exploit, which starts from offset 0xC010. The size of the file is 45056 bytes. Note the doc headers start from "0xD0CF11E0" but the doc file attached with the exploit has headers starting from "0xCFD0E011". This means when the doc file is dropped in %temp% the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."
Read full analysis and download malware samples from Mila's blog:: http://contagiodump.blogspot.com/2010/02/feb-20-mainland-affairs-council-list-of.html