Archive for the 'E-mail' Category

27 Nov

More mailing list unsubscription phishing websites

STAY AWAY from these: they pose as mailing list unsubscription pages, but in reality they are being used to collect e-mail addresses, likely for future spam campaigns. I also suspect these domains are part of a current fake XP activation spam campaign.

DOMAINS:
campingchip.com
daily--movie-code.info
daily--movie-code.net
daily--movie-code.org
daily-movie--code.info
daily-movie--code.net
daily-movie-code.info
get--activation-code1.com
movie--code--online.info
movie--online-promo.info
movie-code-online.com
movie-code-online.info
movie-code-online.net
movie-code-online.org
movie-online-promo.info
movie-online-promo.org
net--activation--code1.com
net--activation--code1.net
net--activation-code1.info
net--activation-code1.net
net--activation-code1.org
net--code--activation.com
net--code--activation.info
net--code--activation.net
net--code-activation.com
net--code-activation.info
net--code-activation.net
net--code-activation.org
net--movie--promo.net
net--online--product.info
net--online--product.org
net--online-product.info
net--online-product.org
net--pdf--promo.info
net--pdf--promo.net
net--pdf-promo.com
net--pdf-promo.info
net--pdf-promo.net
net--pdf-promo.org
net-activation--code1.info
net-activation--code1.net
net-activation-code.com
net-activation-code1.info
net-activation-code1.net
net-activation-code1.org
net-online--product.info
net-online--promos.info
net-online-product.info
net-online-product.org
net-pdf--promo.info
net-pdf--promo.net
net-pdf-promo.com
net-pdf-promo.info
net-pdf-promo.net
net-pdf-promo.org
new--movie--code.net
new--product--offer.com
new--product--offers.com
new-movie--code.info
new-movie--code.net
new-movie--code.org
online--activation--code.net
online--activation-code.org
online--movie--promo.info
online--movie-promo.info
online--product-promos.info
online--promo--products.info
online--promo--products.org
online--promo-products.info
online--promo-products.org
online-activation--code.org
online-activation-code.com
online-activation-code.org
online-movie--promo.info
online-movie-promo.info
online-product--promo.net
online-product-promo.com
online-promo--products.info
online-promo-products.info
online-tv--promo.info
pdf--online--promo.org
pdf--online-promo.info
pdf--online-promo.org
pdf--promo-info1.net
pdf-online--promo.info
pdf-online--promo.org
pdf-online-promo.info
pdf-promo--code.org
pdf-promo--info1.net
pdf-promo-info.net
pdf-promo-info1.net
superiway.com
tv-new-promo.info

IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 - Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 - AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.
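Checking incoming mail against this list is simple enough to script, and the naming pattern (two or more of movie/code/promo/pdf/activation glued together, often with a double hyphen) also catches siblings that were not registered yet when the list was captured. The Python below is an added example, not code from this blog: REPORTED_DOMAINS is a subset of the list above, the e-mail body is constructed, and the keyword heuristic and the en-dash normalisation (WordPress renders a double hyphen as an en dash, so a pasted list may carry U+2013) are the example's own assumptions.

```python
"""Match URLs in an e-mail body against the reported phishing domain list.

Added example, not code from the original post. REPORTED_DOMAINS is a subset
of the post's list; the e-mail body used at the bottom is constructed.
"""
import re
from urllib.parse import urlparse

# Subset of the domains reported above (the full list is much longer).
REPORTED_DOMAINS = """
campingchip.com
daily--movie-code.info
movie-code-online.com
net--activation-code1.com
online-activation-code.com
pdf-promo-info1.net
superiway.com
""".split()

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Words the registrant mixed and matched across the campaign (heuristic, assumption).
CAMPAIGN_WORDS = {"activation", "movie", "promo", "promos", "pdf", "product", "products", "code"}


def normalise_domain(domain):
    """Lowercase, strip whitespace and a trailing dot, and turn a WordPress
    en dash (U+2013) back into the '--' the registrant actually used."""
    return domain.strip().lower().rstrip(".").replace("\u2013", "--")


def load_blocklist(lines):
    """Build a set of normalised domains from an IoC list; blank lines are ignored."""
    return {normalise_domain(d) for d in lines if d.strip()}


def host_of(url):
    """Return the normalised hostname of a URL, or None if it has none."""
    host = urlparse(url).hostname
    return normalise_domain(host) if host else None


def is_blocked(host, blocklist):
    """True if the host is a listed domain or a subdomain of one."""
    labels = host.split(".")
    for i in range(len(labels) - 1):      # the host itself, then each parent down to TLD+1
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def matches_campaign_pattern(host):
    """Naming heuristic for this campaign: a double hyphen anywhere, or at least
    two of the campaign keywords joined by hyphens in the leftmost label."""
    if "--" in host:
        return True
    words = set(host.split(".")[0].split("-"))
    return len(words & CAMPAIGN_WORDS) >= 2


def scan_email_body(body, blocklist):
    """Return (url, verdict) for every URL in the body; verdict is one of
    'blocklisted', 'suspicious-pattern' or 'clean'."""
    results = []
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host is None:
            continue
        if is_blocked(host, blocklist):
            results.append((url, "blocklisted"))
        elif matches_campaign_pattern(host):
            results.append((url, "suspicious-pattern"))
        else:
            results.append((url, "clean"))
    return results


if __name__ == "__main__":
    # Constructed sample body, not a real capture.
    sample = ("To stop receiving these messages visit "
              "http://www.daily--movie-code.info/unsubscribe.php?e=user%40example.invalid\n"
              "Mirror: http://net--pdf-promo.org/unsubscribe.php\n"
              "Help: https://example.com/")
    for url, verdict in scan_email_body(sample, load_blocklist(REPORTED_DOMAINS)):
        print(f"{verdict:20} {url}")
```

Subdomain matching matters here because the lure links in this campaign are as likely to use www. or a random host label in front of the registered name as the bare domain; the pattern check is deliberately a second-tier verdict so it can be routed to review rather than blocked outright.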

--mwdisector

08 Oct

Virus Response Lab 2009

Virus Response Lab 2009 malware sites. File is available in our repository under /stingner-malware/.

BE ADVISED: These sites may still be live. Proceed at your own risk.

Sites:

hxxp://virus-labs2009.com/
hxxp://virus-response.com/
hxxp://virusresplab.com/
hxxp://virusresponse2009.com/

File virlab_install.exe
Result: 12/36 (33.34%)

Virustotal

Removal:

Remove this threat with MalwareBytes!

Malware links:

hxxp://virus-labs2009.com/download.php
hxxp://virusresponse2009.com/download.php
hxxp://virus-response.com/download.php
hxxp://virusresplab.com/download.php

07 Sep

Malspam: Notices from IRS (taxform_for_print.scr)

Here is a piece of malspam we received that purports to be from the IRS, telling you that you are due a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5:
a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

27 Aug

YouTube Message Malspam

I received this in my inbox today, from YouTube, saying that someone had sent me a message. The URL in the message takes the user through two redirects and then prompts the user to download a file. This file is malware and currently has a low detection rate. Here is the information I’ve gathered. All of the URLs below are still live, so proceed at your own risk.

[screenshot]

hxxp://zz.gd/1d7d6a
-> hxxp://sghghdfgh.actionpooses.com/dfhgfhgfh
--> hxxp://actionpooses.com/livenow/live-now.htm
---> hxxp://212.179.35.9/Free-Girls-Cams-Viewer.exe

Free-Girls-Cams-Viewer.exe
Result: 6/36 (16.67%)
MD5:
716adbf47c6fffbd77604be9e9dd7043
VirusTotal
ThreatExpert Analysis

25 Aug

Antivirus 2008 Pro XP

We came across a new domain name registered at EstDomains today. This site may appear legitimate, as it sports a support page, affiliate page, terms of service, etc. But we can assure you that it is a bad site. Be aware of this site and do not download any of the files associated with it! Site: hxxp://antivirus2008proxp.com

What it looks like:

[screenshot: Antivirus 2008 Pro XP]

Removal:

Remove this threat with MalwareBytes!

19 Aug

Britney Spears MalSpam points to mov.exe

We saw a new MalSpam today. Unfortunately, it shows a very nasty picture of Britney Spears getting out of Paris Hilton’s car. It forwards us to hxxp://www.lenapiel.com/mov.exe, which does not appear to be up at the time of our post.

Warning: The BSD daemon may not appear in the malspam you receive. You have been forewarned.

[screenshot: MalSpam]

05 Aug

Malspam: Carrington Mortgage Services LLC owes you money!

Some malspam messages are being sent out to users with an infected attachment. Your anti-malware product may not detect or disinfect this malware because it is compressed in a password-protected archive; the body of the e-mail supplies the password to the user. The malspam contains the following message:

This email is for informational purposes only. Do not reply to the email address above.

A payment to Carrington Mortgage Services LLC in the amount of $8773.85 has been made from your Checking account

For further information about this transaction, please download attached invoice file (Password for ZIP archive: “invoice” )

If you did not authorize this payment to be made, please contact your financial institution or card issuer immediately for further instructions.

FKNC Privacy Statement: The information contained in this electronic mail transmission is intended by Fort Knox National Company for the use of the named individual or entity to which it is originally directed and may contain information that is privileged or otherwise confidential. It is not intended for transmission to, or receipt by anyone other than the named addressee (or a person authorized to deliver it to the named addressee). It should not be copied or forwarded to any unauthorized persons. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by calling Fort Knox National Company at 866-220-7121. Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be unlawful.

The file enclosed in the archive is IN87129_717a.exe. Below are the results from Virustotal along with the sandbox results.

Virustotal: 15/36
Additional information (JoeBox)

File size: 58368 bytes
MD5...: eead764389f7e2b1939d147b198443a3
SHA1..: 94332eb2ead4bc9464ae1108ea2ab2b3c60d824b
SHA256: 74492a5d2e571ff6eae2f3ed913f372ab9620778c4ad522895d3aa805d1688f7
SHA512: 92ef95984fdd1db26f526c17ce897e2898858ca8410f3c0a39636ebdf0b852c635a2122adb4809d23363956008fae04f1071f94d7ad1afcae2834a48615a8262
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40107d
timedatestamp.....: 0x4806e3fb (Thu Apr 17 05:45:31 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
.text  0x1000   0x1010   0x1200   2.80   2b47bcb94b4842dbad7d705a4edde293
.data  0x3000   0x22b9b  0xc800   7.60   ded2450cbafedda4dfe1d972a0e701f2
.reloc 0x26000  0x1000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.rsrc  0x27000  0x1000   0x600    4.66   0552eaf398afb9100b608d74807bcad7

( 1 imports )
> gdi32.dll: GetClipBox, GetBitmapBits, CreateDIBSection, SetTextColor, GetPixel, CreateDIBitmap, GetBrushOrgEx, CreateBitmap, CreateFontIndirectA, ExcludeClipRect

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eead764389f7e2b1939d147b198443a3

05 Aug

Malspam spreading name.avi.exe through celebrity “pornography”

Lots and lots of malspam these days. Here is a fresh round of malspam we’ve collected in the last few hours. These are attempting to get the user to download name.avi.exe (information below).
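The lures in this run of posts share a few attachment-level tells a mail gateway can check before anything is sandboxed: a bare executable extension (taxform_for_print.scr, Free-Girls-Cams-Viewer.exe), a decoy media extension in front of it (name.avi.exe), and, in the Carrington message, a ZIP whose members are flagged as encrypted while the body hands the reader the password. The Python below is an added example, not code from this blog: it parses a constructed message modelled on the Carrington lure, classifies attachment names, reads the ZIP encryption flag from the central directory without extracting anything, and searches the body for a disclosed password. The sender, recipient, filenames and the ZIP itself are constructed; the ZIP builder only sets the flag bit on an unencrypted stored member, which is all the detector needs to see.

```python
"""Gateway-side triage of the attachment patterns in these malspam lures.

Added example, not code from this blog. The message and ZIP are constructed.
"""
import io
import re
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"avi", "mpg", "mpeg", "wmv", "jpg", "jpeg", "gif", "png", "pdf", "doc", "txt"}
# Matches 'Password for ZIP archive: "invoice"' and similar phrasings (heuristic).
PASSWORD_RE = re.compile(r"password[^\n:]{0,40}[:\s]+[\"'\u201c]?([A-Za-z0-9!@#$%^&*_-]{3,})",
                         re.IGNORECASE)
ENCRYPTED_FLAG = 0x1          # bit 0 of the ZIP general-purpose flag field


def attachment_risk(filename):
    """'executable', 'double-extension-executable', 'archive' or 'other'."""
    parts = filename.lower().rsplit(".", 2)      # name.avi.exe -> ['name', 'avi', 'exe']
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        if len(parts) == 3 and parts[1] in DECOY_EXTS:
            return "double-extension-executable"
        return "executable"
    return "archive" if ext == "zip" else "other"


def zip_is_encrypted(data):
    """True if any member has the encryption bit set. Only the central
    directory is read; no member is opened or extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(bool(info.flag_bits & ENCRYPTED_FLAG) for info in zf.infolist())


def password_in_body(text):
    """Return the password the message hands the reader, or None."""
    m = PASSWORD_RE.search(text)
    return m.group(1) if m else None


def triage_message(raw):
    """Findings for a raw RFC 5322 message: disclosed password plus per-attachment risk."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    findings = {"password": password_in_body(body.get_content() if body else ""),
                "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        risk = attachment_risk(name)
        encrypted = risk == "archive" and data[:2] == b"PK" and zip_is_encrypted(data)
        findings["attachments"].append({"name": name, "risk": risk, "encrypted_zip": encrypted})
    return findings


def classify(findings):
    """Reduce the findings to the lure pattern they match, if any."""
    for a in findings["attachments"]:
        if a["encrypted_zip"] and findings["password"]:
            return "password-protected-archive-with-password-in-body"
        if a["risk"] in ("executable", "double-extension-executable"):
            return a["risk"]
    return "no-known-pattern"


def build_sample_zip(member_name, payload, mark_encrypted=True):
    """Constructed test input: a stored ZIP, optionally with the encryption bit
    set in both the local and central headers (the payload stays in the clear,
    and is assumed not to contain the central-directory signature itself)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        cd = data.find(b"PK\x01\x02")            # first central directory header
        for off in (6, cd + 8):                  # flag field: local hdr +6, central hdr +8
            flags = struct.unpack("<H", data[off:off + 2])[0] | ENCRYPTED_FLAG
            data[off:off + 2] = struct.pack("<H", flags)
    return bytes(data)


def sample_message():
    """Constructed message modelled on the Carrington lure; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Payment notification"
    msg.set_content("A payment in the amount of $8773.85 has been made from your Checking account.\n"
                    'Please download attached invoice file (Password for ZIP archive: "invoice" )\n')
    msg.add_attachment(build_sample_zip("IN87129_717a.exe", b"MZ placeholder, not a real PE"),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    f = triage_message(sample_message())
    print(f, "->", classify(f))
```

The point of checking the flag bit rather than trying the disclosed password is that the gateway never has to decompress attacker-controlled data: a message that both ships an encrypted archive and prints the password in its body is the pattern, and that can be quarantined on its own.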

Here are some of the intriguing subjects and bodies of this campaign.

Subject
Your order
Your order is executed

Body
Nude Celebrities (Jennifer Lopez)- huge archive of Naked Celebs. Free pics & videos.
Angelina Jolie N@ked – Extremly Video!
All your favorite celebrities caught naked !
BRITNEY NUDE VIDEO. 00:58
T!t$ Photo and Video Angel!na Jolie
JENNIFER LOPEZ EXTREMLY NAKED!!!
Angelina Jolie Videos, Pics, Celebrity $ex Tapes.
Cameron Diaz Nude – Free Video – See Now!!
Free Nude Celebrity – all your favorite celebrities caught naked !!
Nicole Kidman N@ked – Video, Pictures

Virustotal: 12/36
Additional information (JoeBox)

File size: 138752 bytes
MD5...: 88be4cf23bf477d1d32f558e22607ed3
SHA1..: 7e9ffece41fc0e8ae1f866fb763b0983b60e70df
SHA256: c657532cc59ede8d92dc47d185407b5e7e1d72e5216396d8456aeb1f7f9aa34a
SHA512: 2139d6ad9f6950ba66e1a3d7975e992c07dc40bd30a350a94e8d21b73068f5a3fbaed6dbce03366c8e2a499e460e445cfaa4ece463f2b24d43a715652ac2bb9c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402f77
timedatestamp.....: 0x4897342d (Mon Aug 04 16:54:05 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
.code  0x1000   0x3388c  0x4a00   3.91   a52a8eadd95c07842ce55336e14b6226
DATA   0x35000  0x1b380  0x1ac00  8.00   92acecf8c3c1dd2466e423fe3eab02ea
.rsrc  0x51000  0x1000   0x400    6.85   e9f67bb8713e98caf74e01bf392003c8

( 0 imports )

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8185F2D7003567E21EC702A9BAA2DB00E60C9AE5
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=88be4cf23bf477d1d32f558e22607ed3
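Both VirusTotal section tables above (IN87129_717a.exe and name.avi.exe) carry the usual packing tells: a section with entropy near the 8.0 maximum (.data at 7.60, DATA at 8.00), a section whose virtual size is far larger than its raw size (room for an unpacked image at run time), a .reloc row with a raw size of 0x0 whose md5 d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of zero bytes, and an import table that is either absent or reduced to a single DLL. The Python below is an added example, not the blog's or VirusTotal's code: it parses those rows as printed (accepting the page's garbled 0× as well as 0x), applies the indicators, and includes the Shannon entropy computation behind the ntrpy column for samples you hold yourself. The thresholds are the example's own assumptions.

```python
"""Static packing triage on the VirusTotal section tables posted above.

Added example, not the blog's or VirusTotal's code. The section rows are
copied from the page; the thresholds are this example's assumptions.
"""
import hashlib
import math
import re
from collections import Counter

SECTION_RE = re.compile(
    r"^(\S+)\s+0[x\u00d7]([0-9a-f]+)\s+0[x\u00d7]([0-9a-f]+)\s+0[x\u00d7]([0-9a-f]+)"
    r"\s+([0-9.]+)\s+([0-9a-f]{32})$", re.IGNORECASE)
EMPTY_MD5 = hashlib.md5(b"").hexdigest()    # d41d8cd98f00b204e9800998ecf8427e
HIGH_ENTROPY = 7.0                          # bits per byte; 8.0 is the maximum
PAGE = 0x1000                               # ignore growth that is only alignment padding

# Rows as printed in the two reports above (second one keeps the page's "0×").
IN87129_SECTIONS = """
.text 0x1000 0x1010 0x1200 2.80 2b47bcb94b4842dbad7d705a4edde293
.data 0x3000 0x22b9b 0xc800 7.60 ded2450cbafedda4dfe1d972a0e701f2
.reloc 0x26000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x27000 0x1000 0x600 4.66 0552eaf398afb9100b608d74807bcad7
"""
NAME_AVI_SECTIONS = """
.code 0\u00d71000 0\u00d73388c 0\u00d74a00 3.91 a52a8eadd95c07842ce55336e14b6226
DATA 0\u00d735000 0\u00d71b380 0\u00d71ac00 8.00 92acecf8c3c1dd2466e423fe3eab02ea
.rsrc 0\u00d751000 0\u00d71000 0\u00d7400 6.85 e9f67bb8713e98caf74e01bf392003c8
"""


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input,
    8.0 for bytes that are uniformly distributed. This is the ntrpy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_section_table(text):
    """Parse VirusTotal's 'name viradd virsiz rawdsiz ntrpy md5' rows into dicts."""
    rows = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, vaddr, vsize, rsize, ent, md5 = m.groups()
            rows.append({"name": name, "vaddr": int(vaddr, 16), "vsize": int(vsize, 16),
                         "rsize": int(rsize, 16), "entropy": float(ent), "md5": md5.lower()})
    return rows


def assess(sections, import_dlls):
    """Return (section, indicator) pairs for the packing tells in these reports."""
    out = []
    for s in sections:
        if s["entropy"] >= HIGH_ENTROPY:
            out.append((s["name"], "high-entropy"))        # compressed or encrypted payload
        if s["rsize"] == 0 or s["md5"] == EMPTY_MD5:
            out.append((s["name"], "empty-on-disk"))       # exists only once mapped
        elif s["vsize"] > 2 * s["rsize"] and s["vsize"] - s["rsize"] > PAGE:
            out.append((s["name"], "grows-in-memory"))     # room for an unpacked image
    if import_dlls == 0:
        out.append(("*", "no-imports"))                    # APIs resolved at run time by a stub
    elif import_dlls == 1:
        out.append(("*", "single-import-dll"))
    return out


if __name__ == "__main__":
    for label, table, dlls in (("IN87129_717a.exe", IN87129_SECTIONS, 1),
                               ("name.avi.exe", NAME_AVI_SECTIONS, 0)):
        print(label)
        for section, indicator in assess(parse_section_table(table), dlls):
            print(f"  {section:8} {indicator}")
```

On these two samples the indicators line up with what the blog saw: both hide their real code behind a high-entropy section and a section that balloons once mapped, and name.avi.exe imports nothing at all, which is why static signatures did so poorly against them at the time.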






 
