Malware Database » E-mail

More mailing list unsubscription phishing websites

mwdisector — Fri, 28 Nov 2008 06:04:18 +0000

STAY AWAY from these because in reality they are being used to collect email addresses likely for future SPAM campaigns. I also suspect these domains are part of a current fake XP activation SPAM campaign.

DOMAINS:
campingchip.com
daily–movie-code.info
daily–movie-code.net
daily–movie-code.org
daily-movie–code.info
daily-movie–code.net
daily-movie-code.info
get–activation-code1.com
movie–code–online.info
movie–online-promo.info
movie-code-online.com
movie-code-online.info
movie-code-online.net
movie-code-online.org
movie-online-promo.info
movie-online-promo.org
net–activation–code1.com
net–activation–code1.net
net–activation-code1.info
net–activation-code1.net
net–activation-code1.org
net–code–activation.com
net–code–activation.info
net–code–activation.net
net–code-activation.com
net–code-activation.info
net–code-activation.net
net–code-activation.org
net–movie–promo.net
net–online–product.info
net–online–product.org
net–online-product.info
net–online-product.org
net–pdf–promo.info
net–pdf–promo.net
net–pdf-promo.com
net–pdf-promo.info
net–pdf-promo.net
net–pdf-promo.org
net-activation–code1.info
net-activation–code1.net
net-activation-code.com
net-activation-code1.info
net-activation-code1.net
net-activation-code1.org
net-online–product.info
net-online–promos.info
net-online-product.info
net-online-product.org
net-pdf–promo.info
net-pdf–promo.net
net-pdf-promo.com
net-pdf-promo.info
net-pdf-promo.net
net-pdf-promo.org
new–movie–code.net
new–product–offer.com
new–product–offers.com
new-movie–code.info
new-movie–code.net
new-movie–code.org
online–activation–code.net
online–activation-code.org
online–movie–promo.info
online–movie-promo.info
online–product-promos.info
online–promo–products.info
online–promo–products.org
online–promo-products.info
online–promo-products.org
online-activation–code.org
online-activation-code.com
online-activation-code.org
online-movie–promo.info
online-movie-promo.info
online-product–promo.net
online-product-promo.com
online-promo–products.info
online-promo-products.info
online-tv–promo.info
pdf–online–promo.org
pdf–online-promo.info
pdf–online-promo.org
pdf–promo-info1.net
pdf-online–promo.info
pdf-online–promo.org
pdf-online-promo.info
pdf-promo–code.org
pdf-promo–info1.net
pdf-promo-info.net
pdf-promo-info1.net
superiway.com
tv-new-promo.info

IPs INVOLVED:
27645 | 66.79.162.82 | ASN-NA-MSG-01 – Managed Solutions Group, Inc.
33314 | 66.79.162.82 | ASN-AKANOC-SJC-01 – AKANOC Solutions Inc.
16131 | 91.199.50.101 | GRAFIX-IS GrafiX Internet B.V.

–mwdisector

Virus Response Lab 2009

stingner — Wed, 08 Oct 2008 13:13:02 +0000

Virus Response Lab 2009 malware sites. File is available in our repository under /stingner-malware/.

BE ADVISED: These sites may still be live. Proceed at your own risk.

Site:

hxxp://virus-labs2009.com/

hxxp://virus-response.com/

hxxp://virusresplab.com/

hxxp://virusresponse2009.com/

File virlab_install.exe
Result: 12/36 (33.34%)

Virustotal

Removal:

Remove this threat with MalwareBytes!

Malware link:

hxxp://virus-labs2009.com/download.php

hxxp://virusresponse2009.com/download.php

hxxp://virus-response.com/download.php

hxxp://virusresplab.com/download.php

Malspam: Notices from IRS (taxform_for_print.scr)

djpnuemo — Mon, 08 Sep 2008 00:12:13 +0000

Here is a piece of malspam we received that poses to be from the IRS telling you that you are due for a refund. The one we got was from taxinform32@taxreducers.com. Simply follow the steps below and the money is yours! (Proceed at your own risk. File available in /pnuemo-malware/.)

Get Your Refund $1927.10 in Just 3 Easy Steps:
1. Print and fill a short tax interview (click to download)
2. Send it online
3. Receive your tax refund

The link included takes you to the following address and file: hxxp://freepromo.cn/documents/taxform_for_print.scr

taxform_for_print.scr
Result: 7/36 (19.45%)
MD5: a705a1df1fc36f696f0eb0fea72870d3
VirusTotal
ThreatExpert Analysis

YouTube Message Malspam

djpnuemo — Thu, 28 Aug 2008 00:17:08 +0000

I received this in my inbox today from YouTube that someone had sent me a message. The URL in the message takes the user through two redirects and then prompts the user to download a file. This files is malware and currently has a low detection rate. Here is the information I’ve gathered. All of the URL’s below are still live so proceed at your own risk.

hxxp://zz.gd/1d7d6a
-> hxxp://sghghdfgh.actionpooses.com/dfhgfhgfh
–> hxxp://actionpooses.com/livenow/live-now.htm
—> hxxp://212.179.35.9/Free-Girls-Cams-Viewer.exe

Free-Girls-Cams-Viewer.exe
Result: 6/36 (16.67%)
MD5: 716adbf47c6fffbd77604be9e9dd7043
VirusTotal
ThreatExpert Analysis

Antivirus 2008 Pro XP

ion — Mon, 25 Aug 2008 08:58:35 +0000

We came across a new domain name registered at estdomains today. This site may appear seamlessly legitimate, as it sports a support page, affiliate page, terms of service, etc. But we can assure you that it is a bad site. Be aware of this site and do not download any of the files associated with it! Site: hxxp://antivirus2008proxp.com

What it looks like:

Removal:

Remove this threat with MalwareBytes!

Britney Spears MalSpam points to mov.exe

lithium — Wed, 20 Aug 2008 00:52:44 +0000

We saw a new MalSpam today. Unfortunately, it shows a very nasty picture of Britney Spears getting out of Paris Hilton’s car. It fowards us to hxxp://www.lenapiel.com/mov.exe, which does not appear to be up at the time of our post.

Warning: The BSD daemon may not appear in the malspam you receive. You have been forewarned.

Malspam: Carrington Mortgage Services LLC owes you money!

djpnuemo — Wed, 06 Aug 2008 01:04:36 +0000

There are some malspam messages that are being sent out to users with an infected attachment. This malware may not be disinfected by your anti-malware product because it is compressed in a protected archive although the contents of the email will provide the user with the password. The malspam contains the following message:

This email is for informational purposes only. Do not reply to the email address above.

A payment to Carrington Mortgage Services LLC in the amount of $8773.85 has been made from your Checking account

For further information about this transaction, please download attached invoice file (Password for ZIP archive: “invoice” )

If you did not authorize this payment to be made, please contact your financial institution or card issuer immediately for further instructions.

FKNC Privacy Statement: The information contained in this electronic mail transmission is intended by Fort Knox National Company for the use of the named individual or entity to which it is originally directed and may contain information that is privileged or otherwise confidential. It is not intended for transmission to, or receipt by anyone other than the named addressee (or a person authorized to deliver it to the named addressee). It should not be copied or forwarded to any unauthorized persons. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by calling Fort Knox National Company at 866-220-7121. Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be unlawful.

The file enclosed in the archive is IN87129_717a.exe. Below are the results from Virustotal along with the sandbox results.

Virustotal: 15/36
Additional information (JoeBox)

File size: 58368 bytes
MD5…: eead764389f7e2b1939d147b198443a3
SHA1..: 94332eb2ead4bc9464ae1108ea2ab2b3c60d824b
SHA256: 74492a5d2e571ff6eae2f3ed913f372ab9620778c4ad522895d3aa805d1688f7
SHA512: 92ef95984fdd1db26f526c17ce897e2898858ca8410f3c0a39636ebdf0b852c6
35a2122adb4809d23363956008fae04f1071f94d7ad1afcae2834a48615a8262
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0×40107d
timedatestamp…..: 0×4806e3fb (Thu Apr 17 05:45:31 2008)
machinetype…….: 0×14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0×1000 0×1010 0×1200 2.80 2b47bcb94b4842dbad7d705a4edde293
.data 0×3000 0×22b9b 0xc800 7.60 ded2450cbafedda4dfe1d972a0e701f2
.reloc 0×26000 0×1000 0×0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0×27000 0×1000 0×600 4.66 0552eaf398afb9100b608d74807bcad7

( 1 imports )
> gdi32.dll: GetClipBox, GetBitmapBits, CreateDIBSection, SetTextColor, GetPixel, CreateDIBitmap, GetBrushOrgEx, CreateBitmap, CreateFontIndirectA, ExcludeClipRect

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=eead764389f7e2b1939d147b198443a3

Malspam spreading name.avi.exe through celebrity “pornography”

djpnuemo — Wed, 06 Aug 2008 01:04:22 +0000

Lots and lots of malspam these days. Here is a fresh round of malspam we’ve collected in the last few hours. These are attempting to get the user to download name.avi.exe (information below).

Here are some of the intriguing subjects and bodies of this campaign.

Subject
Your order
Your order is executed

Body
Nude Celebrities (Jennifer Lopez)- huge archive of Naked Celebs. Free pics & videos.
Angelina Jolie N@ked – Extremly Video!
All your favorite celebrities caught naked !
BRITNEY NUDE VIDEO. 00:58
T!t$ Photo and Video Angel!na Jolie
JENNIFER LOPEZ EXTREMLY NAKED!!!
Angelina Jolie Videos, Pics, Celebrity $ex Tapes.
Cameron Diaz Nude – Free Video – See Now!!
Free Nude Celebrity – all your favorite celebrities caught naked !!
Nicole Kidman N@ked – Video, Pictures

Virustotal: 12/36
Additional information (JoeBox)

File size: 138752 bytes
MD5…: 88be4cf23bf477d1d32f558e22607ed3
SHA1..: 7e9ffece41fc0e8ae1f866fb763b0983b60e70df
SHA256: c657532cc59ede8d92dc47d185407b5e7e1d72e5216396d8456aeb1f7f9aa34a
SHA512: 2139d6ad9f6950ba66e1a3d7975e992c07dc40bd30a350a94e8d21b73068f5a3
fbaed6dbce03366c8e2a499e460e445cfaa4ece463f2b24d43a715652ac2bb9c
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0×402f77
timedatestamp…..: 0×4897342d (Mon Aug 04 16:54:05 2008)
machinetype…….: 0×14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.code 0×1000 0×3388c 0×4a00 3.91 a52a8eadd95c07842ce55336e14b6226
DATA 0×35000 0×1b380 0×1ac00 8.00 92acecf8c3c1dd2466e423fe3eab02ea
.rsrc 0×51000 0×1000 0×400 6.85 e9f67bb8713e98caf74e01bf392003c8

( 0 imports )

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8185F2D7003567E21EC702A9BAA2DB00E60C9AE5
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=88be4cf23bf477d1d32f558e22607ed3

New site distributing Antivirus2009 Rogue

lithium — Thu, 31 Jul 2008 10:25:17 +0000

We found a new site distributing the Antivirus 2009 rogue software today.

**Proceed at your own risk**

Site: hxxp://antivirus-2009pro.com

File: hxxp://antivirus-2009pro.com/2009/download/77001106/AV2009Install.exe

Results for antivirus-2009pro.com:

Domain Name: ANTIVIRUS-2009PRO.COM

Creation Date: 30-Jul-2008
Expiration Date: 30-Jul-2009

Domain servers in listed order:
ns4.mynick.name
ns3.mynick.name
ns2.mynick.name
ns1.mynick.name

Registrant:
PrivacyProtect.org
Domain Admin        (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Malspam Campaign Still Going Strong

djpnuemo — Tue, 29 Jul 2008 17:36:22 +0000

The spamming campaign that has hit us full force is pushing the file get_flash_update.exe. Most AV’s at this point have detected this file so hopefully it shouldn’t cause much havoc. I wanted to post the emails we’ve received and the domains that are hosting this malware.

VirusTotal shows 31/35 detection and you can click the link for more details. Of course this file is available in our repository in pnuemo-malware/Classified/Trj-Exchanger.S.zip.

Warning: These sites are still live as of 7/29 10:22a PST. Proceed at your own risk!

hxxp://ankaraspor.com.tr/default.html
hxxp://cit-inc.net/default.html
hxxp://grupoestudio.com/default.html
hxxp://www.dianagraf.es/default.html
hxxp://venhuis.de/default.html
hxxp://grupoestudio.com/default.html
hxxp://ebberov.homepage.dk/default.html
hxxp://madosma.com/default.html
hxxp://warinsa.com/default.html
hxxp://www.czareksu.pl/default.html
hxxp://heimerpara.de/default.html

Read more for the email subjects and bodies we’ve received.
Subject: Steve Jobs admits recurrence of pancreatic cancer
Body: Invest and get 100% returns

Subject: So you think you can dance
Body: Boy eats cats daily

Subject: Explosion rock Israel, Gulf war imminent
Body: Bear attack kills 3 in Atlanta zoo

Subject: Top tips for an accessible home
Body: Bear attack kills 3 in Atlanta zoo

Subject: Arnold Schwarzenegger quits as Governer
Body: Girl bites brother’s finger off

Subject: You are living in the worst city
Body: citibank files for bankruptcy protection

Subject: Girl kicks brother to death
Body: Win a free trip to Vegas

Subject: Sex change operation went wrong
Body: Obama denies wrongdoing in Presidential debate

Subject: Swedish princess slaps town florist
Body: Suicide blasts in Iraq kill hundreds

Subject: Win a free trip to Vegas
Body: Italy charges Google for espionage

Subject: Kidnapper at large in NY, dangerous
Body: Afghan rebels kill 102 US soldiers

Subject: Afghan rebels kill 102 US soldiers
Body: Man kills wife in accidental gas explosion

Subject: Shark attack off Australia, 2 dead
Body: Swedish princess slaps town florist

Subject: Fire threatens Hollywood
Body: Bullies face huge health risk

Subject: Girl gang rapes fellow male classmate
Body: Unknown person stabs Christian Bale

Subject: Google charged by European Union for espionage
Body: Incredible college parties

Subject: Killer dogs tear intruder apart
Body: Shia LaBeouf refused bail after arrest

Subject: Girl bites brother’s finger off
Body: Incredible college parties