Blog for hpHosts, and whatever else I feel like writing about ....

Saturday 24 January 2009

Update: r00t-y0u email switches to attachment

Whether or not this is the same miscreant as last time remains to be seen (though the file has the same properties), but whoever it is, they've switched to a more direct route of infection (see left).

I am curious: with the number of forum databases they've stolen from each other, why are they picking on r00t-y0u?

Exported by: Outlook Export v0.1.4

From: admin
E-mail:admin@swisskit.com [ 64.202.189.170 - pwfwd-v01.prod.mesa1.secureserver.net ]
Date: 24/01/2009 18:26:16
Subject: last versio update
**************************************************************************
Links
**************************************************************************

Link: hxxp://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ sm1.intellimaxx.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: hxxp://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&
Domain: sm1.intellimaxx.net
IP: 209.171.53.170 [ sm1.intellimaxx.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&& <IMG SRC="http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&" WIDTH="1" HEIGHT="1" BORDER="0" />

last vresion update.

password: qpwoeiruty



admin@swisskit.com.

**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2><A HREF="http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?type=click&mailingid=12131232&messageid=0000&databaseid=1234&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&</A>  <IMG SRC="<A HREF="http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&">http://sm1.intellimaxx.net:80/track?mailingid=12131232&messageid=0000&databaseid=1234&type=open&serial=1222716135&emailid=[REMOVED]&userid=43912&extra=&&&</A>" WIDTH="1" HEIGHT="1" BORDER="0" /><BR>
<BR>
last vresion update.<BR>
<BR>
password: qpwoeiruty<BR>
<BR>
<BR>
<BR>
admin@swisskit.com.</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: admin@swisskit.com
Delivered-To: [REMOVED]
X-FDA: 61836659262
X-SpamScore: 5
X-Spam-Summary: 10,1,0,493736707aa6fca6,21232f297a57a5a7,admin@swisskit.com,[REMOVED],
RULES_HIT:152:355:379:495:509:541:800:871:967:973:978:980:988:989:996:1000:1183:1260:1261:
1308:1309:1311:1313:1314:1345:1432:1515:1516:1518:1519:1529:1538:1569:1575:1594:1595:1676:
1696:1711:1714:1730:1747:1764:1766:1792:2198:2199:2393:2525:2561:2564:2682:2685:2857:2859:
2895:2933:2937:2939:2942:2945:2947:2951:2954:3022:3038:3151:3872:3876:3877:3934:3936:3938:
3941:3944:3947:3950:3953:3956:3959:4321:4648:5007:6114:6506:7281:7679:8501:9025:9391,0,RBL
:209.171.53.170-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:
none,DomainCache:0,MSF:not bulk,SPF:,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (sm1.intellimaxx.net [209.171.53.170])
by imf27.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Sat, 24 Jan 2009 19:42:04 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.170])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.1.1(4.1.1-44827)); Sat, 24 Jan 2009 13:26:17 -0500
X-VirtualServer: Default, sm1.intellimaxx.net, 0.0.0.0
X-VirtualServerGroup: Default
X-MailingID: 1222716135::12131232::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.1.1(4.1.1-44827)
X-Destination-ID: [REMOVED]
X-SMFBL: cjAwdC15MHVfb3JnQGl0LW1hdGUuY28udWs=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_B0F2_327B23C6.643C9869"
MIME-Version: 1.0
Message-ID: <1222716135.43912@swisskit.com>
Subject: last versio update
Date: Sat, 24 Jan 2009 13:26:16 -0500
To: [REMOVED]
From: "admin" <admin@swisskit.com>




setup.exe
http://www.virustotal.com/analisis/30db38531435dfef018ce2b13afb6f9a

setup.rar
http://www.virustotal.com/reanalisis.html?b4e8ed0d8f237f57bc7bb5b8a657d281

... and yep, detection is still rubbish.

/edit

Forgot to add the file's new MD5: AFF965C7FEBD4CF6B110F0C824D471A9
