Exported by: Outlook Export v0.1.5
From: josh brown
E-mail:joshbrown@gmail.com [ 209.85.171.83 - cg-in-f83.google.com ]
Date: 02/02/2009 07:59:23
Subject: funny one
**************************************************************************
Links
**************************************************************************
Link: hxxp://caressedebeaute.org/pic545.zip
Domain: caressedebeaute.org
IP: 38.113.185.27 [ w-27.netfirms.com ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false
**************************************************************************
Text Version
**************************************************************************
pic545.zip <http://caressedebeaute.org/pic545.zip>
**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<BR>
<P><FONT SIZE=2>pic545.zip <<A HREF="http://caressedebeaute.org/pic545.zip">http://caressedebeaute.org/pic545.zip</A>><BR>
<BR>
</FONT>
</P>
</BODY>
</HTML>
**************************************************************************
Headers
**************************************************************************
Return-Path: joshbrown@gmail.com
Delivered-To: [REMOVED]
X-FDA: 61867751400
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,d41a7607dfd749a7,e7e6e4fffc7a31a5,joshbrown@gmail.com,[REMOVED],RULES_HIT:152:355:
375:379:541:946:962:967:972:973:983:988:989:1183:1189:1208:1224:1260:1261:1312:1313:1314:1345:1431:1516:
1517:1519:1526:1534:1537:1569:1588:1589:1593:1594:1595:1596:1676:1711:1714:1715:1716:1730:1747:1766:1792:
2393:2525:2560:2563:2682:2685:2857:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3280:3869:3876:3877:
3889:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:5007:6114:7679:7974:8501:8599:9025:9388:9413,0,RBL:
209.171.53.172-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:
0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (sm3.intellimaxx.net [209.171.53.172])
by imf02.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Mon, 2 Feb 2009 09:20:19 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.172])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.0(4.1.0-41174)); Mon, 02 Feb 2009 02:59:24 -0500
X-VirtualServerGroup: Default
X-MailingID: 1191441202::89328493::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
X-SMFBL: [REMOVED]
Content-Disposition: inline
Content-Type: text/html;
charset="UTF-8"
MIME-Version: 1.0
Message-ID: <1191441202.43912@gmail.com>
Subject: funny one
Date: Mon, 02 Feb 2009 02:59:23 -0500
To: [REMOVED]
From: "josh brown" <joshbrown@gmail.com>
The file the e-mail points to (pic545.zip, MD5: DF06802FD10BABFE742B1783B29FB05F) is detected as HIDDENEXT/Worm.Gen. When extracted, the contents masquerade as a .pnt file; not surprisingly, the name carries a long run of spaces after the .pnt extension and actually ends in .scr, which is the real, executable extension.
A quick peek at the extracted file shows it is a VB6 executable (MD5: 64FA0169B4C52DA16EDDA9B762389006).
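The padded-extension trick described above (a decoy extension, a long run of spaces, then the real executable extension) is easy to catch before anything is extracted, because the file name inside the archive already tells the story. The following is an added example, not code from the original post: it builds a constructed sample zip in memory whose member name mimics the pattern (the member contents are harmless placeholder text, not the malware), then scans every entry and flags names that hide an executable extension behind whitespace. The extension list and the regular expression are assumptions for illustration, not taken from the post.

```python
"""Flag archive members whose name hides an executable extension behind
whitespace padding, e.g. "pic545.pnt<many spaces>.scr".

Added example, not code from the original post. The sample archive built
below is constructed in memory to mimic the pattern the post describes.
"""
import io
import re
import zipfile

# Extensions Windows will run on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "lnk"}

# Decoy extension, at least two whitespace characters (ASCII or Unicode,
# since \s matches both on str patterns), then the real extension.
PADDED_NAME = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s{2,})\.(?P<real>[A-Za-z0-9]{1,4})$"
)


def classify_name(name):
    """Return details if `name` looks like a whitespace-padded double extension, else None."""
    # Zip names use '/', but be tolerant of backslashes written by odd archivers.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = PADDED_NAME.match(base)
    if not m:
        return None
    real = m.group("real").lower()
    return {
        "name": name,
        "decoy_ext": m.group("decoy").lower(),
        "real_ext": real,
        "padding": len(m.group("pad")),
        "executable": real in EXECUTABLE_EXTS,
    }


def suspicious_entries(zip_bytes):
    """Scan every member of a zip (given as bytes) without extracting anything,
    returning the padded-extension hits whose real extension is executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict and verdict["executable"]:
                hits.append(verdict)
    return hits


def build_sample_zip():
    """Constructed sample: one decoy-named member plus a benign one.
    This is NOT the real pic545.zip; the member bodies are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pic545.pnt" + " " * 120 + ".scr", b"placeholder, not a real PE")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in suspicious_entries(build_sample_zip()):
        print(
            f"{hit['name']!r}: shows as .{hit['decoy_ext']}, really .{hit['real_ext']} "
            f"({hit['padding']} padding characters)"
        )
```

The scan reads only the central directory, so it never writes the member to disk; that is the point of checking names before extraction, since a mail gateway or sandbox can reject the archive on the name alone. Unicode whitespace is deliberately matched as well as ASCII spaces, because the same trick works with non-breaking spaces, which many listings render identically.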
File properties:
- Version: 1.0.0.0
- Copyright: silw3r
- Comments: Pub STB
- Company: eXpert
- Internal Name: stiki
- Original Name: stiki.exe
- Product Name: STB
More interestingly, it contains the following snippet of code:
Notice the chromehtml src? It seems they want to play with Google Chrome exploits too, how nice. 80.32.16.25 resolves to 25.Red-80-32-16.staticIP.rima-tde.net.
References:
Virus Total results for pic545.pnt{MANY_SPACES}.scr
http://www.virustotal.com/analisis/569ec28a9daaf7c49df117d97be3630c
Virus Total results for pic545.zip
http://www.virustotal.com/analisis/b10775c8bdd6fc64ad3d5529e75f5610