hpHosts Blog: r00t-y0u.org - Someone's still holding a grudge

Monday, 2 February 2009

r00t-y0u.org - Someone's still holding a grudge

... either that or they really really dislike your members. Fret not however, the idiot(s) doing this are obviously amateurs (or of course, are of the impression that your members will open anything sent to them) as we've thus far seen the e-mail pointing to a link, then of course, coming with an attachment. This time, they've opted for a mixture of the two - a linky (caressedebeaute.org, hosted by Netfirms) pointing directly to the malicious file.

Exported by: Outlook Export v0.1.5

From: josh brown
E-mail:joshbrown@gmail.com [ 209.85.171.83 - cg-in-f83.google.com ]
Date: 02/02/2009 07:59:23
Subject: funny one
**************************************************************************
Links
**************************************************************************

Link: hxxp://caressedebeaute.org/pic545.zip
Domain: caressedebeaute.org
IP: 38.113.185.27 [ w-27.netfirms.com ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false

**************************************************************************
Text Version
**************************************************************************

pic545.zip <http://caressedebeaute.org/pic545.zip>

**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>

 

pic545.zip <<A HREF="http://caressedebeaute.org/pic545.zip">http://caressedebeaute.org/pic545.zip</A>> 
 



</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: joshbrown@gmail.com
Delivered-To: [REMOVED]
X-FDA: 61867751400
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,d41a7607dfd749a7,e7e6e4fffc7a31a5,joshbrown@gmail.com,[REMOVED],RULES_HIT:152:355:
375:379:541:946:962:967:972:973:983:988:989:1183:1189:1208:1224:1260:1261:1312:1313:1314:1345:1431:1516:
1517:1519:1526:1534:1537:1569:1588:1589:1593:1594:1595:1596:1676:1711:1714:1715:1716:1730:1747:1766:1792:
2393:2525:2560:2563:2682:2685:2857:2859:2933:2937:2939:2942:2945:2947:2951:2954:3022:3280:3869:3876:3877:
3889:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:5007:6114:7679:7974:8501:8599:9025:9388:9413,0,RBL:
209.171.53.172-lbl7.mailshell.net-127.0.0.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:
0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from sm1.intellimaxx.net (sm3.intellimaxx.net [209.171.53.172])
by imf02.hostedemail.com (Postfix) with ESMTP
for <[REMOVED]>; Mon, 2 Feb 2009 09:20:19 +0000 (UTC)
Received: from sm1.intellimaxx.net ([10.4.0.172])
by sm1.intellimaxx.net (StrongMail Enterprise 4.1.0(4.1.0-41174)); Mon, 02 Feb 2009 02:59:24 -0500
X-VirtualServerGroup: Default
X-MailingID: 1191441202::89328493::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
X-SMFBL: [REMOVED]
Content-Disposition: inline
Content-Type: text/html;
charset="UTF-8"
MIME-Version: 1.0
Message-ID: <1191441202.43912@gmail.com>
Subject: funny one
Date: Mon, 02 Feb 2009 02:59:23 -0500
To: [REMOVED]
From: "josh brown" <joshbrown@gmail.com>

The file the e-mail points to (pic545.zip, MD5: DF06802FD10BABFE742B1783B29FB05F) is infected with the HIDDENEXT/Worm.Gen infection, and when extracted, we see it attempting to masquerade as a .pnt file. Alas not surprisingly, it's got a ton of spaces after the .pnt extension, and finishes with a .scr extention.