Blog for hpHosts, and whatever else I feel like writing about ....

Monday, 2 February 2009 - Someone's still holding a grudge

... either that or they really, really dislike your members. Fret not, however: the idiot(s) doing this are obviously amateurs (or are of the impression that your members will open anything sent to them), as we've thus far seen the e-mail pointing to a link, and then coming with an attachment. This time they've opted for a mixture of the two - a link (, hosted by Netfirms) pointing directly to the malicious file.

Exported by: Outlook Export v0.1.5

From: josh brown [ - ]
Date: 02/02/2009 07:59:23
Subject: funny one

Link: hxxp://
IP: [ ]
hpHosts Status: Listed
MDL Status: Not Listed
PhishTank Status: false

Text Version
************************************************************************** <>

HTML Version
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<!-- Converted from text/plain format -->

<P><FONT SIZE=2> <<A HREF=""></A>><BR>


Delivered-To: [REMOVED]
X-FDA: 61867751400
X-Panda: scanned!
X-SpamScore: 5
X-Spam-Summary: 73,5,0,d41a7607dfd749a7,e7e6e4fffc7a31a5,,[REMOVED],RULES_HIT:152:355:
0,MSF:not bulk,SPF:fu,MSBL:none,DNSBL:none
Received: from ( [])
by (Postfix) with ESMTP
for <[REMOVED]>; Mon, 2 Feb 2009 09:20:19 +0000 (UTC)
Received: from ([])
by (StrongMail Enterprise 4.1.0(4.1.0-41174)); Mon, 02 Feb 2009 02:59:24 -0500
X-VirtualServerGroup: Default
X-MailingID: 1191441202::89328493::1234::0000::43912::43912
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.0(4.1.0-41174)
X-Destination-ID: [REMOVED]
Content-Disposition: inline
Content-Type: text/html;
MIME-Version: 1.0
Message-ID: <>
Subject: funny one
Date: Mon, 02 Feb 2009 02:59:23 -0500
From: "josh brown" <>

The file the e-mail points to (, MD5: DF06802FD10BABFE742B1783B29FB05F) is detected as HIDDENEXT/Worm.Gen and, when extracted, we see it attempting to masquerade as a .pnt file. Alas, not surprisingly, it has a ton of spaces after the .pnt extension and finishes with a .scr extension, so the part a victim actually sees in a file listing is the harmless-looking .pnt.
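The padded double extension is easy to catch mechanically once you know to look for it. The following Python is an added example, not code from the original post: it splits a filename into the extension a user sees and the extension Windows acts on, counts the whitespace hiding the latter, and runs that check over every member of a zip held in memory, recording each member's MD5 so it can be compared against the hashes quoted above. The executable-extension list and the sample archive are this example's own constructions; the zip contents are a stand-in, not the real sample.

```python
import hashlib
import io
import zipfile

# File types Windows runs directly on double-click. The list is this example's
# assumption, not something taken from the original post.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi",
}

# MD5s quoted in the post for the download and the extracted sample.
KNOWN_BAD_MD5 = {
    "DF06802FD10BABFE742B1783B29FB05F",
    "64FA0169B4C52DA16EDDA9B762389006",
}


def analyze_filename(name):
    """Separate the extension a victim sees from the one Windows acts on.

    'pic545.pnt<many spaces>.scr' has visible_ext 'pnt' and real_ext 'scr';
    the run of spaces pushes '.scr' out of view in most file listings.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # zip members may carry a path
    stem, dot, real_ext = base.rpartition(".")
    if not dot:
        return {"name": base, "visible_ext": "", "real_ext": "",
                "padding": 0, "suspicious": False}
    real_ext = real_ext.strip().lower()
    padding = len(stem) - len(stem.rstrip())          # whitespace before the real extension
    _, vdot, visible_ext = stem.rstrip().rpartition(".")
    visible_ext = visible_ext.lower() if vdot else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    # Padding before an executable extension is the trick described in the post;
    # a plain double extension such as 'invoice.pdf.exe' is flagged as well.
    suspicious = executable and (
        padding > 0 or (visible_ext != "" and visible_ext not in EXECUTABLE_EXTENSIONS)
    )
    return {"name": base, "visible_ext": visible_ext, "real_ext": real_ext,
            "padding": padding, "suspicious": suspicious}


def scan_zip(zip_bytes):
    """Analyse every file in an in-memory zip and hash its contents."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            result = analyze_filename(info.filename)
            result["md5"] = hashlib.md5(data).hexdigest().upper()
            result["known_bad"] = result["md5"] in KNOWN_BAD_MD5
            results.append(result)
    return results


def build_sample_zip():
    """Constructed sample: one padded .pnt/.scr name plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pic545.pnt" + " " * 150 + ".scr",
                    b"MZ\x90\x00 constructed stand-in, not the real sample")
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        tag = " (known bad)" if r["known_bad"] else ""
        print(f"{verdict:10} visible=.{r['visible_ext'] or '-'} "
              f"real=.{r['real_ext'] or '-'} padding={r['padding']} "
              f"md5={r['md5']}{tag}")
```

Run against a real download the check is the same: read the archive bytes from disk, call scan_zip, and treat any member whose real extension is executable while its visible extension is not as something to detonate in a sandbox rather than open. Note that the constructed sample will not match the known-bad hashes; that field only becomes useful against the actual file.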

A quick peek at the extracted file shows it's a VB6 executable (MD5: 64FA0169B4C52DA16EDDA9B762389006).

File properties:
  1. Version:
  2. Copyright: silw3r
  3. Comments: Pub STB
  4. Company: eXpert
  5. Internal Name: stiki
  6. Original Name: stiki.exe
  7. Product Name: STB

More interestingly, it contains the following snippet of code:

Notice the chromehtml: src? Seems they want to play with Google Chrome exploits too, how nice. resolves to


Virus Total results for pic545.pnt{MANY_SPACES}.scr

Virus Total results for
