Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 9 August 2009

Fake Microsoft e-mails: From RapidShare to orlandoula

It would seem, after rapidshare.com took down the malware that the king.cd links in those lovely fake e-mails, the bad guys decided enough was enough, and have now reverted back to using non-file hosting sites to distribute the malware.

Don't fret though, they're still using king.cd, so feel free to blackhole it.

The latest one I've received, which was received a couple mins ago, has the obligatory king.cd URL (king.cd/KuLk), which then leads you to;

hxxp://www.orlandoula.com/MicrosoftFramework.exe

VirusTotal results: http://www.virustotal.com/analisis/4d9412e7ab486f6fa3e64164e65dfa51ebeac1eb083d67c1587db2528befcb3e-1249879734

orlandoula.com currently lives at 67.219.36.164 (AS14242, LogicalSolutions.net). The domain was registered in 2007, so it's likely the site was hacked (though it does beg the question of why it's still got a "website coming shortly" message on it's homepage).

References:

Alert: Malicious Microsoft e-mail using king.cd and RapidShare
http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html

No comments: