Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 4 August 2009

YAB (Yet Another Botnet) Microsoft exploit e-mails

We've got more of these fake Microsoft e-mails doing the rounds folks, and as with the Alliance and Leicester scams, these are all hosted on residential machines by the looks of it.

Unlike the Alliance and Leicester ones however, these have a nasty surprise waiting for you.

Should you realize your mistake before infecting yourself with the download they're offering, they've been kind enough to try and ensure you get *something*, which in this case comes from, and thankfully, at the time of writing this, the exploit part isn't working.

The URL that should be giving you the exploit is currently serving a MySQL error message:

Can't connect to MySQL server on '' (4) is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at

inetnum: -
netname: EASTNET-UA-NET-2
descr: Rise-v Ltd
country: UA
org: ORG-RL28-RIPE
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-NETART
mnt-routes: MNT-NETART
mnt-domains: MNT-NETART
source: RIPE # Filtered

organisation: ORG-RL28-RIPE
org-name: Rise-v, Ltd.
org-type: OTHER
descr: Rise-v, Ltd.
address: Traktorostroiteley str. 158, apt. 43
address: 61129, Kharkov, Ukraine
phone: +38 057 7616277
phone: +38 067 5791028
admin-c: LV1630-RIPE
tech-c: LV1630-RIPE
mnt-ref: EASTNET-MNT
source: RIPE # Filtered

person: Valera Lelin
address: 61129, Ukraine, Kharkov, Traktorostroiteley 158 str, apt. 43
phone: +380577507505
phone: +380639797654
remarks: ICQ: 4333444
remarks: agaaga
nic-hdl: LV1630-RIPE
source: RIPE # Filtered

:: Information related to ''

descr: DENTAGLOBAL route
origin: AS49536
mnt-by: DENTA-MNT
source: RIPE # Filtered
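The RIPE records above are plain `key: value` objects separated by blank lines, which makes them easy to pull apart when triaging a hosting IP. As an added example (not part of the original post), the Python below parses records in that layout and collects the netname, organisation, country, origin AS and maintainer objects; the sample input is constructed from the fields shown above, with the elided IP range replaced by a placeholder.

```python
"""Parse RIPE-style whois output into objects and summarise it for triage.

Added example, not from the hpHosts post. The sample record is constructed
from the field layout quoted on the page; the IP range that the page elides
is replaced with a placeholder.
"""
from collections import defaultdict

# Constructed sample: a trimmed copy of the record layout shown in the post.
SAMPLE_WHOIS = """\
inetnum:        <elided> - <elided>
netname:        EASTNET-UA-NET-2
descr:          Rise-v Ltd
country:        UA
org:            ORG-RL28-RIPE
admin-c:        LV1630-RIPE
tech-c:         LV1630-RIPE
mnt-by:         MNT-NETART
source:         RIPE # Filtered

organisation:   ORG-RL28-RIPE
org-name:       Rise-v, Ltd.
org-type:       OTHER
address:        Traktorostroiteley str. 158, apt. 43
address:        61129, Kharkov, Ukraine
source:         RIPE # Filtered

descr:          DENTAGLOBAL route
origin:         AS49536
mnt-by:         DENTA-MNT
source:         RIPE # Filtered
"""


def parse_whois(text):
    """Split whois text into blank-line separated objects of key -> [values].

    Keys may repeat (several address: lines, for instance), so every value
    is kept in a list. A trailing '# comment' such as 'RIPE # Filtered' is
    stripped from the value; server banner lines starting with '%' or '#'
    are skipped.
    """
    objects = []
    current = defaultdict(list)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            # Blank line closes the current object.
            if current:
                objects.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # ignore malformed lines rather than abort
        value = value.split("#", 1)[0].strip()
        current[key.strip().lower()].append(value)
    if current:
        objects.append(dict(current))
    return objects


def summarize(objects):
    """Pull out the fields an analyst wants first when looking at a hosting IP."""
    summary = {"netname": None, "org_name": None, "country": None,
               "origin_as": None, "maintainers": set()}
    for obj in objects:
        if "inetnum" in obj:
            summary["netname"] = obj.get("netname", [None])[0]
            summary["country"] = obj.get("country", [None])[0]
        if "organisation" in obj:
            summary["org_name"] = obj.get("org-name", [None])[0]
        if "origin" in obj:
            summary["origin_as"] = obj["origin"][0]
        summary["maintainers"].update(obj.get("mnt-by", []))
    return summary


if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field}: {value}")
```

Feeding real `whois -h whois.ripe.net` output to `parse_whois` works the same way; the summary is only a starting point, since the route object's origin AS and the inetnum's maintainer are the two fields most worth correlating across several of these campaigns.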

URLs I've seen thus far:

Not all of these are still resolving.

Jaxryley over at Malwarebytes has saved me some time by providing the VT results:

With the Threat Expert results available at:

For clarity, one of the e-mails I received is shown below.

/edit 05-08-09 04:41
