Honeypot reported a suspicious email:
Return-Path: <apache@94.229.165.236.srvlist.ukfast.net>
Received: from 94.229.165.236.srvlist.ukfast.net (94.229.165.236.srvlist.ukfast.net [94.229.165.236])
Received: from 94.229.165.236.srvlist.ukfast.net (unknown [127.0.0.1]) by 94.229.165.236.srvlist.ukfast.net
Received: by 94.229.165.236.srvlist.ukfast.net (Postfix, from userid 48)
Subject: Nova cotacao...
Date: Tue, 26 Apr 2011 07:14:29 +0100 (BST)
This is the malicious URL contained in the message:
gwayprototype. com/support/img/thumb2.php?#documento_relatorio
HTTP/1.1 302 Object Moved
Location: http://www.abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Server: Microsoft-IIS/4.0
Content-Type: text/html
Connection: close
Content-Length: 174
The 302 response redirects the browser to download the infected file:
abeonas. net/abnor/,,/001/PLANILHA-DOCUMENTO.scr
Report: 2011-04-25 23:05:38 (GMT 1)
File Name: planilha-documento-scr
File Size: 157184 bytes
File Type: Executable File (EXE)
MD5 Hash: 3e66cfb35fee0edeb86da90b0ef780d2
SHA1 Hash: 18fdccc4927ad848e74ac742270a1673bf74c7bc
Detections: 5 / 10 (50 %)
Status: INFECTED

Engine | Date | Version | Detection
AVG | 25/04/2011 | 10.0.0.1190 | Downloader.Rozena
Comodo | 25/04/2011 | 4.0 | TrojWare.Win32.Troja..
Emsisoft | 25/04/2011 | 5.1.0.2 | Trojan-PWS.Win32.QQR..
F-Prot | 25/04/2011 | 6.3.3.4884 | W32/SuspPack.R.gen!E..
Ikarus | 25/04/2011 | T31001097 | Trojan-PWS.Win32.QQR..
Image of file:
URLVoid domain analysis:
http://www.urlvoid.com/scan/abeonas.net
http://www.urlvoid.com/scan/gwayprototype.com