Phishing attack against eBay users:
Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
Reply-To: <aw-confirm@mail.aby.fr>
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
Date: Sat, 6 Aug 2011 06:34:47 -0500
To: undisclosed-recipients:;
Email message:
Dear member,
eBay member charly1 has left you a message regarding item #14020078062
View the dispute thread to respond.
The malicious URL points to:
hxxp:// newcastlelimo .net/ebay-fr/eBayISAPI.dll.htm
Image of the phishing page:
Note that the connection is NOT secure and does not use SSL (HTTPS)…
URLVoid Analysis:
http://www.urlvoid.com/scan/newcastlelimo.net
This entry was posted in Phishing and tagged ebay phishing, phishing, scam, spam on August 6, 2011 by admin.
Another email spreading a fake PayPal message with a malicious link, used for a phishing attack against PayPal users:
Return-Path: <services@security.com>
Received: from mailrtr4.deltacom.net (mailvip.deltacom.net [72.243.252.244])
Received: from User ([66.0.110.18]) by mailrtr4.deltacom.net (MOS 4.1.10-GA)
From: "PayPal"<services@security.com>
Subject: Centre de securite PayPal
Date: Sat, 6 Aug 2011 00:11:18 -0500
To: undisclosed-recipients:;
Malicious URL:
hxxp://www. mulforddance. com/login/paypal.fr/online-security/submit-loging/paypal.fr/frfr/
URLVoid Analysis:
http://www.urlvoid.com/scan/mulforddance.com
Users have reported to us another website infected by a hidden iframe:
hxxp://www.minecraftforum.net/
All web pages are affected!
Here is an image of the hidden iframe at the bottom of the HTML pages:
When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:
C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe
Report date: 2011-06-22 11:34:41 (GMT 1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 on 5 (0%)
Status: CLEAN
Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.
Some ASCII strings extracted from the PE file:
Type: ASCII
RVA: 00006CE2
Offset: 000040E2
Size: 0000000D
Value: GuardCore.dll
Type: ASCII
RVA: 00006EBC
Offset: 000042BC
Size: 00000024
Value: hxxp://www.dashangu.com/new/getw.asp
Type: ASCII
RVA: 00006EFF
Offset: 000042FF
Size: 00000006
Value: server
Type: ASCII
RVA: 00006F14
Offset: 00004314
Size: 0000000E
Value: WTF\Config.wtf
Type: ASCII
RVA: 00006F24
Offset: 00004324
Size: 0000000A
Value: realmName
Type: ASCII
RVA: 00006F35
Offset: 00004335
Size: 00000005
Value: Right
Type: ASCII
RVA: 00006F4C
Offset: 0000434C
Size: 00000024
Value: hxxp://www.dashangu.com/new/getr.asp
Type: ASCII
RVA: 00006F74
Offset: 00004374
Size: 00000011
Value: JAGEXLAUNCHER.EXE
Type: ASCII
RVA: 00006F88
Offset: 00004388
Size: 00000007
Value: WOW.EXn
Type: ASCII
RVA: 00006F90
Offset: 00004390
Size: 00000007
Value: WinInet
URLVoid domain analysis:
http://www.urlvoid.com/scan/minecraftforum.net
16:38PM UPDATE:
The website now appears to be under maintenance, so it will probably be fixed soon.
These URLs are malicious or related to malware:
hxxp://caperiod.com/pxxko/ndrei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/wjwjwaobfs.php?adv=adv401&id=1626783411&c=203332757
hxxp://getpersgd09.com/persgd09/setup.php?track_id=30046
hxxp://gopersgd09.com/install/?track_id=30046
hxxp://carefinder.com.au/inf.php
hxxp://scr4zy.webcindario.com/2/infects.php
hxxp://elmejorbonche.com/dns
hxxp://photopath.in/8797hkj9jk9j778kj9h78k9jh.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://www.easyenco.co.kr/module/program/media_codec.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=media_codec.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=media_codec.exe
hxxp://c0re.su/panel/config.bin
hxxp://ck4.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://201.25.28.9/mail/images/info.php
hxxp://startfaredata.in/o54p6ipo546ipo6.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eH
hxxp://tecnp.h19.ru/in.php
hxxp://www.cplnn.com/bbcount.php?action=knock&build=sp1
hxxp://www.cplnn.com/wad/init3.php?build=
hxxp://mmm-2011.co.uk/setup2683.exe
hxxp://mmm-2011.co.uk/ka.exe
hxxp://cekcuc.ru/z/kilka.bin
hxxp://up1.free-sms.co.kr/main/free07/smsupsetting.dat
hxxp://up1.free-sms.co.kr/main/free07/smsins.exe
hxxp://up1.free-sms.co.kr/main/free07/smsdat.dat
hxxp://up1.free-sms.co.kr/upapp/free07/eventex.exe
hxxp://free-sms.co.kr/app_count/install_count.php?&pid=free07&mac=%MAC%
hxxp://up1.free-sms.co.kr/main/free07/free-sms.exe
hxxp://up1.free-sms.co.kr/main/free07/uninst.exe
hxxp://up1.free-sms.co.kr/main/free07/free-sms.ico
hxxp://up1.free-sms.co.kr/main/free07/smsupv.exe
hxxp://ppppnipponp.r7m.us/cgi-bin/p.cgi
hxxp://flashpile.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHy
hxxp://neframeofwork.com/gud/hig.op
hxxp://ad.ring3.info/Config.asp
hxxp://ad.ring3.info/Count/Count.asp
hxxp://www.bbsv.nl/files/cache/.../contador.php
hxxp://firstresour.web135.discountasp.net/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=fbgen&v=1
hxxp://shellybeachskiboatclub.co.za/.sys.php?action=aolsbm&v=1&hardid=%HDID%&id=0
hxxp://blognote.by/f/fn.txt
hxxp://www.caesar.sk/downloads/getc/getc.php
hxxp://114.200.199.251/apsuy.php
hxxp://iring4u.co.kr/bcklist.php
hxxp://ad79.co.kr/prex/newb/apsuo.exe
hxxp://114.200.199.251/b5ains.php?mac=%MAC%&ip=%LANIP%&pid=&setup=1
hxxp://114.200.199.251/b5aliveins.php?mac=%MAC%&ip=%LANIP%&pid=&app=
hxxp://caperiod.com/pxxko/iwwnnrvi.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/klppp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/sftkxkb.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/cpptuxlpc.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/oyppct.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/obcptx.php?adv=adv401&id=1626783411&c=203332757
hxxp://gamafotolembranca.com.br/masters/byte.gif
hxxp://gamafotolembranca.com.br/masters/mega.gif
hxxp://gamafotolembranca.com.br/masters/tera.gif
hxxp://www.basedeclientes.com.br/versao_px.txt
hxxp://myck.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://celinhaz.sites.uol.com.br/autor2.jpg
hxxp://www.avisosbaladabelemhh.com.br/files/j1/inf/arq.php
hxxp://caperiod.com/pxxko/xxobo.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/pcppgk.php?adv=adv401&id=1626783411&c=203332757
hxxp://webmail.imicro.com.br/SQL/cashkey.gif
hxxp://searcham.org/404.php?type=stats&affid=527&subid=02&iruns
hxxp://w.nucleardiscover.com:888/list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B&v=2&t=0,5870172
hxxp://ru.coolnuff.com:2011/myck.jpg?t=0,1209528
hxxp://w.nucleardiscover.com:888/sn.php?c=C1DF13F78111F6528E63540E077DCF0C0&t=0,8235895
hxxp://w.nucleardiscover.com:888/sn.php?c=4D535BBF44D4BC186F82F8A2A1DB468528B&t=0,2664606
hxxp://58.150.174.222/baz001.jpg?t=0,4474756
hxxp://w.nucleardiscover.com:888/sn.php?c=B9A76E8AC252E133E3FEAAF11C54E417E770B&t=0,1963922
hxxp://w.nucleardiscover.com:888/sn.php?c=9D83997D1A8A28FA809D6239A9E1FF0CAB3C0&t=0,1260797
hxxp://searchattention.org/404.php?type=stats&affid=531&subid=01&iruns
hxxp://www.easyenco.co.kr/module/program/nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count.asp?exec=nvsvc32.exe
hxxp://www.easyenco.co.kr/module/count_live.asp?exec=nvsvc32.exe
hxxp://caperiod.com/pxxko/jjnaeei.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gqquulypp.php?adv=adv401&id=1626783411&c=203332757
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JNN0&code2=5103
hxxp://www.ilonexs.de/envio/gds32.dll
hxxp://www.familiennavigator.de/components/com_kunena/template/igt.php
hxxp://qd6170.91mt.com/asp/xg.asp
hxxp://qd6170.91mt.com/exe/key2/key_0605.exe
hxxp://key.91mt.com/newkey.php
hxxp://rh508.91mt.com/tj.asp?id=1
hxxp://ups.1gb.ru/services6.exe
hxxp://ekobit.com.pl/cls/Output.exe
hxxp://xn.bisque110.com/yt.php
hxxp://xn.bisque110.com/lf
hxxp://122.770304123.cn/1.gif
hxxp://122.770304123.cn/ue000/38sw.e?uid=162678341112952317322438
hxxp://110.770304123.cn/1.gif
hxxp://110.770304123.cn/player/blog.updata?v=1.1.8.1&r1=0009a83babc21d46591d009e616da91a&tm=2011-06-12%2003:55:28&os=Windows%20XP.2600%20with%20Service%20Pack%202&uid=002678341112952317328300&cht=0
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=GO00&code2=0200&id=102678
hxxp://coursu.com/admin22/server[php]/config.bin
hxxp://ad79.co.kr/fie/sningal.exe
hxxp://114.200.199.251/fie/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/fie/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://iring4u.co.kr/favorbutton.php
hxxp://face-herault.org/images/ads/info.php
hxxp://lkrgn.ivepointedya.com/webyx/settings.cfg?build=501&os=XP
hxxp://network.emloud.com/webyx/iLog.php?dl=5.0&log=Loader%205.0%20~%20Ran
hxxp://consolewaspogad.com/czl/zlo.cl
hxxp://icvaircl.cn/dll/44.dll
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=2
hxxp://icvaircl.cn/update.db
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=4
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=9
hxxp://icvaircl.cn/stat.php?w=44&i=a7157a4db6097a4d51eacb5987fd206c&a=11
hxxp://xylahavowi.com/1023000112
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOM0&code2=4203
hxxp://jennifermusic.nl/logo2.jpg
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=JOP0&code2=7203
hxxp://fastsearchportal.org/cfg/miniav.psd
hxxp://fastsearchportal.org/cfg/stopav.psd
hxxp://fastsearchportal.org/cfg/passw.psd
hxxp://fastsearchportal.org/pyvcu.php3
hxxp://fastsearchportal.org/ungtsmsuopstfsjjxaqhpksdi.phtml
hxxp://fastsearchportal.org/mccmkbawzojuijhsyttn.inc
hxxp://fastsearchportal.org/onqyofrbc.phtm
hxxp://myavava.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrOeDmJ4Q6O41eHyF2e
hxxp://clashjamwallop.in/90ds8c9ds8c9d0s8cds.php?ini=v22MnDTkT9enCDVl61YdHLJrO
hxxp://adordota.com/bandwidth.bin
hxxp://einemenge.info/webpanel/alive.php?key=grills22&pcuser=%PCUSER%&pcname=%PCNAME%&hwid=%HWID%&country=Italy
hxxp://caperiod.com/pxxko/gggklycc.php?adv=adv401&code1=KOR0&code2=9204
hxxp://JOSEMORAISTA.net/Machine.jpg
hxxp://JOSEMORAISTA.net/andeikyu.jpg
hxxp://mariadacoceicaopraxedes.net/GetString.aspx
hxxp://mariadacoceicaopraxedes.net/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612045029
hxxp://mariadacoceicaopraxedes.net/COMCTL32.OCA.zip
hxxp://s350098374.onlinehome.us/mys.ini
hxxp://rmhpzusmfhtpnt.biz/news/?s=167674
hxxp://axvkxnuutylqdtu.com/news/?s=90742
hxxp://outoszjfvqtyonk.net/news/?s=24872
hxxp://114.200.199.251/vanir.php
hxxp://114.200.199.251/b7ins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&setup=1
hxxp://114.200.199.251/b7liveins.php?mac=%MAC%&ip=%LANIP%&pid=vanir&app=
hxxp://privatesystem-softshieldprotect.com/favicon.ico?0=78&1=4&2=2&3=80&4=i-s
hxxp://212.150.164.204/flash/flashplayer.jpg
hxxp://www.increasingly.kr/Module/gomserv.exe
hxxp://www.increasingly.kr/Module/count.html?exec=gomserv.exe&instFile=gomserv.exe
hxxp://www.increasingly.kr/Module/count_live.html?exec=gomserv.exe
hxxp://windoslive.hotmail.ru/090043043543034877799.exe
hxxp://searchbehind.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://mygateforex.co.za/.sys.php?action=fbgen&v=1
hxxp://richardwiggers.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=fbgen&v=1
hxxp://www.obi-labs.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=0
hxxp://rvl.it/.sys.php?action=fbgen&v=1
hxxp://www.irishpub.fo/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=fbgen&v=1
hxxp://lets-exoticpets.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=1
hxxp://slcsc.co.uk/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=fbgen&v=1
hxxp://voodoobarbcue.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=2
hxxp://robertjakobsen.com/.sys.php?action=fbgen&v=1
hxxp://crosslinkhk.com/.sys.php?action=fbgen&v=1
hxxp://skybluephoto.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=fbgen&v=1
hxxp://3mates.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=3
hxxp://www.crabapplesound.com/.sys.php?action=fbgen&v=1
hxxp://www.crabapplesound.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=4
hxxp://kidnet.co.il/.sys.php?action=fbgen&v=1
hxxp://gulko.co.za/.sys.php?action=fbgen&v=1
hxxp://shieldteens.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=5
hxxp://pflco.com/.sys.php?action=fbgen&v=1
hxxp://pflco.com/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=6
hxxp://my-mobility.co.za/.sys.php?action=fbgen&v=1
hxxp://wcw.co.za/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=7
hxxp://emergencyshelter.us/.sys.php?action=fbgen&v=1
hxxp://emergencyshelter.us/.sys.php?action=tumgen&mode=gen&v=1&hardid=%HDID%&email=&cnt=8
hxxp://www.aandedoorns.co.za/.sys.php?action=fbgen&v=1
hxxp://ad79.co.kr/prex/taurus/taurus.exe
hxxp://ad79.co.kr/dico/sDico.exe
hxxp://ad79.co.kr/prex/taurus/staurus.exe
hxxp://114.200.199.251/version2.php
hxxp://114.200.199.251/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=taurus&install=1
hxxp://iring4u.co.kr/dico/dico.php
hxxp://iring4u.co.kr/dico/statins.php?mac=%MAC%&compare=%MAC%&ip=%LANIP%&pid=&install=1
hxxp://114.200.199.251/liveins.php?mac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://iring4u.co.kr/dico/liveins.php?mac=%MAC%&ip=%LANIP%&pid=
hxxp://pc-guarrantor-utility.com/favicon.ico?0=80&1660=0&2=1&3000=82&4000=i-s
hxxp://key.91mt.com/diykey.php
hxxp://limpidoscomercio.com.br/GetString.aspx
hxxp://limpidoscomercio.com.br/Query.aspx
hxxp://98.158.182.229/~milhomem/ver.txt?20110612141104
hxxp://limpidoscomercio.com.br/COMCTL32.OCA.zip
hxxp://limpidoscomercio.com.br/COMCTL32.OCX.zip
hxxp://petchaburi.kr/kwd/hkwd.php
hxxp://petchaburi.kr/kwd/dkwd.php
hxxp://petchaburi.kr/check/check.php?m=b
hxxp://64.31.58.237/brn.txt
hxxp://64.31.58.237/brn.php
hxxp://key.91mt.com/list/getpmnum.asp?id=f9435d25636a746f
hxxp://key.91mt.com/list/getpmnum2.asp?id=f9435d25636a746f
hxxp://114.200.199.251/ngliveins.php?pmac=0&lmac=%MAC%&ip=%LANIP%&pid=taurus
hxxp://www.hyap98.com/123/mh.txt
hxxp://www.hyap98.com/123/rx.txt
hxxp://www.hyap98.com/123/wc.txt
hxxp://www.hyap98.com/123/wm.txt
hxxp://www.hyap98.com/123/wow.txt
hxxp://w.nucleardiscover.com:888/sn.php?c=DCC228CCD04021858368C8936B1023D74A8&t=9,005374E-02
hxxp://w.nucleardiscover.com:888/sn.php?c=18064AAE3FAF34908C67CC976A11E317&t=0,3627588
hxxp://searcham.org/404.php?type=stats&affid=531&subid=03&iruns
hxxp://s350098374.onlinehome.us/update.php
hxxp://key.91mt.com/list/getpmnum.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum2.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/clickpm.asp?id=e69ec59abbe3c794
hxxp://key.91mt.com/list/getpmnum.asp?id=fa67a8111002230d
hxxp://key.91mt.com/list/getpmnum2.asp?id=fa67a8111002230d
hxxp://98.158.182.229/~milhomem/ver.txt?20110612154053
hxxp://ck3.nucleardiscover.com:88/p6.asp?MAC=%MAC%&Publicer=100
hxxp://w.nucleardiscover.com:888/sn.php?c=948A7D999D0D9733C5285903F882FB388219AB9DA&t=0,894787
hxxp://w.nucleardiscover.com:888/sn.php?c=E1FF76924BDB00A47B96A8F2F18B995A4AD1A593F&t=0,5531122
hxxp://58.150.174.222/baz001.jpg?t=0,8852045
hxxp://131207db062d.dynazzy.net/get2.php?c=TCBIJIJK&d=26606B67393437333F2F676268307D3F22202323
hxxp://w.nucleardiscover.com:888/sn.php?c=4E5018FC71E12DFFD2CFCA91DB93&t=0,2665522
hxxp://w.nucleardiscover.com:888/sn.php?c=1F01DE3AC95905D70C11B&t=0,5650751
hxxp://ru.coolnuff.com:2011/ck3.jpg?t=0,4463007
hxxp://w.nucleardiscover.com:888/sn.php?c=3B25E90DC1513CEEB45CC6EB96EEC230&t=0,7814447
hxxp://w.nucleardiscover.com:888/sn.php?c=918FA94D78E873A13CD4E5C8502&t=0,8195307
hxxp://ru.coolnuff.com:2011/ck4.jpg?t=0,3862421
hxxp://w.nucleardiscover.com:888/sn.php?c=F8E65FBB45D53793A54EFCA7C5BEEB&t=0,3606684
hxxp://xylahavowi.com/1023000112
hxxp://tekefihamib.com/10230001124255461742
hxxp://tekefihamib.com/buy.html
URLVoid domain analysis:
http://www.urlvoid.com/scan/caperiod.com
http://www.urlvoid.com/scan/getpersgd09.com
http://www.urlvoid.com/scan/gopersgd09.com
http://www.urlvoid.com/scan/carefinder.com.au
http://www.urlvoid.com/scan/scr4zy.webcindario.com
http://www.urlvoid.com/scan/elmejorbonche.com
http://www.urlvoid.com/scan/photopath.in
http://www.urlvoid.com/scan/easyenco.co.kr
http://www.urlvoid.com/scan/c0re.su
http://www.urlvoid.com/scan/ck4.nucleardiscover.com
http://www.urlvoid.com/scan/201.25.28.9
http://www.urlvoid.com/scan/startfaredata.in
http://www.urlvoid.com/scan/tecnp.h19.ru
http://www.urlvoid.com/scan/cplnn.com
http://www.urlvoid.com/scan/mmm-2011.co.uk
http://www.urlvoid.com/scan/cekcuc.ru
http://www.urlvoid.com/scan/up1.free-sms.co.kr
http://www.urlvoid.com/scan/free-sms.co.kr
http://www.urlvoid.com/scan/ppppnipponp.r7m.us
http://www.urlvoid.com/scan/flashpile.in
http://www.urlvoid.com/scan/neframeofwork.com
http://www.urlvoid.com/scan/ad.ring3.info
http://www.urlvoid.com/scan/bbsv.nl
http://www.urlvoid.com/scan/firstresour.web135.discountasp.net
http://www.urlvoid.com/scan/shellybeachskiboatclub.co.za
http://www.urlvoid.com/scan/blognote.by
http://www.urlvoid.com/scan/caesar.sk
http://www.ipvoid.com/scan/114.200.199.251
http://www.urlvoid.com/scan/iring4u.co.kr
http://www.urlvoid.com/scan/ad79.co.kr
http://www.urlvoid.com/scan/gamafotolembranca.com.br
http://www.urlvoid.com/scan/basedeclientes.com.br
http://www.urlvoid.com/scan/myck.nucleardiscover.com
http://www.urlvoid.com/scan/celinhaz.sites.uol.com.br
http://www.urlvoid.com/scan/avisosbaladabelemhh.com.br
http://www.urlvoid.com/scan/webmail.imicro.com.br
http://www.urlvoid.com/scan/searcham.org
http://www.urlvoid.com/scan/w.nucleardiscover.com
http://www.urlvoid.com/scan/ru.coolnuff.com
http://www.ipvoid.com/scan/58.150.174.222
http://www.urlvoid.com/scan/searchattention.org
http://www.urlvoid.com/scan/ilonexs.de
http://www.urlvoid.com/scan/familiennavigator.de
http://www.urlvoid.com/scan/qd6170.91mt.com
http://www.urlvoid.com/scan/key.91mt.com
http://www.urlvoid.com/scan/rh508.91mt.com
http://www.urlvoid.com/scan/ups.1gb.ru
http://www.urlvoid.com/scan/ekobit.com.pl
http://www.urlvoid.com/scan/xn.bisque110.com
http://www.urlvoid.com/scan/122.770304123.cn
http://www.urlvoid.com/scan/110.770304123.cn
http://www.urlvoid.com/scan/coursu.com
http://www.urlvoid.com/scan/face-herault.org
http://www.urlvoid.com/scan/lkrgn.ivepointedya.com
http://www.urlvoid.com/scan/network.emloud.com
http://www.urlvoid.com/scan/consolewaspogad.com
http://www.urlvoid.com/scan/icvaircl.cn
http://www.urlvoid.com/scan/xylahavowi.com
http://www.urlvoid.com/scan/jennifermusic.nl
http://www.urlvoid.com/scan/fastsearchportal.org
http://www.urlvoid.com/scan/myavava.in
http://www.urlvoid.com/scan/clashjamwallop.in
http://www.urlvoid.com/scan/adordota.com
http://www.urlvoid.com/scan/einemenge.info
http://www.urlvoid.com/scan/JOSEMORAISTA.net
http://www.urlvoid.com/scan/mariadacoceicaopraxedes.net
http://www.ipvoid.com/scan/98.158.182.229
http://www.urlvoid.com/scan/s350098374.onlinehome.us
http://www.urlvoid.com/scan/rmhpzusmfhtpnt.biz
http://www.urlvoid.com/scan/axvkxnuutylqdtu.com
http://www.urlvoid.com/scan/outoszjfvqtyonk.net
http://www.urlvoid.com/scan/privatesystem-softshieldprotect.com
http://www.ipvoid.com/scan/212.150.164.204
http://www.urlvoid.com/scan/increasingly.kr
http://www.urlvoid.com/scan/windoslive.hotmail.ru
http://www.urlvoid.com/scan/searchbehind.org
http://www.urlvoid.com/scan/mygateforex.co.za
http://www.urlvoid.com/scan/richardwiggers.com
http://www.urlvoid.com/scan/obi-labs.com
http://www.urlvoid.com/scan/rvl.it
http://www.urlvoid.com/scan/irishpub.fo
http://www.urlvoid.com/scan/lets-exoticpets.co.za
http://www.urlvoid.com/scan/slcsc.co.uk
http://www.urlvoid.com/scan/voodoobarbcue.com
http://www.urlvoid.com/scan/robertjakobsen.com
http://www.urlvoid.com/scan/crosslinkhk.com
http://www.urlvoid.com/scan/skybluephoto.com
http://www.urlvoid.com/scan/3mates.com
http://www.urlvoid.com/scan/crabapplesound.com
http://www.urlvoid.com/scan/kidnet.co.il
http://www.urlvoid.com/scan/gulko.co.za
http://www.urlvoid.com/scan/shieldteens.co.za
http://www.urlvoid.com/scan/wcw.co.za
http://www.urlvoid.com/scan/pflco.com
http://www.urlvoid.com/scan/my-mobility.co.za
http://www.urlvoid.com/scan/emergencyshelter.us
http://www.urlvoid.com/scan/aandedoorns.co.za
http://www.ipvoid.com/scan/114.200.199.251
http://www.urlvoid.com/scan/pc-guarrantor-utility.com
http://www.urlvoid.com/scan/limpidoscomercio.com.br
http://www.urlvoid.com/scan/petchaburi.kr
http://www.ipvoid.com/scan/64.31.58.237
http://www.urlvoid.com/scan/hyap98.com
http://www.urlvoid.com/scan/ck3.nucleardiscover.com
http://www.urlvoid.com/scan/131207db062d.dynazzy.net
http://www.urlvoid.com/scan/tekefihamib.com
Suspicious email spreading malware:
Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034
Message:
May 2011United Parcel Servicetracking number #18203 Good morningParcel
notificationThe parcel was sent your home adress.And it will arrive within 3
buisness days. More information and the parcel tracking number are attached in
document below.Thank you United Parcel Service of America (c)153 James Street,
Suite100, Long Beach CA, 90000
Attached there is a file with ZIP extension:
Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-zip
File size: 9032 bytes
MD5 hash: 4e8bbc81f8a1ed3fcde3899546fef0c9
SHA1 hash: 56e4f46e75cbccf27dde19289250471ebb90c5ba
Detection rate: 4 on 5 (80%)
Status: INFECTED
AVG 14/06/2011 10.0.0.1190 FakeAlert
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
ClamAV 14/06/2011 0.97 Suspect.Bredozip-zippwd-10
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
The extracted file is an executable file:
Report date: 2011-06-14 11:44:18 (GMT 1)
File name: ups-document-exe
File size: 24576 bytes
MD5 hash: fed91182ed9d29e36bbabac211ac7d3a
SHA1 hash: 17f308da31c8d61dd0b33691bf474e6f6fb5afbe
Detection rate: 2 on 5 (40%)
Status: INFECTED
Avira AntiVir 14/06/2011 7.11.7.12 TR/Crypt.XPACK.Gen
Emsisoft 14/06/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
Report created by NoVirusThanks Automated Sandbox:
Process Created - %SAMPLE% - C:\WINDOWS\system32\svchost.exe - Microsoft Corporation - 73955B04F209D8A1C633867841267A96 - 14336 bytes
File Deleted - C:\WINDOWS\system32\svchost.exe - %SAMPLE% - 24576 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /pusk3.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\OJZMJR51\pusk3[1].exe - 9A4DB26B24C1FA9F59D7005B18BF1B6E - 17408 bytes - attr: [] - -
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\pusk3.exe - Microsoft Corporation - AFFF69E592B133B34B0FD2AB6AC67691 - 429056 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol.exe
Connection Established - %AppData%\IMPOST~1\Temp\pusk3.exe - TCP - 194.50.7.14 - 80
Web Request - %AppData%\IMPOST~1\Temp\pusk3.exe - GET - searcham.org - /404.php?type=stats&affid=531&subid=03&iruns
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\trol[1].exe - 2984C3FF08E69000E841BF48436C55C9 - 66560 bytes - attr: [] - -
File Created - %AppData%\IMPOST~1\Temp\pusk3.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\WRLEMEZ4\404[1].htm - NOTHING TO HASH - 0 bytes - attr: [] - -
Process Created - 14/06/2011 11.46.01 - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol.exe - Unknown Publisher - F6C7505CC989D824EE2B6961F5EE1C2C - 79360 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 85.202.146.77 - 80
Web Request - C:\WINDOWS\system32\svchost.exe - GET - miliardov.com - /trol2.exe
File Modified - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe
File Created - C:\WINDOWS\system32\svchost.exe - %UserProfile%\Impostazioni locali\Temporary Internet Files\Content.IE5\DX0O3V3I\trol2[1].exe - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Process Created - C:\WINDOWS\system32\svchost.exe - %AppData%\IMPOST~1\Temp\trol2.exe - Unknown Publisher - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes
Connection Established - C:\WINDOWS\system32\svchost.exe - TCP - 95.64.36.67 - 80
File Created - %AppData%\IMPOST~1\Temp\trol2.exe - %Temp%\2.tmp - B088C688BFC85ACB12998CCB206C1705 - 84480 bytes - attr: [] - PE
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.33 - 80
Connection Established - %AppData%\IMPOST~1\Temp\trol2.exe - TCP - 94.60.123.34 - 80
URLVoid domain analysis:
http://www.urlvoid.com/scan/miliardov.com
http://www.urlvoid.com/scan/searcham.org
IPVoid IP address analysis:
http://www.ipvoid.com/scan/85.202.146.77
http://www.ipvoid.com/scan/194.50.7.14
http://www.ipvoid.com/scan/95.64.36.67
http://www.ipvoid.com/scan/94.60.123.33
http://www.ipvoid.com/scan/94.60.123.34
New phishing email related to PayPal accounts:
Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
Date: Tue, 17 May 2011 18:38:40 -0700
To: undisclosed-recipients:;
Message:
Note that the email comes from:
From: "Paypal"<servviice@paybal.com>
The domain paybal.com is parked!
Malicious URL that redirects to the phishing PayPal login page:
hxxp://www.doncastersc.vic.edu .au/calendar/paypal.secure.update.service/paypal.secure.login/safe.login.process/language&id=en/80a13c0db1f1ff80d546411d7f8a8350c132bc41e0934c/us/webscr.php?cmd=_login-run&dispatch=3885d80a13c0db1f1ff80d546411d7f8a8350c132bc0
URLVoid domain analysis:
http://www.urlvoid.com/scan/paybal.com
http://www.urlvoid.com/scan/doncastersc.vic.edu.au
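The phishing mails quoted in these posts share a few header-level tells: a brand name in the From display name whose domain is not the brand's (paybal.com, mail.aby.fr), a Return-Path that does not match the From domain, a sending client that identifies itself only as "User" in the Received line, and an undisclosed-recipients To field. The triage script below is an added example, not code from this blog or from NoVirusThanks; it runs the headers quoted above through those checks. The brand-to-domain mapping and the signal names are assumptions made for the example.

```python
import re
from email.parser import HeaderParser

# Assumed mapping of brand keywords seen in display names to the domain the brand
# really mails from. This is an assumption for the example, not something the page states.
BRAND_DOMAINS = {
    "ebay": "ebay.com",
    "paypal": "paypal.com",
    "united parcel service": "ups.com",
    "ups": "ups.com",
}

# Constructed samples: the header lines quoted in the posts above, trimmed to the
# fields the checks look at. A real capture would carry many more headers.
EBAY_SAMPLE = """Return-Path: <aw-confirm@mail.aby.fr>
Received: from mail.ktmtalk.com (mail.ktmtalk.com [173.74.246.25])
Received: from User [98.175.62.124] by mail.ktmtalk.com with ESMTP
From: "eBay Member jxavier14"<aw-confirm@mail.aby.fr>
Subject: New Unpaid Item Message from jxavier14: #14027471062 -- response required
To: undisclosed-recipients:;
"""

PAYPAL_SAMPLE = """Return-Path: <servviice@paybal.com>
Received: from WIN-ATAF5I4OOP1 (unknown [96.44.188.43])
Received: from User ([127.0.0.1]) by WIN-ATAF5I4OOP1
From: "Paypal"<servviice@paybal.com>
Subject: Your Paypal Account Will Be Limited
To: undisclosed-recipients:;
"""

UPS_SAMPLE = """Return-Path: <info52943@ups.com>
Received: from [39.203.6.87] (account 1361@ms21.hinet.net HELO ybydypsmsb.cehflcrileuz.ru)
From: "United Parcel Service" <info52943@ups.com>
Subject: United Parcel Service notification #46034
"""


def address_domain(header_value):
    """Lower-cased domain of the address in a From or Return-Path value."""
    if not header_value:
        return ""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value.strip()
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Plain Levenshtein distance; used to catch typo-squats such as paybal.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_headers(raw):
    """Return the list of suspicious signals found in a raw header block."""
    msg = HeaderParser().parsestr(raw)
    signals = []
    from_hdr = msg.get("From", "")
    from_domain = address_domain(from_hdr)
    return_domain = address_domain(msg.get("Return-Path", ""))
    display = from_hdr.split("<", 1)[0].strip(' "').lower()

    # 1. Display name claims a brand but the address is not on the brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display):
            if from_domain != legit and not from_domain.endswith("." + legit):
                signals.append("brand_domain_mismatch")
                break

    # 2. Sender domain is one or two edits away from a brand domain (paybal vs paypal).
    for legit in set(BRAND_DOMAINS.values()):
        if from_domain != legit and edit_distance(from_domain, legit) <= 2:
            signals.append("lookalike_domain")
            break

    # 3. Envelope sender and header sender disagree.
    if return_domain and return_domain != from_domain:
        signals.append("return_path_mismatch")

    # 4. The submitting client identified itself only as "User".
    received = msg.get_all("Received", [])
    if any(re.match(r"\s*from\s+User\b", r) for r in received):
        signals.append("generic_client_hostname")

    # 5. HELO name belongs to a domain unrelated to the claimed sender.
    for r in received:
        m = re.search(r"(?:HELO|helo=)\s*([\w.-]+)", r)
        if m and not m.group(1).lower().endswith(from_domain):
            signals.append("helo_domain_differs")
            break

    # 6. Bulk send with hidden recipient list.
    if "undisclosed-recipients" in msg.get("To", "").lower():
        signals.append("undisclosed_recipients")
    return signals


if __name__ == "__main__":
    for name, sample in (("eBay", EBAY_SAMPLE), ("PayPal", PAYPAL_SAMPLE), ("UPS", UPS_SAMPLE)):
        print(name, triage_headers(sample))
```

The UPS sample is instructive: its From address sits on the real ups.com domain, so the brand and lookalike checks stay quiet and only the foreign HELO name fires. Header heuristics like these are a triage aid; a forged From on a brand's own domain is what SPF and DKIM verification at the receiving MTA are for.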
Suspicious email spreading malware:
Received: from 18714128077.user.veloxzone.com.br (unknown [187.14.128.77])
Received: from [132.75.231.74] (helo=qnmekzdssguat.bacphgvlbnez.ua)
From: "Puremobile Inc." <h5923a@ms2.hinet.net>
Subject: Your Order No 218538 - Puremobile Inc.
Message:
Thank you for ordering from Puremobile Inc.
This message is to inform you that your order has been received and is currently
being processed.
Your order reference is 372662.
You will need this in all correspondence.
This receipt is NOT proof of purchase.
We will send a printed invoice by mail to your billing address.
You have chosen to pay by credit card.
Your card will be charged for the amount of 045.00 USD and "Puremobile Inc." will
appear next to the charge on your statement.
Your purchase information appears below in the file.
Attached there is a file with ZIP extension:
Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-zip
File size: 7627 bytes
MD5 hash: d85180f7a74e04c9b9ef6f9bd437194d
SHA1 hash: 79763a8766773bc08f7dd309db2488f46d3f5438
Detection rate: 3 on 6 (50%)
Status: INFECTED
AVG 01/05/2011 10.0.0.1190 FakeAlert
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
The extracted file is an executable file:
Report date: 2011-05-01 23:21:48 (GMT 1)
File name: payment-document-exe
File size: 18432 bytes
MD5 hash: 694a38aa76e06cebe4048260b8f0e4fa
SHA1 hash: 0e698c044e77e11e2c494ad0b2dc002f6d73dabe
Detection rate: 2 on 6 (50%)
Status: INFECTED
Avira AntiVir 01/05/2011 7.11.7.12 TR/Dldr.FraudLoad.zemh
Emsisoft 01/05/2011 5.1.0.2 Trojan-Downloader.Win32.Chepvil!IK
The malware creates the following files:
%AppData%\kdv.exe (BE39D725BDA9A76EAB2E0F1B3FAD8FA3)
Registry entries added:
HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
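Rewriting the (Default) value of the `.exe` and `exefile` `shell\open\command` keys makes Windows run the dropped program first every time any executable is launched, with the real target passed through the `"%1" %*` placeholders. The check below is an added example, not code from this blog or from NoVirusThanks: it parses a dump in the layout shown above, flags any of those keys whose value is not the stock `"%1" %*`, and pulls out the program that was inserted. The dump text is constructed from the entries reported above plus one benign key added for contrast.

```python
import re

# Constructed sample in the page's own "KEY:" / "(Default) = value" layout. The two
# hijacked HKCU keys are the ones reported above; the HKLM key is a benign default
# added for contrast (the stock Windows value is "%1" %*).
SAMPLE_REGISTRY_DUMP = r'''
HKCU\Software\Classes\.exe\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
HKCU\Software\Classes\exefile\shell\open\command:
(Default) = ""%AppData%\kdv.exe" -a "%1" %*"
HKLM\Software\Classes\exefile\shell\open\command:
(Default) = ""%1" %*"
'''

# Keys (hive stripped, lower-cased) whose default verb decides how every .exe starts.
EXE_OPEN_KEYS = (
    r"software\classes\.exe\shell\open\command",
    r"software\classes\exefile\shell\open\command",
)

# Values Windows itself uses for the open verb; anything else is worth a look.
BENIGN_COMMANDS = {'"%1" %*', '%1 %*', '"%1"', '%1'}
STOCK_COMMAND = '"%1" %*'   # what remediation should restore


def parse_registry_dump(text):
    """Yield (key, default_value) pairs from the dump layout used on this page."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            key = line[:-1]
        elif key and line.startswith("(Default) ="):
            value = line.split("=", 1)[1].strip()
            # the dump wraps the whole value in one extra pair of quotes
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            yield key, value
            key = None


def injected_program(command):
    """First token of a shell command: the quoted path, or the first bare word."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return m.group(1) or m.group(2)


def find_exe_hijacks(text):
    """Return [(key, command, program)] for every .exe open-verb that is not stock."""
    findings = []
    for key, value in parse_registry_dump(text):
        path = key.split("\\", 1)[1].lower() if "\\" in key else key.lower()
        if path in EXE_OPEN_KEYS and value not in BENIGN_COMMANDS:
            findings.append((key, value, injected_program(value)))
    return findings


if __name__ == "__main__":
    for key, command, program in find_exe_hijacks(SAMPLE_REGISTRY_DUMP):
        print(f"{key}\n  hijacked by: {program}\n  full value : {command}\n  restore to : {STOCK_COMMAND}")
```

On a live system the same logic runs over values read with `winreg` (or a `reg export` of HKCU and HKLM `Software\Classes`); the HKCU keys matter most, since a user-level dropper can write them without elevation and they shadow the HKLM defaults for that user.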
Network traffic:
GET /0014000126 HTTP/1.1
Host: hahecekis. com
GET /pusk.exe HTTP/1.1
Host: variantov. com
GET /f/g.php HTTP/1.1
Host: kkojjors. net
URLVoid domain analysis:
http://www.urlvoid.com/scan/hahecekis.net
http://www.urlvoid.com/scan/variantov.com
http://www.urlvoid.com/scan/kkojjors.net