Spam offering Russian Girls A Plenty!

20 01 2011

Our readers are reporting that the Cyber Criminals are sending Spam with malicious links. The criminals are trying to entice users with Russian Girls and Sex.

“Beware these sites are crawling with Malware!”

----------<Spam Sample>----------
From: Fance@Franceroo.ru

<Malware Spam>
To: All MS

Hi dear! I am for a decent man.

As for me, I am a young Russian girl
Do you like Russian women?

They are not just beautiful and smart, but very tolerant too.
Russian women value family and try to be with their husbands as much as possible.

It’s time to get to know each other!
See you on marriage agency. Cheerio!

Please, visit this site!

<Malware Link>
URL=http://1.beersexchix.ru/

----------<>----------

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\jquery.pack[1].js
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\girls_photos[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\style[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\footer_girls[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\ie_style[1].css
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\x1[1].png
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\1.beersexchix[1].htm

<DNS Traffic>

  • 1.beersexchix.ru – IP: 178.208.81.55
  • imgs.blyadgirl.ru – IP: 72.9.107.43
  • img.sexforfun.ru – IP: 72.9.107.43

Malware Site: hxxp://datingwithlove.ru

  • IP: 194.85.105.17
  • IP: 91.216.141.173
  • IP: 178.208.76.153

Hostmaster.rumacsun.ru points to 72.9.107.43.

Blacklisted – URIBL.com

Malware Found:

* Trojan+FakeVimes
* Trojan.JS
* FakeUpdates
* Fake Antivirus /”free-spy-software.net”
* Trojan-Downloader.Win32.Genome
* TDSS/Rootkit
* Trojan Zeus/ZBOT

Malware DNS Queries:

  • datingwithlove.ru – IP: 178.208.76.153
  • imgs.blyadgirl.ru – IP: 72.9.107.43
  • img.blyadgirl.ru – IP: 178.208.76.153

More Malware Sites:

* *.cross-the-best.com
* *.gogetsuperr.com
* *.privenowtoo.com
* americangirls.ru
* afur.ru
* dateyourdream.ru
* datingextazy.ru
* datingsasha.ru
* f*-ckmyrussianwife.ru
* lovedatig.ru
* ns1.privenowtoo.com
* ns2.privenowtoo.com
* ns3.gogetsuperr.com
* ns4.gogetsuperr.com
* ns4.iknarr.ru
* ns4.nsxine.ru
* ns4.tiniee.ru
* sexbeerdating.ru
* http://www.cross-the-best.com
* pevo.ru
* sexyputana.ru
* pornorate.ru
* wantedunitedsex.ru
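The domains and IP addresses above are most useful to a defender once they are in a form a log search can consume. The following Python script is an added example, not code from the original post: it normalises the post's indicators (stripping the hxxp:// defanging and handling the *. wildcards), then runs a constructed set of DNS query log lines against them. The five-field log layout (timestamp, client, query name, record type, answer) is constructed for the example and is not any particular resolver's format; the sample lines are made up, with the bad names and addresses drawn from this post.

```python
"""Match DNS query logs against the post's indicators (added example)."""
import ipaddress
import re

# Indicators copied from the post above, in the post's own notation:
# "hxxp://" defanging, "*." wildcards, bare IPs and host names mixed.
INDICATORS = """
hxxp://datingwithlove.ru
1.beersexchix.ru
imgs.blyadgirl.ru
img.blyadgirl.ru
img.sexforfun.ru
*.cross-the-best.com
*.gogetsuperr.com
*.privenowtoo.com
americangirls.ru
dateyourdream.ru
sexbeerdating.ru
http://www.cross-the-best.com
178.208.81.55
72.9.107.43
178.208.76.153
194.85.105.17
91.216.141.173
"""

# Constructed five-field query log (timestamp, client, qname, qtype, answer);
# the bad names and addresses come from the post, everything else is made up.
SAMPLE_LOG = """\
2011-01-20T10:01:02Z 10.0.0.5 www.example.com A 93.184.216.34
2011-01-20T10:01:09Z 10.0.0.5 imgs.blyadgirl.ru A 72.9.107.43
2011-01-20T10:02:17Z 10.0.0.7 mail.cross-the-best.com A 203.0.113.9
2011-01-20T10:03:44Z 10.0.0.9 cdn.unrelated.net A 178.208.76.153
2011-01-20T10:04:01Z 10.0.0.9 americangirls.ru. A 198.51.100.4
"""

_SCHEME = re.compile(r"^(?:h(?:xx|tt)ps?|ftp)://", re.I)


def normalise(indicator):
    """Reduce one indicator line to ('ip', addr), ('wild', suffix) or ('host', name)."""
    ind = _SCHEME.sub("", indicator.strip().lower())  # drop http:// and defanged hxxp://
    ind = ind.split("/", 1)[0].rstrip(".")            # keep only the host part of a URL
    try:
        return "ip", ipaddress.ip_address(ind)
    except ValueError:
        pass
    if ind.startswith("*."):
        return "wild", ind[2:]
    return "host", ind


class IndicatorSet:
    def __init__(self, lines):
        self.ips, self.hosts, self.wild = set(), set(), set()
        for line in lines:
            if not line.strip():
                continue
            kind, value = normalise(line)
            if kind == "ip":
                self.ips.add(value)
            elif kind == "wild":
                self.wild.add(value)
            else:
                self.hosts.add(value)

    def match_host(self, name):
        """Exact host hit, else a wildcard hit on any parent label.
        '*.x.com' matches sub.x.com but not x.com itself; list the apex as
        its own host line if it should be caught too."""
        name = name.lower().rstrip(".")
        if name in self.hosts:
            return "host", name
        labels = name.split(".")
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.wild:
                return "wild", "*." + suffix
        return None

    def match_ip(self, text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None
        return ("ip", str(addr)) if addr in self.ips else None


def scan(lines, iset):
    """Return (line_no, client, qname, reason) for every log line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 5:  # skip blank or malformed lines
            continue
        _ts, client, qname, _qtype, answer = fields
        reason = iset.match_host(qname) or iset.match_ip(answer)
        if reason:
            hits.append((n, client, qname, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), IndicatorSet(INDICATORS.splitlines())):
        print(*hit)
```

Matching on the answer as well as the query name is what catches the fourth sample line: a name the post never mentions, resolving to one of the post's addresses. That is the usual way a second lure domain on the same box shows up before anyone has written it down.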

Good Luck!





Casino Spam is a Phish

19 01 2011

Our readers sent us a copy of the new Casino Spam that points to Russia.

The Spam includes Phishing and Malware Sites.

<Sample>

From: “555” <vidagbjbnkvpp@andrewsmemorial-umc.org>
To: Joe6@123x.com

Your 555USD bonus has just arrived, Claim it in here –
hxxp://stars-play-777.ru
----------<>----------

Malware Site:

  • hxxp://stars-play-777.ru
  • Points to: 175.121.56.57

Malware Files Created:

  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\royalpalaceca_03[1].jpg
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\royalpalaceca_06[1].jpg

Nameservers are via castime.ru:

  • ns1.castime.ru
  • ns2.castime.ru
  • ns3.castime.ru
  • ns4.castime.ru

IP 175.121.56.57 – Address Points to Multiple Domain Names:

  • castime.ru
  • *.extra-game-888.ru
  • *.extragameslots.ru
  • *.game-extra-lux.ru
  • *.hot-game-888.ru
  • 888-game-extra.ru
  • eduinomed.in
  • extra-game-888.ru
  • extra-game-royal.ru
  • extra-game-top.ru
  • extragameslots.ru
  • finmed.in
  • game-extra-lux.ru
  • game888extra.ru
  • getrxpill.in
  • gorxshop.in
  • hankmed.in
  • hansonline.in
  • hot-game-888.ru
  • hotgoldgame.ru
  • jeddtab.ru
  • maconline.in
  • mortenmed.in
  • newtonmed.in
  • nollymed.in
  • pharmhank.in
  • robbymed.in
  • salmed.in
  • saymed.in
  • tabluke.in
  • tabwald.in
  • viced.in
  • vip-play-stars.ru
  • vip-stars-play.ru
  • http://www.extra-game-888.ru
  • http://www.extragameslots.ru
  • http://www.game-extra-lux.ru
  • http://www.hot-game-888.ru

Reference: Robtex.com and MyWot





Funky Fire Site Spewing Trojan Attacks

17 01 2011

One of our readers informs us that a site called Fireboys.com is spewing some banking Trojan attacks.

The malware site fireboys.com has one IP address (66.96.130.133), whose reverse lookup is 133.130.96.66.static.eigbox.net. Berner.org and fabcor.com point to the same IP and also share its name servers. Bizfit.net, atmainteractive.com, vitalwellnessinc.com, mybimmer.com, reincarnationforte.net and at least 200 other hosts point to the same IP.

Malware Site:
hxxp://fireboys.com
IP: 66.96.130.133

Malware Found:

  • Trojans Zeus/Zbot
  • Backdoor attacks.
  • Command and Control

Suspicious Files:

  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer
  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
  • C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009070220090703\index.dat
  • c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\disclaimer-reg_09[1].gif
  • c:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\fireboys[1].htm

Host names sharing this IP via A records (219 in total) – go to Robtex to see the entire list.

  • aboutlimo.com
  • abstractbay.com
  • adventuresofary.net
  • allchoiceins.com
  • americanhominsp.com
  • andeverythingnice.net
  • arenalrealestatedevelopment.com
  • bioaspect.com
  • bizfit.net
  • bluegrasspainmanagement.com
  • bulldoghockey.net
  • buyahomeinbocaraton.com
  • commentsusa.com
  • crosspaint.com
  • davidfhardy.com
  • designfordesign.net
  • disenoyfotos.com
  • dlnews.net
  • editorialnote.net
  • filmasylum.net
  • fireboys.com
  • firewok.com
  • floridasleepinns.com
  • frankwykoff1.com
  • frederickprecast.com
  • mtinstruments.com
  • nrgpublications.com
  • oceaner.net
  • oceangrovecondos.com
  • offdutycharters.net
  • officeanesthesiology.com
  • officialsos.net
  • robertmoylan.com
  • rollyrichert.com
  • rslfinancial.com
  • seankirklin.com
  • secretpokerclub.net
  • tangfamily.net
  • taxkool.com
  • unlimitedsightandsound.com
  • webpagesbybob.com
  • winkinglizardproductions.com
  • wiraonline.com
  • wonalancet.net
  • http://www.swat-clan.net
  • yahooindian.com
  • zebella.com
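Both the casino post and this one pivot the same way: a seed domain resolves to one address, a reverse lookup of that address returns many more names, and shared name servers tie them together. The following Python script is an added example (not tooling from the blog or from Robtex) that performs that pivot over a small constructed passive-DNS table built from the domains and addresses in the two posts. Where a post does not state a domain's name servers the entry is marked as an assumption, and the hosting provider's name servers (sharedhost.example) are constructed placeholders. The heuristic it adds, whether the name servers' own parent domain sits on the same address as the seed, separates the casino cluster (castime.ru hosts the sites and their DNS on 175.121.56.57) from ordinary shared hosting such as the eigbox.net address, where 219 sites share one IP and co-location by itself says little.

```python
"""Pivot from a seed domain to co-hosted domains and shared name servers
(added example; not the blog's own tooling)."""

# Constructed passive-DNS style tables. Domains and addresses come from the
# casino post (19 01 2011) and the fireboys post (17 01 2011); entries marked
# "assumption" or "constructed" are not stated on the page.
A_RECORDS = {
    "stars-play-777.ru": "175.121.56.57",
    "castime.ru": "175.121.56.57",
    "extra-game-888.ru": "175.121.56.57",
    "hot-game-888.ru": "175.121.56.57",
    "vip-play-stars.ru": "175.121.56.57",
    "getrxpill.in": "175.121.56.57",
    "fireboys.com": "66.96.130.133",
    "berner.org": "66.96.130.133",
    "fabcor.com": "66.96.130.133",
    "bizfit.net": "66.96.130.133",
    "mybimmer.com": "66.96.130.133",
    "sharedhost.example": "203.0.113.10",  # constructed hosting-provider domain
}

CASINO_NS = ["ns1.castime.ru", "ns2.castime.ru", "ns3.castime.ru", "ns4.castime.ru"]
HOSTER_NS = ["ns1.sharedhost.example", "ns2.sharedhost.example"]  # constructed names

NS_RECORDS = {
    "stars-play-777.ru": CASINO_NS,  # stated in the post
    "castime.ru": CASINO_NS,         # assumption
    "extra-game-888.ru": CASINO_NS,  # assumption
    "hot-game-888.ru": CASINO_NS,    # assumption
    "vip-play-stars.ru": CASINO_NS,  # assumption
    "getrxpill.in": CASINO_NS,       # assumption
    "fireboys.com": HOSTER_NS,
    "berner.org": HOSTER_NS,         # post: shares name servers with fireboys.com
    "fabcor.com": HOSTER_NS,         # post: shares name servers with fireboys.com
    "bizfit.net": HOSTER_NS,         # assumption
    "mybimmer.com": HOSTER_NS,       # assumption
}


def registrable(hostname):
    """Naive registrable domain (last two labels). Production code should use
    the Public Suffix List so that names like example.co.uk are handled."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def reverse_ip(ip):
    """All domains in the table that resolve to this address."""
    return sorted(d for d, a in A_RECORDS.items() if a == ip)


def pivot(seed):
    ip = A_RECORDS[seed]
    cohosted = [d for d in reverse_ip(ip) if d != seed]
    seed_ns = set(NS_RECORDS.get(seed, []))
    shared_ns = sorted(d for d, ns in NS_RECORDS.items()
                       if d != seed and seed_ns & set(ns))
    # Heuristic: if the name servers' parent domain resolves to the same
    # address as the seed, the operator runs web and DNS on one box and the
    # co-hosted names form a self-contained cluster (castime.ru above). When
    # the name servers belong to a third-party hoster, co-location alone is
    # weak evidence: fireboys.com shared its address with 218 other sites.
    ns_parents = sorted({registrable(ns) for ns in seed_ns})
    self_hosted = any(A_RECORDS.get(p) == ip for p in ns_parents)
    if self_hosted:
        assessment = "self-contained cluster; co-hosted names are strongly related"
    else:
        assessment = (f"third-party hosting; co-location with {len(cohosted)} "
                      "names is weak evidence on its own")
    return {
        "seed": seed, "ip": ip, "cohosted": cohosted, "shared_ns": shared_ns,
        "ns_parents": ns_parents, "self_hosted_ns": self_hosted,
        "assessment": assessment,
    }


if __name__ == "__main__":
    for seed in ("stars-play-777.ru", "fireboys.com"):
        r = pivot(seed)
        print(f"{r['seed']} -> {r['ip']}: {r['assessment']}")
        print("  co-hosted:", ", ".join(r["cohosted"]))
        print("  shared NS:", ", ".join(r["shared_ns"]))
```

The practical consequence for a blocklist: the casino domains and, given the self-hosted cluster, the address can all go in; for the fireboys.com address, block the domain and treat the other names on that IP as shared-hosting neighbours unless something beyond co-location ties them in.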




DHL and UPS Spam Includes Trojan SPYEYE

13 01 2011

We are getting reports of some of our readers receiving spam that includes the Trojan SPYEYE and Bot attack. The payload will attempt to connect to malicious sites to download updated Trojan and backdoor files.

The Spam includes zip files and may use subjects referring to DHL and UPS deliveries.

Also, our friends at McAfee are detecting the malware as Generic.bfr!a!BC834E044192.

Good Luck!

<Payload>

  • DHL-01122011-TRACKING.exe
  • UNITED_PARCEL_SERVICE-TRK-CP01132011.zip

The Following files have been added to the system:

  • %TEMP%\512011.dmp
  • %APPDATA%\Xibox\ikgyq.uho
  • %APPDATA%\Xibox\ikgyq.tmp
  • %TEMP%\510034.dmp
  • %TEMP%\tmpebbcaf51.bat
  • %APPDATA%\Afufd\xaymk.exe

The applications attempted the following malware connection(s):

  • 91.200.188.191
  • blogspotstone.com
  • hxxp://www.blogspotstone.com/*****
  • fingertoblog.com
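The two payload names above show the lure pattern: an attachment named like a courier tracking file, a zip with an executable inside. The following Python script is an added example, not code from the original post or from McAfee. It builds a constructed message modelled on the post (the bytes inside are placeholder text, not a program), then inspects every attachment, opens zip archives in memory and flags members with executable extensions. It goes one step beyond the post by also flagging the double-extension trick (tracking.pdf.exe, a constructed member name).

```python
"""Inspect mail attachments for archived executables (added example)."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl"}
# Document-looking extensions used as the first half of a double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".jpeg", ".png", ".txt"}


def classify(name):
    """Return the reasons a file name is suspicious (empty list if none)."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + ext)
        inner = os.path.splitext(stem)[1]
        if inner in DECOY_EXT:
            reasons.append("double extension, disguised as " + inner)
    return reasons


def inspect_attachment(filename, data):
    """(attachment, member, reason) for the attachment itself and, if it is a
    zip archive, for every member inside it. Member names are readable even
    in password-protected zips, since zip encryption covers only the data."""
    findings = [(filename, None, r) for r in classify(filename)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    findings += [(filename, info.filename, r)
                                 for r in classify(info.filename)]
        except zipfile.BadZipFile:
            findings.append((filename, None, "archive fails to parse"))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message and inspect each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += inspect_attachment(name, data)
    return findings


def build_sample_message():
    """Constructed lure modelled on the post: a zip named like a UPS tracking
    file holding an .exe, plus a bare DHL-named .exe. Payload bytes are
    placeholder text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("UNITED_PARCEL_SERVICE-TRK-CP01132011.exe", b"placeholder, not a program")
        zf.writestr("tracking.pdf.exe", b"placeholder, not a program")  # constructed
        zf.writestr("readme.txt", b"benign text member")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "noreply@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "UPS Delivery Notification"
    msg.set_content("Please find your tracking information attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="UNITED_PARCEL_SERVICE-TRK-CP01132011.zip")
    msg.add_attachment(b"placeholder, not a program", maintype="application",
                       subtype="octet-stream", filename="DHL-01122011-TRACKING.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for att, member, reason in inspect_message(build_sample_message()):
        print(f"{att} :: {member or '-'} :: {reason}")
```

At a mail gateway this is the check that stops the lure before any signature such as Generic.bfr exists for the sample; a stricter policy rejects every archive that contains an executable member regardless of how it is named. Nested archives are not descended into here and would need a recursive call on each zip member.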




zBOT points to Russia

11 01 2011

One of our poor readers has a Windows 7.0 machine that is dialing back to a site in the Russian Federation!

The process logs show IP 194.63.144.81. We have flagged the site as a Trojan Zbot/ZeuS Attack.

The poor reader ran his favorite AV program but it is not detecting anything.

Here is the Solution: Kill the Machine and Re-image!

Malware Site: 194.63.144.81

----------< Snip>----------

Trace IP 194.63.144.81
15   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.242]
16   190 ms   190 ms   190 ms  tele-1-gw.sth.runnet.ru [194.85.40.174]
17   190 ms   190 ms   190 ms  b57-1-gw.spb.runnet.ru [194.85.40.129]
18   190 ms   190 ms   190 ms  m9-1-gw.msk.runnet.ru [194.85.40.133]
19   190 ms   190 ms   190 ms  m9-2-gw.msk.runnet.ru [194.85.40.214]
20   213 ms   211 ms   212 ms  vline.msk.runnet.ru [194.190.254.218]
21   211 ms   212 ms   218 ms  109.196.132.14
22   271 ms   279 ms   265 ms  194.63.144.81

Host Info:

  • inetnum:    194.63.144.0 – 194.63.147.255
  • netname:    PROMIRANET
  • descr:    LLC Promiranetru
  • country:    RU (Russian Federation)

This IP is Blacklisted

Google shows us the Malware Host “tele-1-gw.sth.runnet.ru” with a few suspicious sites!
1. http://www.Pereplet.ru

2. hxxp://orwell.ru/a_life/lords100/russian/r_lbk 3. http://eyecenter.com.ua/doctor/virus/59.htm …. 9 tele-1-gw.sth.runnet.ru (194.85.40.174), 162.326 ms …
3. http://www.Macvspc.ru
read more hxxp://www.macvspc.ru/macintosh-virus-free.html P.S.
bizinformatsiya.ru/www.macvspc.ru – Cached
3. http://www.Softogen.ru
… “Kaspersky Virus Removal Tool 900722 10122010 Portable Rus”, …
bizinformatsiya.ru/www.softogen.ru – Cached
Show more results from bizinformatsiya.ru
4. http://www.Gfxstuff.ws
-815349,gfxstuff.ws 815350,rmoms.net 815351,stop-virus-070.com 815352,granfondo.com.au 815353 …

Good Luck!