Once a host is infected it starts sending out pharmspam. The host checks in here:
91.207.4.26/spm/s_alive.php?id=465685358604&tick=4280384&ver=102&smtp=ok
Gets email address list along with spam subject/body:
91.207.4.26/spm/s_tasks.php?id=465685358604&ver=102
...snip...
<text>
From:VIAGRA.INC<suport@mkanmz.viagra.com>
Subject:### long sex! ###
MIME-Version: 1.0
Importance: High
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Drug Online Your discount
Looks like : Small blue diamond-shaped pills http://canadian.zxohiyoy.cn
</text>
...snip...
Various domains used in spam body. All prepended with canadian (seems like more good ol' pharmspam). All resolve to 222.186.13.57 (APNIC).
crobeziq.cn
htumiwex.cn
wdehiqeb.cn
xkigokon.cn
zxohiyoy.cn
The above IPs/domains aren't in the list yet so thought I would share.
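
One way to flag this traffic in web proxy logs, added here as an example that is not part of the original post. The log line layout (client, method, URL), the client addresses and the reading of the query parameters are assumptions; the request paths and the canadian.*.cn naming come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths taken from the two requests in the post.
CHECKIN = re.compile(r"^/spm/s_(alive|tasks)\.php$")
# "canadian" prepended to a .cn domain, as described in the post.
SPAM_HOST = re.compile(r"^canadian\.[a-z]+\.cn$")

def classify(url):
    """Return a finding dict for a requested URL, or None if nothing matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    m = CHECKIN.match(parts.path)
    if m:
        q = parse_qs(parts.query)
        bot_id = q.get("id", [""])[0]
        ver = q.get("ver", [""])[0]
        # Both requests in the post carry numeric id and ver parameters.
        if bot_id.isdigit() and ver.isdigit():
            return {"kind": "c2_" + m.group(1), "host": host,
                    "bot_id": bot_id, "ver": ver,
                    "smtp": q.get("smtp", [None])[0]}
    if SPAM_HOST.match(host):
        return {"kind": "spam_landing", "host": host}
    return None

def scan(lines):
    """Map each client address to the sorted kinds of findings seen for it."""
    hits = {}
    for line in lines:
        fields = line.split(None, 2)
        if len(fields) != 3:
            continue  # not in the assumed "client method url" layout
        client, _method, url = fields
        finding = classify(url.strip())
        if finding:
            hits.setdefault(client, set()).add(finding["kind"])
    return {client: sorted(kinds) for client, kinds in hits.items()}

# Constructed sample log; the client addresses are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET http://91.207.4.26/spm/s_alive.php?id=465685358604&tick=4280384&ver=102&smtp=ok",
    "10.0.0.5 GET http://91.207.4.26/spm/s_tasks.php?id=465685358604&ver=102",
    "10.0.0.9 GET http://canadian.zxohiyoy.cn/",
    "10.0.0.7 GET http://example.com/spm/index.php?id=1",
]

if __name__ == "__main__":
    for client, kinds in scan(SAMPLE_LOG).items():
        print(client, kinds)
```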