Author Topic: [E-mail] central.rj.gov.br  (Read 7133 times)


May 29, 2008, 11:09:39 pm

MysteryFCM

Can't understand a bleedin' word of the e-mail, but the link points to:

http://www.central.rj.gov.br/Downloads/Ativando-email.exe

Detected by AntiVir as Tr/Crypt.CFI.Gen

Code:
Exported by: prjOutlookExport v0.0.11


From: SUPORTE_HOTMAIL_LIVE.COM@aurora2.hosting4less.com
E-mail:SUPORTE_HOTMAIL_LIVE.COM@aurora2.hosting4less.com [ 208.84.112.12 - aurora2.hosting4less.com ]
Date: 29/05/2008 23:41:37
Subject: PROBLEMAS COM SEU EMAIL
**************************************************************************
Links
**************************************************************************

Link: http://h.live.com/c.gif?RF=&PI=44280&DI=5709&PS=94669
Domain: h.live.com
IP: 65.55.206.9 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif
Domain: gfx2.mail.live.com
IP: 86.53.218.130 [ host130.akamai-thn.cust.telecomplete.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-left-WL-Hotmail.jpg
Domain: gfx1.mail.live.com
IP: 86.53.218.130 [ host130.akamai-thn.cust.telecomplete.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-right.jpg
Domain: gfx1.mail.live.com
IP: 86.53.218.49 [ host49.akamai-thn.cust.telecomplete.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://www.central.rj.gov.br/Downloads/Ativando-email.exe
Domain: www.central.rj.gov.br
IP: 200.156.39.3 [ Resolution failed ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false

Link: http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/mglass.jpg
Domain: gfx2.mail.live.com
IP: 86.53.218.49 [ host49.akamai-thn.cust.telecomplete.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: false


**************************************************************************
Text Version (translated from Portuguese; the HTML Version below is the untranslated original)
**************************************************************************
 <http://h.live.com/c.gif?RF=&PI=44280&DI=5709&PS=94669>
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif> <http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-left-WL-Hotmail.jpg>
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif> Notice of Cancellation of your Email!
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
Dear user,
We have identified that your account is being accessed by third parties and is sending viruses, spam and malicious e-mail to other members of the Hotmail community.

For this reason we will have to disable your account unless you take the security measures below:

 <http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-right.jpg>
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
Security Measures:
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
1) Download and run the security file to remove any malicious agents present on your computer;
(Click beside), click here <http://www.central.rj.gov.br/Downloads/Ativando-email.exe> )

2) After doing this your computer will be better protected, but we still recommend that you change your e-mail password.

.  <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>

 And there's much more news<http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/mglass.jpg> Important!
 <http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
Never give your password to anyone, and stay alert for new updates to our protections.

Windows Live Hotmail. Fast, simple and safer than ever.
Living is good.

Sincerely,
Windows Live Hotmail Team


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>&nbsp;&lt;<A HREF="http://h.live.com/c.gif?RF=&PI=44280&DI=5709&PS=94669">http://h.live.com/c.gif?RF=&PI=44280&DI=5709&PS=94669</A>&gt;<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;<A HREF="http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-left-WL-Hotmail.jpg">http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-left-WL-Hotmail.jpg</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Aviso do Cancelamento de seu Email!<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt;<BR>
Caro usuário,<BR>
Identificamos que sua conta está tendo acesso por terceiros e enviando vírus, spam e e-mail maliciosos à outros membros da comunidade Hotmail.<BR>
<BR>
Devido tal motivo nós teremos que Inabilitar sua conta caso o senhor(a) não tome as medidas de segurança abaixo:<BR>
<BR>
&nbsp;&lt;<A HREF="http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-right.jpg">http://gfx1.mail.live.com/mail/w1/ltr/welcomeletter/header-right.jpg</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
Medidas de Segurança:<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt;<BR>
1)Baixe e execute o arquivo de segurança para eliminar possíveis agentes maliciosos contidos em seu computador;<BR>
(Clique ao Lado), clique aqui &lt;<A HREF="http://www.central.rj.gov.br/Downloads/Ativando-email.exe">http://www.central.rj.gov.br/Downloads/Ativando-email.exe</A>&gt; )<BR>
<BR>
2) Após ter feito isso seu computador estará mais protegido, mas ainda recomendamos que altere a senha de seu email.<BR>
<BR>
.&nbsp; &lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt;<BR>
<BR>
&nbsp;E tem muito mais novidades&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/mglass.jpg">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/mglass.jpg</A>&gt; &nbsp;&nbsp;&nbsp; Importante!<BR>
&nbsp;&lt;<A HREF="http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif">http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif</A>&gt;<BR>
Nunca passe sua senha para ninguém, e fique atento(a) à novas atualizações de nossas proteções.<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
Windows Live Hotmail. Rápido, simples e mais seguro do que nunca.<BR>
Viver é bom.<BR>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<BR>
Atenciosamente,<BR>
Equipe do Windows Live Hotmail&nbsp;<BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <apache@aurora2.hosting4less.com>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-164.livemail.co.uk (Postfix) with SMTP id E9D6EEE80A6
for <services@it-mate.co.uk>; Thu, 29 May 2008 23:57:17 +0100 (BST)
Received: from aurora2.hosting4less.com (aurora2.hosting4less.com [208.84.112.12])
by smtp-in-164.livemail.co.uk (Postfix) with ESMTP id 7555AEE80A6
for <services@it-mate.co.uk>; Thu, 29 May 2008 23:57:17 +0100 (BST)
Received: from aurora2.hosting4less.com (localhost [127.0.0.1])
by aurora2.hosting4less.com (8.13.1/8.13.1) with ESMTP id m4TMfbTH021187
for <services@it-mate.co.uk>; Thu, 29 May 2008 15:41:37 -0700
Received: (from apache@localhost)
by aurora2.hosting4less.com (8.13.1/8.13.1/Submit) id m4TMfbIf021178;
Thu, 29 May 2008 15:41:37 -0700
Date: Thu, 29 May 2008 15:41:37 -0700
Message-Id: <200805292241.m4TMfbIf021178@aurora2.hosting4less.com>
To: services@it-mate.co.uk
Subject: PROBLEMAS COM SEU EMAIL
X-PHP-Script: apexweddingfavors.com/index.php for 201.2.22.82
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: <SUPORTE_HOTMAIL_LIVE.COM@aurora2.hosting4less.com>
X-Original-To: services@it-mate.co.uk


Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
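The export above only checks each link against hpHosts, MDL and PhishTank; the headers carry the stronger signals. The From: claims to be Hotmail support but sits on aurora2.hosting4less.com, the Return-Path is the web server's apache user, and the X-PHP-Script line (a header the PHP mail() patch on many shared hosts adds) says the message was generated by apexweddingfavors.com/index.php for a client at 201.2.22.82, which suggests an abused web site rather than the spammer's own mail server. The script below is an added example, not part of the post and not prjOutlookExport's code: it pulls those signals out of the raw message and buckets the links, so the single executable on www.central.rj.gov.br stands out from the genuine Hotmail image assets the lure borrows. The message it parses is a trimmed copy of the headers and body from the post; the BRAND_DOMAINS allow-list is an assumption made for this lure.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions that a genuine "security notice" would never link to directly.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Domains a brand legitimately sends from and links to. Assumption: a short
# allow-list is enough for this one lure; a real filter would carry a larger one.
BRAND_DOMAINS = {"hotmail": ("hotmail.com", "live.com")}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
XPHP_RE = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
RECV_FROM_RE = re.compile(r"^from\s+([^\s)]+)", re.IGNORECASE)

# Headers and body copied (trimmed) from the exported e-mail in the post above.
RAW_MESSAGE = """Return-Path: <apache@aurora2.hosting4less.com>
Received: from aurora2.hosting4less.com (aurora2.hosting4less.com [208.84.112.12])
 by smtp-in-164.livemail.co.uk (Postfix) with ESMTP id 7555AEE80A6
 for <services@it-mate.co.uk>; Thu, 29 May 2008 23:57:17 +0100 (BST)
Received: (from apache@localhost)
 by aurora2.hosting4less.com (8.13.1/8.13.1/Submit) id m4TMfbIf021178;
 Thu, 29 May 2008 15:41:37 -0700
Subject: PROBLEMAS COM SEU EMAIL
X-PHP-Script: apexweddingfavors.com/index.php for 201.2.22.82
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: <SUPORTE_HOTMAIL_LIVE.COM@aurora2.hosting4less.com>
To: services@it-mate.co.uk

Aviso do Cancelamento de seu Email!
1) Baixe e execute o arquivo de seguranca:
<http://www.central.rj.gov.br/Downloads/Ativando-email.exe>
<http://gfx2.mail.live.com/mail/w1/ltr/welcomeletter/spacer.gif>
"""


def received_chain(msg: Message) -> list:
    """'from' host of each Received: hop, top (nearest to us) first.
    Only the hop written by our own MX is trustworthy; every hop below it was
    written by the sending system and can be forged."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECV_FROM_RE.match(" ".join(hdr.split()).lstrip("("))
        if m:
            hops.append(m.group(1))
    return hops


def php_script_origin(msg: Message):
    """X-PHP-Script names the web script that called mail() and the client IP
    that requested it. Returns (script, client_ip) or None."""
    value = msg.get("X-PHP-Script")
    if not value:
        return None
    m = XPHP_RE.match(value.strip())
    return (m.group("script"), m.group("ip")) if m else None


def sender_brand_mismatch(msg: Message):
    """A From: whose display name or local part names a brand but whose domain
    is not one that brand uses. Returns (brand, actual_domain) or None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    haystack = f"{name} {addr}".lower()
    for brand, domains in BRAND_DOMAINS.items():
        on_brand = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in haystack and not on_brand:
            return brand, domain
    return None


def classify_links(body: str, lure_brand: str) -> dict:
    """Bucket every URL in the body: direct executables, hosts outside the
    brand's domains, and on-brand assets (here, the real Hotmail images)."""
    out = {"executable": [], "off_brand": [], "on_brand": []}
    allowed = BRAND_DOMAINS.get(lure_brand, ())
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        on_brand = any(host == d or host.endswith("." + d) for d in allowed)
        if parts.path.lower().endswith(EXEC_EXTENSIONS):
            out["executable"].append(url)
        elif not on_brand:
            out["off_brand"].append(url)
        else:
            out["on_brand"].append(url)
    return out


def triage(raw: str, lure_brand: str = "hotmail") -> dict:
    msg = message_from_string(raw)
    # Single-part message here; a real tool walks msg.walk() and decodes each part.
    body = "" if msg.is_multipart() else msg.get_payload()
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "hops": received_chain(msg),
        "php_origin": php_script_origin(msg),
        "sender_mismatch": sender_brand_mismatch(msg),
        "links": classify_links(body, lure_brand),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Two caveats when using this on other samples: the Received: chain is only reliable down to the hop your own MX wrote, and X-PHP-Script is absent on hosts without that patch, so its absence proves nothing.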

May 30, 2008, 04:40:44 pm
Reply #1

JohnC

Thanks, this may have been cleaned up.

May 30, 2008, 04:48:15 pm
Reply #2

MysteryFCM

Payload is still there as of a couple seconds ago?

May 30, 2008, 05:36:37 pm
Reply #3

JohnC

I'm not sure why it wasn't working earlier. Thanks, got the payload :)

May 30, 2008, 05:45:07 pm
Reply #4

MysteryFCM


June 01, 2008, 07:21:14 am
Reply #5

tjs

Hey folks, just FYI: this is a dropper with a big (4 MB+) payload.

http://www.central.rj.gov.br/Downloads/Ativando-email.exe (md5: 85815c7838ceafe6dc027aa727e4c4c6)

downloads:
http://www.central.rj.gov.br/Downloads/doc.exe (md5: f8520f303070c3f3c0f591f214777b57)

TJS
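tjs's note gives the md5 of the dropper and of the doc.exe it fetches. Below is an added example, not tjs's tooling and not code from the page, of the first offline pass on such a sample: hash it, compare the md5 against the IOCs posted in this thread, confirm it is a PE file, and scan it for ASCII and UTF-16LE URLs, the form in which a Win32 dropper that calls URLDownloadToFile typically carries its second-stage address when it is not obfuscated. Nothing on this page says how the real Ativando-email.exe stores its URL, and the Tr/Crypt family name AntiVir gave it suggests a crypter, so on the real sample this string scan may only succeed after unpacking. The sample the script builds is constructed for the example: it is not the real file, so its md5 will not match, and the second URL's host is a placeholder.

```python
import hashlib
import re
import sys

# IOCs exactly as reported in the thread above (only md5 was given there).
KNOWN_MD5 = {
    "85815c7838ceafe6dc027aa727e4c4c6": "Ativando-email.exe (dropper)",
    "f8520f303070c3f3c0f591f214777b57": "doc.exe (second stage)",
}

# Plain ASCII URL, and the same thing as UTF-16LE (every char followed by NUL),
# which is how a wide-string argument to URLDownloadToFileW sits in the binary.
ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
WIDE_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def hashes(data: bytes) -> dict:
    """md5 to match the thread's IOCs; sha256 because md5 is collision-prone
    and should not be the only identifier in your own records."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_ioc(data: bytes):
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def is_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_urls(data: bytes) -> list:
    """ASCII and UTF-16LE URLs in file order, de-duplicated."""
    hits = [(m.start(), m.group(0).decode("ascii")) for m in ASCII_URL_RE.finditer(data)]
    hits += [(m.start(), m.group(0).decode("utf-16-le")) for m in WIDE_URL_RE.finditer(data)]
    seen, urls = set(), []
    for _, url in sorted(hits):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def triage_sample(data: bytes) -> dict:
    return {"pe": is_pe(data), "hashes": hashes(data),
            "ioc": match_ioc(data), "urls": extract_urls(data)}


def build_sample() -> bytes:
    """Constructed stand-in: a bare MZ/PE header and two embedded strings.
    Not the real Ativando-email.exe (so its md5 will not match KNOWN_MD5);
    the second URL's host is a hypothetical placeholder."""
    header = bytearray(0x84)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")
    header[0x80:0x84] = b"PE\x00\x00"
    narrow = b"http://www.central.rj.gov.br/Downloads/doc.exe"
    wide = "http://example.invalid/stage2.bin".encode("utf-16-le")
    return bytes(header) + b"\x00" * 16 + narrow + b"\x00" * 16 + wide + b"\x00" * 16


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage_sample(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to hash a real sample (inside an isolated VM, never on the analysis host's own OS). A match in KNOWN_MD5 tells you it is the exact file discussed here; no match says nothing, since a repacked build of the same dropper gets a new hash, which is why the URL scan is worth more than the hash for spotting the next variant.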

June 01, 2008, 08:53:00 pm
Reply #6

JohnC
