Author Topic: Alert: Yet more malicious Microsoft e-mails  (Read 2658 times)

0 Members and 1 Guest are viewing this topic.

August 06, 2009, 09:09:48 am
Read 2658 times

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Following on from the previous Microsoft e-mail botnet;

http://hphosts.blogspot.com/2009/08/yab-yet-another-botnet-microsoft.html

.. I'm now receiving several e-mails pointing to worm infections hosted on RapidShare, going through king.cd

http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 19, 2009, 11:10:44 pm
Reply #1

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Quote
91.207.116.22 is located on a Rushkranian block, apparently owned by Rise-v Ltd, which was also the source of the exploit at kervinly.com.

Today we've seen more of these fake Microsoft e-mails. I have checked the file at the given url
hxxp://update.microsoft.com.vciii.net/microsoftofficeupdate/isapdl/de.aspx/officexp-KB910721-FullFile-ENU.exe

It downloads a Zbot trojan from domain shipal.eu at the known ip 91.207.116.22.
http://www.virustotal.com/analisis/20bdac97d430bcb74805f94faefdf5e6424b38f00bd61e97372c0fc17c5c6a8b-1250721169 17/41

Therefore I have checked what else can be found at this host.

Here is the list:

http://www.malwaredomainlist.com/mdl.php?search=91.207.116.22&colsearch=All&quantity=50
Ruining the bad guy's day

August 19, 2009, 11:14:59 pm
Reply #2

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net