Hi,
From a spam mail:
Return-Path: <Raquel-kalmbach@rhldesign.com>
X-Original-To: postmaster@xxx.de
Delivered-To: postmaster@xxx.de
Received: from 87.68.106.14.cable.012.net.il (unknown [87.68.106.14])
    by family.xxx.de (Postfix) with ESMTP id 7412B9FA00EA
    for <postmaster@xxx.de>; Tue, 15 Jul 2008 00:42:22 +0200 (CEST)
To: postmaster@xxx.de
Subject: Michael Jackson dies in bed
From: Giventer <Raquel-kalmbach@rhldesign.com>
Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Tue, 15 Jul 2008 01:42:17 +0300
Message-ID: <qi.dhhxgdpgbfwbia@sarid>
User-Agent: Opera Mail/9.50 (Win32)
X-DSPAM-Result: Spam
X-DSPAM-Processed: Tue Jul 15 00:42:23 2008
X-DSPAM-Confidence: 0.6941
X-DSPAM-Probability: 1.0000
X-DSPAM-Signature: 487bd64f139585120455541

Floods in Bahamas claims hundreds of lives
http://wiptrial.wz.cz/main.html
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

hxxp://wiptrial.wz.cz/main.html
loads in an iframe:
hxxp://wiptrial.wz.cz/00.html
which serves an MDAC exploit, with the payload:
hxxp://wiptrial.wz.cz/view.exe (md5sum: b14972728100f240ef92d463d7175eba)
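
A header triage over the message quoted above, as an added example that is not part of the original post: it reads the relay details from the Received line written by the receiving Postfix server and defangs body links the way the post does. The flag names and the three heuristics are assumptions of this example, and the parsing assumes the `from HELO (rDNS [IP])` layout seen in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the message quoted in the post (folded Received restored).
SAMPLE = """\
Return-Path: <Raquel-kalmbach@rhldesign.com>
Received: from 87.68.106.14.cable.012.net.il (unknown [87.68.106.14])
\tby family.xxx.de (Postfix) with ESMTP id 7412B9FA00EA
\tfor <postmaster@xxx.de>; Tue, 15 Jul 2008 00:42:22 +0200 (CEST)
From: Giventer <Raquel-kalmbach@rhldesign.com>
Subject: Michael Jackson dies in bed

Floods in Bahamas claims hundreds of lives
http://wiptrial.wz.cz/main.html
"""

# Postfix layout: from <HELO name> (<verified rDNS or "unknown"> [<client IP>])
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw):
    """Return relay details, heuristic flags and defanged URLs for one message."""
    msg = message_from_string(raw)
    # The topmost Received header is the one our own MTA wrote, so it is the
    # only hop whose client IP can be trusted.
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if m is None:
        return {"relay_ip": None, "helo": None, "flags": ["unparsed_received"], "urls": []}
    helo, rdns, ip = m.groups()
    sender_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    flags = []
    if rdns == "unknown":
        flags.append("no_verified_rdns")       # Postfix could not confirm a PTR name
    if ip in helo:
        flags.append("helo_embeds_ip")         # typical of dynamic/consumer address pools
    if sender_domain and not helo.lower().endswith(sender_domain):
        flags.append("sender_domain_not_relay")  # weak signal on its own
    # Defang links the same way the post does (hxxp) before they go in a report.
    urls = [u.replace("http", "hxxp", 1) for u in URL_RE.findall(msg.get_payload())]
    return {"relay_ip": ip, "helo": helo, "flags": flags, "urls": urls}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```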