Author Topic: PharmSpam Domains  (Read 2845 times)

0 Members and 1 Guest are viewing this topic.

August 25, 2009, 08:57:47 pm
Read 2845 times

eoin.miller

  • Sr. Member

  • Offline
  • ****

  • 179
Once host is infected it starts sending out pharmspam, the host checks in here:
91.207.4.26/spm/s_alive.php?id=465685358604&tick=4280384&ver=102&smtp=ok

Gets email address list along with spam subject/body:
91.207.4.26/spm/s_tasks.php?id=465685358604&ver=102

...snip...
<text>
From:VIAGRA.INC<suport@mkanmz.viagra.com>
Subject:###  long sex! ###
MIME-Version: 1.0
Importance: High
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Drug Online Your discount
Looks like : Small blue diamond-shaped pills  http://canadian.zxohiyoy.cn
</text>
...snip...


Various domains used in spam body. All prepended with canadian (seems like more good ol pharmspam). All resolve to 222.186.13.57 (APNIC).

crobeziq.cn
htumiwex.cn
wdehiqeb.cn
xkigokon.cn
zxohiyoy.cn

The above IP's/domains aren't in the list yet so thought I would share.