Author Topic: ecard.exe & postcard.exe > 133.50.98.154  (Read 4358 times)


March 14, 2008, 04:48:29 am

MysteryFCM

Haven't checked it out yet (backup machine just had its mobo die, so been concentrating on that), but this just came through via e-mail;

Code:
Exported by: prjOutlookExport v0.0.8


From: price@yahoo.com
E-mail:price@yahoo.com [ 66.94.234.13 - w2.rc.vip.scd.yahoo.com ]
Date: You have one new ecard waiting!
Subject: sgb@it-mate.co.uk
**************************************************************************
Links
**************************************************************************

Link: http://133.50.98.154/
Domain: 133.50.98.154
IP: 133.50.98.154 [ diky01.pharm.hokudai.ac.jp ]
hpHosts Status: Skipped by user
MDL Status: Skipped by user


**************************************************************************
Text Version
**************************************************************************
This Funny Ecard has been sent to you http://133.50.98.154/


**************************************************************************
HTML Version
**************************************************************************
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7036.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->

<P><FONT SIZE=2>This Funny Ecard has been sent to you <A HREF="http://133.50.98.154/">http://133.50.98.154/</A><BR>
</FONT>
</P>

</BODY>
</HTML>

**************************************************************************
Headers
**************************************************************************
Return-Path: <price@yahoo.com>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
by smtp-in-134.livemail.co.uk (Postfix) with SMTP id 0E4983CD2B8
for <services@it-mate.co.uk>; Fri, 14 Mar 2008 04:45:02 +0000 (GMT)
Received: from 141-115-201-123.static.youtele.com (unknown [123.201.115.141])
by smtp-in-134.livemail.co.uk (Postfix) with SMTP id ED1293CD2B8
for <sgb@it-mate.co.uk>; Fri, 14 Mar 2008 04:45:00 +0000 (GMT)
Received: from [106.42.193.109] (helo=cyr)
by 141-115-201-123.static.youtele.com with smtp (Exim 4.62 (FreeBSD))
id 1Kf%g-0001gB-LY; Fri, 14 Mar 2008 10:15:48 +0530
Message-ID: <003101c8858e$23ed3ea0$6dc12a6a@cyr>
From: <price@yahoo.com>
To: <sgb@it-mate.co.uk>
Subject: You have one new ecard waiting!
Date: Fri, 14 Mar 2008 10:14:51 +0530
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1252";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Original-To: sgb@it-mate.co.uk



Code:
*****************************************************************
vURL Desktop Edition v0.2.8 Results
Source code for: http://133.50.98.154/
Server IP: 133.50.98.154 [ diky01.pharm.hokudai.ac.jp ]
hpHosts Status: Not Listed
MDL Status: Not Listed
Date: 14 March 2008
Time: 04:45:55:45
*****************************************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Refresh" content="5; URL=ecard.exe">
<title>FunnyPostcard.Com</title>
<body>
<center>
<a href="postcard.exe"><img src="funny_postcards.gif" border="0"><br></a><br>
Your download will start in 5 seconds.<br>
If your download does not start, <br>
<a href="e-card.exe">click here</a> and then press "Run".
<br><br>
&copy2000-2008 FunnyPostCard.com - All rights reserved.
</center>
</body>
</html>
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
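Two things in the post above are worth automating when triaging a lure like this: the landing page's meta refresh and links that point straight at executables (ecard.exe, postcard.exe, e-card.exe), and the Received chain in the headers, where the bottom-most hop (the host that spoke to the youtele.com relay) is the real origin of the message. The following is an added example, not part of the original post and not code from vURL or prjOutlookExport. The HTML and headers are copied from the post into constructed strings so the script runs offline; the list of "executable" extensions and the loopback/private-address filter are assumptions of the example.

```python
"""Triage helpers for an e-card lure: flag executable download targets in a
captured landing page and walk the Received chain back to the first hop."""
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser

# Landing page as captured by vURL in the post above (constructed copy).
LANDING_PAGE = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta http-equiv="Refresh" content="5; URL=ecard.exe">
<title>FunnyPostcard.Com</title>
<body>
<center>
<a href="postcard.exe"><img src="funny_postcards.gif" border="0"><br></a><br>
Your download will start in 5 seconds.<br>
If your download does not start, <br>
<a href="e-card.exe">click here</a> and then press "Run".
<br><br>
&copy2000-2008 FunnyPostCard.com - All rights reserved.
</center>
</body>
</html>"""

# Headers from the post, re-folded with leading spaces (constructed copy).
RAW_HEADERS = """Return-Path: <price@yahoo.com>
Delivered-To: services@it-mate.co.uk
Received: from Postfix filter 42a77884ce2a0a03efc6bb50a6dcdb21 (localhost.localdomain [127.0.0.1])
    by smtp-in-134.livemail.co.uk (Postfix) with SMTP id 0E4983CD2B8
    for <services@it-mate.co.uk>; Fri, 14 Mar 2008 04:45:02 +0000 (GMT)
Received: from 141-115-201-123.static.youtele.com (unknown [123.201.115.141])
    by smtp-in-134.livemail.co.uk (Postfix) with SMTP id ED1293CD2B8
    for <sgb@it-mate.co.uk>; Fri, 14 Mar 2008 04:45:00 +0000 (GMT)
Received: from [106.42.193.109] (helo=cyr)
    by 141-115-201-123.static.youtele.com with smtp (Exim 4.62 (FreeBSD))
    id 1Kf%g-0001gB-LY; Fri, 14 Mar 2008 10:15:48 +0530
Message-ID: <003101c8858e$23ed3ea0$6dc12a6a@cyr>
From: <price@yahoo.com>
To: <sgb@it-mate.co.uk>
Subject: You have one new ecard waiting!
Date: Fri, 14 Mar 2008 10:14:51 +0530
"""

# Extensions treated as "drops a program on the user" (example's own choice).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class DownloadLureParser(HTMLParser):
    """Collect meta-refresh destinations and anchor hrefs from a page."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.link_targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1))
        elif tag == "a" and a.get("href"):
            self.link_targets.append(a["href"])


def find_executable_targets(html):
    """Return (kind, target) pairs whose path ends in an executable extension."""
    p = DownloadLureParser()
    p.feed(html)
    p.close()
    flagged = []
    for kind, targets in (("refresh", p.refresh_targets), ("link", p.link_targets)):
        for t in targets:
            path = t.split("?", 1)[0].split("#", 1)[0].lower()
            if path.endswith(EXECUTABLE_EXTENSIONS):
                flagged.append((kind, t))
    return flagged


def received_hops(raw_headers):
    """Parse Received headers into hops, oldest (closest to the sender) first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        from_part = value.split(" by ", 1)[0]      # everything before the relay
        by_m = re.search(r"\bby\s+(\S+)", value)
        ips = IPV4.findall(from_part)
        hops.append({"from": from_part, "from_ip": ips[0] if ips else None,
                     "by": by_m.group(1) if by_m else None})
    hops.reverse()  # headers are prepended, so the last one is the first hop
    return hops


def origin_ip(hops):
    """First public, non-loopback sender address in the chain, or None."""
    for hop in hops:
        ip = hop["from_ip"]
        if ip and not (ipaddress.ip_address(ip).is_loopback
                       or ipaddress.ip_address(ip).is_private):
            return ip
    return None


if __name__ == "__main__":
    for kind, target in find_executable_targets(LANDING_PAGE):
        print(f"executable via {kind}: {target}")
    hops = received_hops(RAW_HEADERS)
    for hop in hops:
        print(f"{hop['from_ip']} -> {hop['by']}")
    print("origin:", origin_ip(hops))
```

Run as-is it flags ecard.exe (refresh), postcard.exe and e-card.exe (links), lists the three hops from 106.42.193.109 through the youtele.com relay to livemail's Postfix filter, and reports 106.42.193.109 as the origin; the last Received line a receiving server wrote is the only one it vouches for, so anything below it in the chain is taken on trust.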

March 14, 2008, 01:58:49 pm
Reply #1

JohnC

Not up at the moment, but with the storm infected hosts, they are often up and down. So there is a good chance it will be back online soon.

March 14, 2008, 03:52:01 pm
Reply #2

cjeremy

This is one of the ~71,000 IPs I have in my list for Storm Worm Web servers...  I have seen it as recently as earlier this morning, in the fast flux DNS records.  ;)

I don't have it in my binaries collection, though :(