The mail is delivered with three distinct subjects so far:
A copycat spammer is using headlines:
BBC NEWS.
Weekly BBC NEWS.
Your subscription.
to send spam messages claiming a headline that the President of
Georgia is gay.
The Headlines within the email message choose from:
Mikheil Saakashvili gay scandal! New of this week!
Saakashvili have a funny woman organ (pu..sy)! see it!
Funny Saakashvili gay video...See now!Sensation!
Sensation! president of Georgia... GAY! See now!
Last news! Saakashvili (president of Georgia) the gay!
President of Georgia - intim (GAY) video! see now!
The spams contain a linked image of the President from the BBC:
We've received 300+ copies so far . . .
Malware loads from these locations:
http://194.30.13.57/upload1/upload.php
http://aguadodecea.com/upload1/upload.php
http://elitezeitung.de/upload1/upload.php
http://farmaciacardelus.com/upload1/upload.php
http://freeweb.8k.ro/upload1/upload.php
http://hespistani.com/upload1/upload.php
http://magicweb.es/upload1/upload.php
http://marpersa.110mb.com/upload1/upload.php
http://miami-fitness.de/upload1/upload.php
http://outragerecords.com/upload1/upload.php
http://pendulumsandmore.com/upload1/upload.php
http://thecar.fr/upload1/upload.php
http://transporter.tv/upload1/upload.php
http://vishalkullarwar.com/upload1/upload.php
http://www.oris-uk.com/upload1/upload.php
http://xrevolution.de/upload1/upload.php
All of those locations actually cause the virus to be delivered from a single location, the IP address:
79.135.167.49
The name of the malware is "name.avi.exe", and at the moment, only FOUR out of 36 anti-virus products detect it.
Clearly the spam is from someone who doesn't have a solid command on the English language.
So far the emails have been received from more than 40 IP addresses. Spot-checking these IP addresses for previous spam activity finds nothing in the UAB Spam Data Mine, suggesting these machines are not part of a previously used spamming botnet.
58.186.135.166 - Vietnam
59.180.133.160 - India
64.25.16.52 - JetBlue Airways, Salt Lake City, Utah
65.109.64.212 - ADVA Technologies, Sandhurst, GB
65.17.231.160 - Cable Bahamas
65.75.75.34 - Alabanza, Inc - Baltimore, Maryland
66.232.98.237 - NOC4Hosts, Tampa, Florida
67.96.77.3 - US Cellular, Knoxsville, Tennessee
78.132.144.87 - JSC Center Telecom - Russian Federation
79.139.129.137 - Moscow Local Telephone - Russian Federation
80.255.244.19 - Web Media Services - Russian Federation
80.72.23.56 - Colocation facility - Netherlands
81.23.99.50 - Severen Telecom, Russian Federation
85.71.224.34 - Czech Republic
86.126.61.166 - Bucharest, Romania
88.246.83.148 - Turk Telekom, Ankara, Turkey
88.254.4.69 - Poland
89.107.158.235 - St. Petersburg Telephone, Russian Federation
89.110.58.84 - ??
94.28.200.128 - Verizon
96.234.41.61 - Verizon
96.235.33.22 - Verizon
123.193.82.34 - Taiwan
151.8.226.253 - Italy
158.104.100.27 - Wilamette University, Salem, Oregon
159.213.32.206 - Italy
189.20.97.3 - Germany
194.8.120.227 - Federal Agency of Education, Moscow, Russia
195.161.9.2 - Austin Community College, Austin, TX
198.213.3.242 - Colombia
200.11.45.83 - Mexico
200.52.83.57 - Chile
200.73.29.90 - Colombia
205.166.61.190 - Cumberland Technologies, Mechanicsburg, PA
206.162.192.100 - SEI Data, Dillsboro, Indiana
211.110.195.30 - Korea
212.163.164.16 - Germany
212.8.197.5 - Spain
212.85.33.141 - Spain
216.147.32.118 - Albanza
217.35.209.165 - BTNet
220.248.143.44 - China
0 comments:
Post a Comment