Dear AOL Instant Messenger (AIM) user,
Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.
If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.
In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.
Thank you,
AIM Service Team
This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.
The email subjects today are primarily three:
AOL Instant Messenger critical update
Your AOL Instant Messenger account is flagged as inactive
Your AOL Instant Messenger account will be deleted
The download link points to a file called:
aimupdate_7.1.6.475
File size: 130048 bytes
MD5 : 506b74fab91958e0a9714c4ef5a9f24d
SHA1 : bdb3ecffb2245a6a3f4bda3880aa562a13bff421
VirusTotal of course informs us that this is a Zeus / Zbot infector:
(See VirusTotal Report)
Before you even download the "executable", there is drive-by malware that hits the visitor.
== 109.95.114.251/usr5432/in.php is called as a result of an iframe on the page.
This leads to the download and loading of:
== 109.95.114.251/usr5432/xd/pdf.pdf
and then
== /usr5432/xd/sNode.php
and /usr5432/xd/swfobject.js
and then nekovo.ru/kissme/rec.php
which downloads nekovo.ru/abs.exe
abs.exe is only detectable by 5 of 41 anti-virus products according to VirusTotal, most of them detecting them as "Hiloti":
VirusTotal Report on Hiloti - abs.exe
Websites that have been used in this campaign, all using the path "products/aimController.php", include:
machine
--------------------------------
update.aol.com.favucca.co.im
update.aol.com.favuccaco.im
update.aol.com.favucca.com.im
update.aol.com.favuccacom.im
update.aol.com.favuccaim
update.aol.com.favucca.im
update.aol.com.favucca.net.im
update.aol.com.favuccanet.im
update.aol.com.favucca.org.im
update.aol.com.favuccaorg.im
update.aol.com.hasdxzzw.co.im
update.aol.com.hasdxzzw.com.im
update.aol.com.hasdxzzw.im
update.aol.com.hasdxzzw.net.im
update.aol.com.hasdxzzw.org.im
update.aol.com.oifeazx.com.pl
update.aol.com.oifeazxcom.pl
update.aol.com.oijeaxx.com.pl
update.aol.com.oijeaxxcom.pl
update.aol.com.oijeazx.com.pl
update.aol.com.oijeazxcom.pl
update.aol.com.oijhaxx.com.pl
update.aol.com.oijhaxxcom.pl
update.aol.com.oijhayx.com.pl
update.aol.com.oijhayxcom.pl
update.aol.com.oijqayx.com.pl
update.aol.com.oijqayxcom.pl
update.aol.com.oiybaqr.com.pl
update.aol.com.oiybaqrcom.pl
update.aol.com.oiybkqr.com.pl
update.aol.com.oiybkqrcom.pl
update.aol.com.oiyqaqr.com.pl
update.aol.com.oiyqaqrcom.pl
update.aol.com.oiyqayr.com.pl
update.aol.com.oiyqayrcom.pl
update.aol.com.oiyqayx.com.pl
update.aol.com.oiyqayxcom.pl
update.aol.com.onybkqr.com.pl
update.aol.com.onybkqrcom.pl
update.aol.com.onybksm.com.pl
update.aol.com.onybksmcom.pl
update.aol.com.onybksr.com.pl
update.aol.com.onybksrcom.pl
update.aol.com.onybmsm.com.pl
update.aol.com.onybmsmcom.pl
update.aol.com.pikie.com.pl
update.aol.com.pikoe.com.pl
update.aol.com.pikqe.com.pl
update.aol.com.pikye.com.pl
update.aol.com.pioqe.com.pl
update.aol.com.pioqo.com.pl
update.aol.com.saxxxzabe
update.aol.com.saxxxzfbe
update.aol.com.saxxxznbe
update.aol.com.saxxxzn.be
update.aol.com.terfkioa.com.pl
update.aol.com.terfkioa.net.pl
update.aol.com.terfkioc.com.pl
update.aol.com.terfkioc.net.pl
update.aol.com.terfkiod.com.pl
update.aol.com.terfkiod.net.pl
update.aol.com.terfkiof.com.pl
update.aol.com.terfkiof.net.pl
update.aol.com.terfkioq.com.pl
update.aol.com.terfkioq.net.pl
update.aol.com.terfkior.com.pl
update.aol.com.terfkios.com.pl
update.aol.com.terfkios.net.pl
update.aol.com.terfkiox.com.pl
update.aol.com.terfkiox.net.pl
update.aol.com.yhff10.com.pl
update.aol.com.yhff11.com.pl
update.aol.com.yhffd0.com.pl
update.aol.com.yhffd1.com.pl
update.aol.com.yhffd2.com.pl
update.aol.com.yhffd3.com.pl
update.aol.com.yhffd4.com.pl
update.aol.com.yhffd5.com.pl
update.aol.com.yhffd6.com.pl
update.aol.com.yhffd7.com.pl
update.aol.com.yhffd8.com.pl
update.aol.com.yhffd9.com.pl
update.aol.com.yhnki6u.com.pl
update.aol.com.yhnki6ucom.pl
update.aol.com.yhnkz6u.com.pl
update.aol.com.yhnkz6ucom.pl
update.aol.com.yhuki6u.com.pl
update.aol.com.yhuki6ucom.pl
update.aol.com.yhuoi6u.com.pl
update.aol.com.yhuoi6ucom.pl
update.aol.com.yhuoo6u.com.pl
update.aol.com.yhuoo6ucom.pl
update.aol.com.yhuou6u.com.pl
update.aol.com.yhuou6ucom.pl
update.aol.com.yhusssqb.com.pl
update.aol.com.yhusssqc.com.pl
update.aol.com.yhusssqd.com.pl
update.aol.com.yhusssqf.com.pl
update.aol.com.yhusssqg.com.pl
update.aol.com.yhusssqh.com.pl
update.aol.com.yhusssqj.com.pl
update.aol.com.yhusssqn.com.pl
update.aol.com.yhusssqq.com.pl
update.aol.com.yhusssqs.com.pl
update.aol.com.yhusssqu.com.pl
update.aol.com.yhusssqv.com.pl
update.aol.com.yhusssqw.com.pl
update.aol.com.yhusssqy.com.pl
update.aol.com.yhuui6u.com.pl
update.aol.com.yhuui6ucom.pl
update.aol.com.yhuyu6u.com.pl
update.aol.com.yhuyu6ucom.pl
update.aol.com.yhuyu6y.com.pl
update.aol.com.yhuyu6ycom.pl
update.aol.com.yhyki6u.com.pl
update.aol.com.yhyki6ucom.pl
(116 rows)
0 comments:
Post a Comment