
[email] [TROJAN] Angelina Jolie's Free Video.


spam...@nil.nil
Jul 16, 2008, 7:03:33 PM
SPAM: [TROJAN] Angelina Jolie's Free Video.

Spam FROM: 84.104.115-78.rev.gaoland.net [78.115.104.84]
abuse-s...@cegetel.net,ab...@cegetel.net,ab...@sitadelle.com,
ab...@gaoland.net,postm...@cegetel.net,postm...@sitadelle.com,
postm...@gaoland.net,sup...@cegetel.net,sup...@sitadelle.com,
sup...@gaoland.net

This is the modern form of email advertising consisting
of a modification of an original mailer's content.
Be Green! Save Electrons! It is recycled mail with the
original content used to foil anti-spam filters.
At the least it is a copyright violation ((C)2008 Microsoft).

Spam CONTENT: Microsoft Featured Offer email promotion
ab...@microsoft.com,ad...@microsoft.com,
ab...@msadcenter.msn.com,postm...@msadcenter.msn.com,
ab...@msn.com,ad...@msn.com

The content has been modified to the following:

Spam CONTENT [image]: http://195.190.13.98/1.gif
Spamvertized URL: http://195.190.13.98/video-nude-anjelina.avi.exe
on steephost.{net,com}.
ab...@steephost.com,ab...@steephost.net,postm...@steephost.com,
postm...@steephost.net,sup...@steephost.com,sup...@steephost.net,
hostm...@steephost.com,hostm...@steephost.net,ad...@steephost.com,
ad...@steephost.net
(this file is tagged by Kaspersky as Trojan-Downloader.Win32.Agent.wjo)

==========
[DETAILS:]

SPAM FROM: 84.104.115-78.rev.gaoland.net [78.115.104.84] (may be forged)
Which forged my username in the envelope sender and
forged my email address as the "From:" address.

inetnum: 78.112.0.0 - 78.116.162.255
netname: CEGETEL-INTERNET-RESIDENTIEL
descr: INTERNET RESIDENTIEL CEGETEL France
remarks: abuse-s...@cegetel.net
remarks: sup...@sitadelle.com

SPAM CONTENT: Microsoft MSN Featured Offer

Well, yet another email which I am getting
"... because [I] subscribed to MSN Featured Offers."
(and, no, I did *NOT* subscribe to MSN Featured Offers).

It has, of course, Microsoft's links to remove myself from
their mailings (Unsubscribe), sign up for yet more spam,
sorry, "Feature Offers," (More Newsletters) and a link to
view their privacy policy (Privacy) along with their notice
claiming responsibility ((C)2008 Microsoft,
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052).

They are actually Microsoft's own links! It must be Microsoft!
[a href="http://www.msn.com" target="_blank"]Unsubscribe[/a]
[a href="http://www.msn.com" target="_blank"]More Newsletters[/a]
[a href="http://www.msn.com" target="_blank"]Privacy[/a]

and what an offer Microsoft is giving me - a free video of Angelina Jolie,
[a href="http://195.190.13.98/video-nude-anjelina.avi.exe " target="_blank"]
[img src="http://195.190.13.98/1.gif" border=0 alt="Click Here!"][/a]
(the image has two layers, the main layer being
"Mr. Skin -
the nude celebrity expert!
[image]
See all of Angelina Jolie's
steamiest sex scenes!"
above flashing text (the text is on the main
image and there is another frame, a small white
rectangle to block and reveal it)
"CLICK NOW FOR
FREE ACCESS!").

And unless someone has stolen Microsoft's copyrighted material,
they are offering me a chance to get:

SPAM CONTENT [image]: http://195.190.13.98/1.gif
SPAMVERTIZED URL: http://195.190.13.98/video-nude-anjelina.avi.exe

'[a href="http://195.190.13.98/video-nude-anjelina.avi.exe " target="_blank"]
[img src="http://195.190.13.98/1.gif" border=0 alt="Click Here!"][/a]'

The image has two layers, the main layer being
"Mr. Skin -
the nude celebrity expert!
[image]
See all of Angelina Jolie's
steamiest sex scenes!"
above flashing text (the text is on the main
image and there is another frame, a small white
rectangle to block and reveal it)
"CLICK NOW FOR
FREE ACCESS!".

What is the file?

* Connected to 195.190.13.98
GET /video-nude-anjelina.avi.exe HTTP/1.1
Host: 195.190.13.98

HTTP/1.1 200 OK
Server: Apache/2.2
Content-Length: 149504
Content-Type: application/x-msdownload

a simple "video-nude-anjelina.avi" AVI file ... oops, there
is that extra pesky extension, ".exe", at the end.

This was submitted to VirusTotal.com earlier today and their
report:
First received: 07.16.2008 16:18:47 (CET)
showed:

Antivirus Version Last Update Result
--------- ------- ---- ------ ------
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XPACK.Gen
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Trojan.Packed.573
eSafe - - Suspicious File
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - Trojan.Crypt.XPACK
Kaspersky - - Trojan-Downloader.Win32.Agent.wjo
McAfee - - -
Microsoft - - -
NOD32v2 - - a variant of Win32/TrojanDropper.Small.NHU
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - Packed.Generic.57
TheHacker - - -
TrendMicro - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XPACK.Gen
Additional information
MD5: f4aa742077659b9a4f804d6a3e2934b5
SHA1: 0ba573d56ef43220fba2988f7d58800499738344
SHA256: b0305984282a3b753ec318a347e91dc9dc9b923222028f74801c6d7d3d3ab5d9

(unrecognized by McAfee and Microsoft)

It seems that Microsoft is offering me a TROJAN! hosted at

IP address 195.190.13.98
------------------------
inetnum: 195.190.13.0 - 195.190.13.255
netname: SteepHost-DC-UA
descr: SteepHost.COM Datacentre Allocation
abuse-mailbox: ab...@steephost.com
Address 195.190.13.98 maps to 98.13.190.195.unknown.SteepHost.Net
13.190.195.in-addr.arpa has SOA hostm...@steephost.net
------------------------

===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <_MY_USE...@lycos.de>
Received: from design31-14220a (84.104.115-78.rev.gaoland.net [78.115.104.84] (may be forged))
by _my_isp_ (xxx) with SMTP id m6FEDY54031427
for <_my_email_address_>; Tue, 15 Jul 2008 10:13:40 -0400 (EDT)
(envelope-from _MY_USE...@lycos.de)
Date: Tue, 15 Jul 2008 10:13:34 -0400 (EDT)
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <20080715051339.26003.qmail@design31-14220a>
To: <xxx>
Subject: Angelina Jolie's Free Video.
From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="UTF-8"
xxxContent-Transfer-Encoding: 7bit
X-IMAPbase: 1216223299 39
X-UIDL: ]'<"!ZT_"!3j2"!V+%#!
Status: RO
X-Status:
X-Keywords:
X-UID: 4

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[/head]
[html]
[body]
[tr]
[td class=EC_container bgcolor="#F2F2F2"]
[table cellpadding=0 cellspacing=0 width="100%"]
[tr]
[td]

[div align=center] [a href="http://195.190.13.98/video-nude-anjelina.avi.exe
" target="_blank"][img src="http://195.190.13.98/1.gif" border=0 alt="Click Here!"][/a] [/div]
[/td]
[/tr]
[tr]
[td class=EC_legal]
[strong]About this mailing: [/strong][br]
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe
you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service
advertised. Prices and item availability subject to change without notice.[br][br]

©2008 Microsoft | [a href="http://www.msn.com" target="_blank"]Unsubscribe[/a] | [a href="http://www.msn.com" target="_blank"]More Newsletters[/a] | [a href="http://www.msn.com" target="_blank"]Privacy[/a][br][br]
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

[/td]
[/tr]
[/table]
[/td]
[/tr]
[/table]

[/div]
[/div]

[/div]

[/body]
[/html]

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
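Added example, not part of the poster's report: a Python triage script that applies the checks the report walks through by hand (From: equal to the recipient, envelope sender that does not match the injecting host's reverse DNS, an unqualified HELO name, links to a bare IP host, and a ".avi.exe" double extension served as application/x-msdownload). SAMPLE_MESSAGE is a constructed message modelled on the quoted headers and HTML; the victim@lycos.example, victim@isp.example and mail.isp.example names are placeholders for the addresses the poster redacted, while the Received host, mailer string and spamvertized URL are copied from the report above.

```python
"""Triage checks for a spam message like the one reported above. Added example,
not part of the original post; SAMPLE_MESSAGE is a constructed message modelled
on the quoted headers and HTML, with placeholder recipient, sender and relay names."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; placeholder addresses stand in for the poster's redacted ones.
SAMPLE_MESSAGE = """\
Return-Path: <victim@lycos.example>
Received: from design31-14220a (84.104.115-78.rev.gaoland.net [78.115.104.84] (may be forged))
\tby mail.isp.example (xxx) with SMTP id m6FEDY54031427
\tfor <victim@isp.example>; Tue, 15 Jul 2008 10:13:40 -0400 (EDT)
\t(envelope-from victim@lycos.example)
Date: Tue, 15 Jul 2008 10:13:34 -0400 (EDT)
X-Mailer: CME-V6.5.4.3; MSN
To: <victim@isp.example>
Subject: Angelina Jolie's Free Video.
From: <victim@isp.example>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"

<html><body>
<a href="http://195.190.13.98/video-nude-anjelina.avi.exe " target="_blank"><img src="http://195.190.13.98/1.gif" alt="Click Here!"></a>
&copy;2008 Microsoft | <a href="http://www.msn.com">Unsubscribe</a> | <a href="http://www.msn.com">Privacy</a>
</body></html>
"""
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MEDIA_EXTENSIONS = {".avi", ".mpg", ".mpeg", ".wmv", ".mov", ".jpg", ".gif", ".pdf", ".doc"}

class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())

def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs

def url_filename(url):
    return urlparse(url.strip()).path.rsplit("/", 1)[-1].lower()

def is_double_extension_executable(url):
    """True for names like clip.avi.exe: a media-looking name ending in an executable extension."""
    parts = url_filename(url).split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTENSIONS and "." + parts[-2] in MEDIA_EXTENSIONS

def content_type_contradicts_name(url, content_type):
    """True when a media-named file is served with an executable Content-Type, as in the GET above."""
    name = url_filename(url)
    claims_media = any(ext + "." in name or name.endswith(ext) for ext in MEDIA_EXTENSIONS)
    served_type = content_type.split(";")[0].strip().lower()
    return claims_media and served_type in {"application/x-msdownload", "application/x-dosexec"}

def host_is_ip_literal(url):
    host = urlparse(url.strip()).hostname or ""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None

def injection_hop(msg):
    """(helo_name, reverse_dns, ip) of the earliest Received hop, i.e. where the mail entered, or None."""
    hops = msg.get_all("Received", [])
    match = hops and re.search(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]", hops[-1])
    return match.groups() if match else None

def triage(raw_message):
    """Return the indicator names that fire on the message; an empty list means none did."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # Header forgery: self-addressed mail, and an envelope-sender domain that does
    # not match the reverse DNS of the host that injected the message.
    if from_addr and from_addr == to_addr:
        findings.append("from-equals-recipient")
    hop = injection_hop(msg)
    if hop:
        helo, rdns, _ip = hop
        domain = envelope.rsplit("@", 1)[-1]
        rdns = rdns.lower()
        if domain and rdns != domain and not rdns.endswith("." + domain):
            findings.append("envelope-domain-mismatch")
        if "." not in helo:  # unqualified HELO name, as in "design31-14220a"
            findings.append("bare-helo-name")
    # Body: links to bare IP hosts and to double-extension executables.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    for href in extract_links(body):
        if host_is_ip_literal(href):
            findings.append("ip-literal-link:" + href)
        if is_double_extension_executable(href):
            findings.append("double-extension-executable:" + href)
    return findings
```

Run triage(SAMPLE_MESSAGE) and every one of the five indicators fires; content_type_contradicts_name() is kept separate because it needs the server's response, which the report obtained with the GET shown under "What is the file?". The envelope check deliberately compares against the reverse DNS of the first Received hop rather than any later relay, since that is the only hop the receiving server observed directly.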
