Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)


Virus Guy

Apr 20, 2013, 6:36:56 PM
We have a special edition of our malware links today. Two
American-Airlines ticket receipts, and two DHL package tracking links.

With all this airline flying and package ordering, looks like we're
going to have this economy up and running and back on its feet in no
time.

=====================
So where are we flying according to sample #1?

Date / Time of Departure: 25 MAY, 2013, 10:21 AM
Flight Time: 09:35
Arriving: Aurora
Seat: 73A/ZONE 2
Total Price: 269.69

Aurora - must be Aurora Illinois, airport code AAR. Not sure if "flight
time" is flight duration. I see that I have seat 73A - must be a really
long airplane. Nice price.

Return-Path: <ph15...@s013-ct-ffm-r01.ec-c.net>
Received: from s013-ct-ffm-r01.ec-c.net ([85.190.10.60])
X-Mailer: PHP/5.2.17

Here's the link:

hxxp://www.skdvikova.lt/images/index.php?get_ticket=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366481724/

File name: Electronic Ticket No.exe
File type: Win32 EXE
Detection ratio: 9/46
Analysis date: 2013-04-20 18:15:24 UTC

Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)

===========================
So where are we flying, according to sample #2?

28 MAY, 2013, 10:37 PM
09:35
Newport News
$270.70
52F/ZONE 1

Ah - Newport News / Williamsburg International Airport (PHP). Funny how
I don't see AA flying to that airport. Must be a code-share. I'm
seated in row 52 - that's a pretty big plane for such a small airport.

Return-Path: <ad...@syrahost.com>
Received: from plesk3.au.syrahost.com ([27.54.90.12])
Subject: Order is processed
From: "Airlines" <sup...@cubs-tickets.com>

Cubs-tickets.com ???

The link:
hxxp://alqayyim.com/images/index.php?get_ticket=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366485945/

Detection ratio: 11/46
Analysis date: 2013-04-20 19:25:45 UTC

Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
Comodo TrojWare.Win32.Trojan.Agent.Gen
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Panda Suspicious file
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)

=============================

And now for a change of pace. My DHL package tracking links. Not sure
what I ordered - let's find out:

Return-Path: <apa...@sv-web02.seso.local>
Received: from mail.securesolutions.at ([77.244.254.76])
Subject: Shipping Information
From: "Support Team" <sup...@airlineposterart.com>
X-Mailer: SayMailSMTP

hxxp://www.k-anastasiou-sa.gr/images/index.php?info=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366486230/

Detection ratio: 11/46
Analysis date: 2013-04-20 19:30:30 UTC

Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
Comodo TrojWare.Win32.Trojan.Agent.Gen
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Panda Suspicious file
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)

And how about another fake DHL tracking link while we're at it:

hxxp://www.htsmiddelburg.co.za/images/index.php?info=_

Received: from customer ([199.168.97.202])
X-Mailer: MyPHPMailer

Same A/V hits as above.
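As an added example (not part of the thread or of any poster's material), here is a small Python triage script that checks a mail message for the traits these four lures share: a link whose path is /images/index.php with a get_ticket or info parameter, a Return-Path domain that does not match the From domain, and an X-Mailer header from a scripted mailer (the PHP/, MyPHPMailer and SayMailSMTP values quoted above). The sample messages, hostnames and addresses in it are constructed placeholders, not the ones quoted in the thread, and the two-indicator threshold is an assumption chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample messages, modelled on the header fragments and
# defanged ("hxxp") links quoted in the thread. Hostnames and addresses
# are placeholders (RFC 2606 / RFC 5737 values), not the thread's own.
SAMPLES = [
    """Return-Path: <bounce@mailer-a.example>
Received: from mailer-a.example ([192.0.2.10])
From: "Airlines" <support@unrelated-shop.example>
Subject: Order is processed
X-Mailer: PHP/5.2.17

Your ticket: hxxp://compromised-site-a.example/images/index.php?get_ticket=_
""",
    """Return-Path: <bounce@mailer-b.example>
Received: from mailer-b.example ([198.51.100.7])
From: "Support Team" <support@poster-shop.example>
Subject: Shipping Information
X-Mailer: SayMailSMTP

Track your parcel: hxxp://compromised-site-b.example/images/index.php?info=_
""",
    # A benign-looking newsletter: consistent domains, ordinary link, no mailer tag.
    """Return-Path: <newsletter@airline.example>
Received: from mx.airline.example ([203.0.113.5])
From: "Airline Newsletter" <newsletter@airline.example>
Subject: May fares

See https://www.airline.example/deals
""",
]

# Matches both live (http) and defanged (hxxp) links.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
# Query parameter names seen on the lure links in the thread.
LURE_PARAMS = {"get_ticket", "info"}
# X-Mailer values (lower-cased substrings) seen on the lure mails in the thread.
SCRIPT_MAILERS = ("php/", "phpmailer", "saymailsmtp")


def refang(url):
    """Turn a defanged hxxp(s):// link back into a parseable http(s):// one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lure_url(url):
    """True if the link has the /images/index.php?get_ticket=... or ?info=... shape."""
    parts = urlparse(refang(url))
    if not parts.path.lower().endswith("/images/index.php"):
        return False
    params = set(parse_qs(parts.query, keep_blank_values=True))
    return bool(LURE_PARAMS & params)


def analyse(raw_message):
    """Score one RFC 822 message; two or more indicators mark it suspicious."""
    msg = message_from_string(raw_message)
    indicators = []
    urls = URL_RE.findall(msg.get_payload())
    if any(is_lure_url(u) for u in urls):
        indicators.append("lure_url")
    # Envelope sender domain differing from the From domain is common in
    # bulk-mailed lures sent through a third party's (often compromised) host.
    if domain_of(msg["Return-Path"]) != domain_of(msg["From"]):
        indicators.append("envelope_header_mismatch")
    mailer = (msg["X-Mailer"] or "").lower()
    if any(tag in mailer for tag in SCRIPT_MAILERS):
        indicators.append("script_mailer")
    return {
        "subject": msg["Subject"],
        "urls": urls,
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyse(sample)
        print(result["subject"], "->", result["indicators"], "suspicious" if result["suspicious"] else "ok")
```

The link check deliberately keys on the path and parameter names rather than on the hostnames, since each of the four messages in the thread used a different compromised site but the same script location; the hash reported by VirusTotal for all three analyses above is the same, so correlating downloads by content hash is the other half of the picture.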

David H. Lipman

Apr 20, 2013, 8:36:02 PM
From: "Dustin" <cowards....@raidsplace.com>

> Virus Guy <Vi...@Guy.com> wrote in news:51731888...@Guy.com:
>
>> We have a special edition of our malware links today. Two
>> American-Airlines ticket receipts, and two DHL package tracking
>> links.
>
> While you're jerking off to virustotal uploads and determining how badly the
> entire AV/AM industry sucks as a result of your super scientific
> studies... Are you submitting ANY of the samples to various
> antivirus/antimalware companies? Most of the ones I know of are happy to
> accept new samples from people.
>
> You would be far more productive doing that. You're wasting time posting
> these virus total scan results on malware samples you get.
>
>> With all this airline flying and package ordering, looks like we're
>> going to have this economy up and running and back on its feet in no
>> time.
>
> Sadly no. We have too many people with your critical thinking abilities
> making the major decisions. We're all fucked.
>

Let him post. It makes him happy.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

Virus Guy

Apr 20, 2013, 8:44:22 PM
"David H. Lipman" wrote:

> Let him post. It makes him happy.

Dave -

Why won't you answer the question as to whether or not Virus-Total feeds
the samples it receives back to the various AV companies whose software
is running on the site?

Or don't you know the answer to that question?

David H. Lipman

Apr 20, 2013, 8:51:56 PM
From: "Virus Guy" <Vi...@Guy.com>
I didn't read the question.

VT does in fact provide all samples to participating vendors.

Jax

Apr 23, 2013, 3:33:20 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:cKednRC_S7frqe7M...@giganews.com:

> From: "Dustin" <cowards....@raidsplace.com>
>
>> Virus Guy <Vi...@Guy.com> wrote in news:51731888...@Guy.com:
>>
>>> We have a special edition of our malware links today. Two
>>> American-Airlines ticket receipts, and two DHL package tracking links.
>>
>> While you're jerking off to virustotal uploads and determining how badly the
>> entire AV/AM industry sucks as a result of your super scientific
>> studies... Are you submitting ANY of the samples to various
>> antivirus/antimalware companies? Most of the ones I know of are happy to
>> accept new samples from people.
>>
>> You would be far more productive doing that. You're wasting time posting
>> these virus total scan results on malware samples you get.
>>
>>> With all this airline flying and package ordering, looks like we're
>>> going to have this economy up and running and back on its feet in no
>>> time.
>>
>> Sadly no. We have too many people with your critical thinking abilities
>> making the major decisions. We're all fucked.
>>
>
> Let him post. It makes him happy.

Mike, do you believe Dustin can do the following? I don't! :)

"I can make google take you to any set of posts from anyone I want"

Posted in message <XnsA1AA906B6A03CB7Z317AGDTEHHI8AJ283@no>

--
Jax

Virus Guy

Apr 23, 2013, 8:10:52 PM
Jax wrote:

> > Let him post. It makes him happy.
>
> Mike do you believe Dustin can do the following? I don't! :)

Mike?

Who is Mike?

James W. Anderson

May 3, 2013, 12:00:29 AM
Zscaler misses some of this.

http://zulu.zscaler.com/submission/show/656bc359c591dc230f4932d439ccc8cd-1367553246

http://zulu.zscaler.com/submission/show/7215102cd877a532702e5278a278d439-1367553350
(shows site is 404)

http://zulu.zscaler.com/submission/show/0340e65c8378bf2b6bb283dbc5537513-1367553485
(shows redirect to http://www.admiralcomputers.com/default/index.html)

Zscaler finds nothing fishy about any of these; all are from this
thread. They claim to use blacklists and other sources to aid in
Zulu's parsing and analysis of URLs to determine the contents of a
given site; as this shows, it doesn't work most of the time.

Thane

May 3, 2013, 10:52:58 PM
I've had similar issues with zscaler on other URLs. Many of the
airlines spammer payloads were identified as benign.

Thane