We have a special edition of our malware links today. Two
American Airlines ticket receipts, and two DHL package tracking links.
With all this airline flying and package ordering, looks like we're
going to have this economy up and running and back on its feet in no
time.
=====================
So where are we flying according to sample #1?
Date / Time of Departure: 25 MAY, 2013, 10:21 AM
Flight Time: 09:35
Arriving: Aurora
Seat: 73A/ZONE 2
Total Price: 269.69
Aurora - must be Aurora Illinois, airport code AAR. Not sure if "flight
time" is flight duration. I see that I have seat 73A - must be a really
long airplane. Nice price.
Return-Path: <ph15...@s013-ct-ffm-r01.ec-c.net>
Received: from s013-ct-ffm-r01.ec-c.net ([85.190.10.60])
X-Mailer: PHP/5.2.17
Here's the link:
hxxp://www.skdvikova.lt/images/index.php?get_ticket=_
https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366481724/
File name: Electronic Ticket No.exe
File type: Win32 EXE
Detection ratio: 9/46
Analysis date: 2013-04-20 18:15:24 UTC
Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)
===========================
So where are we flying, according to sample #2?
Date / Time of Departure: 28 MAY, 2013, 10:37 PM
Flight Time: 09:35
Arriving: Newport News
Total Price: $270.70
Seat: 52F/ZONE 1
Ah - Newport News / Williamsburg International Airport (PHP). Funny how
I don't see AA flying to that airport. Must be a code-share. I'm
seated in row 52 - that's a pretty big plane for such a small airport.
Return-Path: <ad...@syrahost.com>
Received: from plesk3.au.syrahost.com ([27.54.90.12])
Subject: Order is processed
From: "Airlines" <sup...@cubs-tickets.com>
Cubs-tickets.com ???
The link:
hxxp://alqayyim.com/images/index.php?get_ticket=_
https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366485945/
Detection ratio: 11/46
Analysis date: 2013-04-20 19:25:45 UTC
Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
Comodo TrojWare.Win32.Trojan.Agent.Gen
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Panda Suspicious file
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)
=============================
And now for a change of pace. My DHL package tracking links. Not sure
what I ordered - let's find out:
Return-Path: <apa...@sv-web02.seso.local>
Received: from mail.securesolutions.at ([77.244.254.76])
Subject: Shipping Information
From: "Support Team" <sup...@airlineposterart.com>
X-Mailer: SayMailSMTP
hxxp://www.k-anastasiou-sa.gr/images/index.php?info=_
https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366486230/
Detection ratio: 11/46
Analysis date: 2013-04-20 19:30:30 UTC
Avast Win32:Crypt-OQO [Trj]
ByteHero Trojan.Malware.Obscu.Gen.004
Comodo TrojWare.Win32.Trojan.Agent.Gen
ESET-NOD32 a variant of Win32/Kryptik.AYMJ
Fortinet W32/Dofoil.PHY!tr
GData Win32:Crypt-OQO
Kaspersky Trojan-Downloader.Win32.Dofoil.png
Panda Suspicious file
Sophos Mal/Weelsof-D
VBA32 BScope.Trojan-Dropper.8612
VIPRE Trojan.Win32.Kuluoz.b (v)
And how about another fake DHL tracking link while we're at it:
hxxp://www.htsmiddelburg.co.za/images/index.php?info=_
Received: from customer ([199.168.97.202])
X-Mailer: MyPHPMailer
Same A/V hits as above.
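A worked triage of the four messages, added here as an example; it is not part of the original post. One thing worth noticing first: all three VirusTotal links above point at the same SHA-256 hash, so the three different landing URLs served a single binary under two different lures. The script below parses the headers quoted above, pulls the de-fanged links out of each message, and flags what the four samples have in common: the /images/index.php?get_ticket= or ?info= landing URL on a compromised site, a PHP/script X-Mailer, a brand-name From display on an unrelated domain, and a Return-Path domain that differs from the From domain. The sample messages are constructed from the headers quoted in the post (the one-line body around each link is made up, and so is the benign control), and the brand-to-domain table and the scoring weights are this example's own assumptions, not anything the post states.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit, parse_qs

# Landing-page shape shared by all four links in the post: a PHP script dropped
# into /images/ on a compromised site, keyed by get_ticket= or info=.
LURE_PATH = "/images/index.php"
LURE_KEYS = {"get_ticket", "info"}
# X-Mailer strings quoted in the post's headers (web-script mailers, not an
# airline's or courier's mail platform).
SCRIPT_MAILERS = ("PHP/", "SayMailSMTP", "MyPHPMailer")
# Assumption of this example: brand words a lure's display name uses, mapped to
# the domains that legitimately send for that brand.
BRAND_DOMAINS = {"airlines": ("aa.com",), "dhl": ("dhl.com",)}
# Assumption of this example: weights; the landing-URL pattern alone is decisive.
WEIGHTS = {"lure_url": 5, "brand_mismatch": 2, "script_mailer": 1, "envelope_mismatch": 1}

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
ADDR_RE = re.compile(r"[^\s<>\"@]+@([^\s<>\"]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def refang(url):
    """Turn a de-fanged hxxp:// link back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def is_lure_url(url):
    """True when the URL matches the /images/index.php?get_ticket=|info= pattern."""
    parts = urlsplit(refang(url))
    if not parts.path.endswith(LURE_PATH):
        return False
    return bool(LURE_KEYS & set(parse_qs(parts.query, keep_blank_values=True)))


def sender_parts(value):
    """Split a From:/Return-Path: value into (display name, address domain)."""
    m = ADDR_RE.search(value or "")
    domain = m.group(1).lower() if m else ""
    display = value.split("<", 1)[0].strip().strip('"').strip() if value and "<" in value else ""
    return display, domain


def triage(raw):
    """Score one raw message; returns relay IP, links and the flags that fired."""
    msg = message_from_string(raw)
    display, from_domain = sender_parts(msg.get("From", ""))
    _, envelope_domain = sender_parts(msg.get("Return-Path", ""))
    mailer = (msg.get("X-Mailer", "") or "").lower()
    ip = IP_RE.search(msg.get("Received", "") or "")
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = [refang(u) for u in URL_RE.findall(body)]

    flags = []
    if any(is_lure_url(u) for u in urls):
        flags.append("lure_url")
    if any(brand in display.lower()
           and not any(from_domain == d or from_domain.endswith("." + d) for d in domains)
           for brand, domains in BRAND_DOMAINS.items()):
        flags.append("brand_mismatch")
    if any(s.lower() in mailer for s in SCRIPT_MAILERS):
        flags.append("script_mailer")
    if from_domain and envelope_domain and from_domain != envelope_domain:
        flags.append("envelope_mismatch")  # weak on its own: lists and ESPs do this too

    score = sum(WEIGHTS[f] for f in flags)
    verdict = "malicious" if score >= 5 else "suspicious" if score >= 2 else "clean"
    return {"relay_ip": ip.group(1) if ip else None, "urls": urls,
            "flags": flags, "score": score, "verdict": verdict}


# Constructed messages: headers and links as quoted in the post, with a made-up
# one-line body around each link; the last one is a benign control.
SAMPLES = {
    "aa_ticket_1": "Return-Path: <ph15...@s013-ct-ffm-r01.ec-c.net>\n"
                   "Received: from s013-ct-ffm-r01.ec-c.net ([85.190.10.60])\n"
                   "X-Mailer: PHP/5.2.17\n\n"
                   "Electronic ticket: hxxp://www.skdvikova.lt/images/index.php?get_ticket=_\n",
    "aa_ticket_2": "Return-Path: <ad...@syrahost.com>\n"
                   "Received: from plesk3.au.syrahost.com ([27.54.90.12])\n"
                   "Subject: Order is processed\n"
                   'From: "Airlines" <sup...@cubs-tickets.com>\n\n'
                   "Electronic ticket: hxxp://alqayyim.com/images/index.php?get_ticket=_\n",
    "dhl_1": "Return-Path: <apa...@sv-web02.seso.local>\n"
             "Received: from mail.securesolutions.at ([77.244.254.76])\n"
             "Subject: Shipping Information\n"
             'From: "Support Team" <sup...@airlineposterart.com>\n'
             "X-Mailer: SayMailSMTP\n\n"
             "Tracking: hxxp://www.k-anastasiou-sa.gr/images/index.php?info=_\n",
    "dhl_2": "Received: from customer ([199.168.97.202])\n"
             "X-Mailer: MyPHPMailer\n\n"
             "Tracking: hxxp://www.htsmiddelburg.co.za/images/index.php?info=_\n",
    "benign": 'From: "Example Newsletter" <news@example.com>\n'
              "Return-Path: <news@example.com>\n"
              "X-Mailer: Example Mailer 1.0\n\n"
              "This month's issue: https://example.com/news/2013/04\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = triage(raw)
        print(f"{name:12} {r['verdict']:10} score={r['score']} relay={r['relay_ip']} flags={r['flags']}")
```

The landing-URL check carries the verdict on its own because the path and parameter names are identical across all four samples, while the header traits are only corroboration: Return-Path/From mismatches and PHP mailers are common in legitimate bulk mail, so they are weighted low. The relay IPs and landing hosts the script pulls out are the block-list material; the display-name and X-Mailer strings are the cheap pattern-match to catch the next batch of the same kit.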