The phone number is always busy.
Any thoughts?
--------------------------------------------------------------
Dear Customer,
OSI Codes Inc. Purchase Receipt and confirmation:
[please read the receipt transaction notice below]
Order Number: 5507333744742-SRE
Amount: $159.95
YOUR ORDER HAS BEEN COMPLETED.
--------------------------------------------------------
Click on the link below to view your invoice Or cancel the order.
http://www.my-osi-codes.net/invoice.html?id=84466147842285816564653
If you feel this is an error. Please click the link above and browse to
'cancel order' link, enter your order number and your purchase will be
cancelled instantly.
--------------------------------------------------------
--------------------------------------------------------
--------------------------------------------------------
YOUR CREDIT CARD STATEMENT WILL BE BILLED AS "OSI CODES" PURCHASE.
--------------------------------------------------------
--------------------------------------------------------
Thank you for choosing OSI Codes Solutions.
Your PURCHASE RECEIPT is attached to this email.
[please read the receipt transaction attached]
Thank you,
OSI Codes Inc.
459 Columbus Ave. 281
New York, New York, 10024
p: (866) 715-4813
f: (866) 637-4819
----------------------------------------------------------------
Thanks!
Scott
If you didn't order anything and you don't give them ANY information, they
can't really bill you.
Now, if your credit card info was stolen the thieves would have to be
stupid to also use your email address.
Call them on Friday.
--
Want to know what PCBUTTS1 is really about?
*** WARNING - these links contain foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/rlk/rlk.htm ,
http://www.pcbutts1.com/license.htm ,
http://www.pcbutts1.com/downloads/max.htm ,
http://www.pcbutts1.com/downloads/mpv.htm ,
http://www.pcbutts1.com/downloads/wtcpcb.htm ,
http://www.pcbutts1.com/cracks.htm ,
http://www.pcbutts1.com/Loutheasshole.htm
All while spamming his company website at: http://www.seedsv.com
Very well could be a threat !
What was attached ?
There are several Trojans that are received in email disguised as receipts, bills or
statements.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
> From: "Scott" <gol...@uslink.net>
>
>| I received this email from a company I've never heard of. It looks
>| very suspicious. The email source is: <otuot_...@cnbbas.com>
>| <snip>
>| --------------------------------------------------------
>| Click on the link below to view your invoice Or cancel the order.
>| http://www.my-osi-codes.net/invoice.html?id=84466147842285816564653
>
> Very well could be a threat !
>
> What was attached ?
>
> There are several Trojans that are received in email disguised as
> receipts, bills or statements.
The threat appears to be on the web page cited above (which may contain
the OP's unique code tied to his email address - kudos for posting that
to the whole planet <g>). On the page is the line:
"If you want to CANCEL the order please _click_here_ and click on "Open
or Run" when prompted."
Clicking the link attempts to download the file: "cancel order.exe"
which is a 3KB binary. Virustotal didn't find anything, but I sure
wouldn't be executing it.
--
-bts
-Motorcycles defy gravity; cars just suck
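A small triage script for lures like the one Scott posted, added here as an example (it is not code from anyone in this thread): it pulls the URLs out of the message, compares each link's domain with the sender's, flags a long all-digit query value like the id= token above (the per-recipient code bts mentions), and flags any link that points straight at an executable such as the "cancel order.exe" download. The sample message is reconstructed from the receipt quoted above; the sender's local part is a placeholder because the thread elides it.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample, cut down from the receipt quoted earlier in the thread.
# The sender's local part is a placeholder; the thread only shows the domain.
SAMPLE_FROM = "placeholder@cnbbas.com"
SAMPLE_BODY = """Dear Customer,
OSI Codes Inc. Purchase Receipt and confirmation:
Order Number: 5507333744742-SRE
Amount: $159.95
Click on the link below to view your invoice Or cancel the order.
http://www.my-osi-codes.net/invoice.html?id=84466147842285816564653
YOUR CREDIT CARD STATEMENT WILL BE BILLED AS "OSI CODES" PURCHASE.
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
EXE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def registrable_domain(host):
    """Last two labels of a host name; crude, but enough for .com/.net lures."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_email(from_addr, body):
    """Return the URLs found in the body and a list of phishing indicators."""
    findings = []
    sender_domain = registrable_domain(from_addr.rsplit("@", 1)[-1])
    urls = URL_RE.findall(body)
    for url in urls:
        u = urlparse(url)
        link_domain = registrable_domain(u.hostname or "")
        if link_domain != sender_domain:
            findings.append(f"sender/link domain mismatch: {sender_domain} vs {link_domain}")
        # A long, all-digit query value is typically a per-recipient token that
        # ties the click back to the address the lure was sent to.
        for key, values in parse_qs(u.query).items():
            for value in values:
                if len(value) >= 16 and value.isdigit():
                    findings.append(f"per-recipient tracking token in {key}= ({len(value)} digits)")
        if u.path.lower().endswith(EXE_EXT):
            findings.append(f"link points straight at an executable: {u.path}")
    # A billing notice plus a "cancel" call to action is the pressure lever here.
    if re.search(r"\bbilled\b|\bcredit card\b", body, re.I) and re.search(r"\bcancel", body, re.I):
        findings.append("urgency lure: billing notice with a cancel-the-order call to action")
    return {"urls": urls, "findings": findings}


if __name__ == "__main__":
    for line in triage_email(SAMPLE_FROM, SAMPLE_BODY)["findings"]:
        print("-", line)
```

The domain comparison is deliberately on the registrable domain, so a lure that links to a subdomain of the sender's own domain is not flagged; anything that resolves to a different second-level name is.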
David,
There was no attachment to this email. The threat appears to be on the
web page that you're directed to.
Scott
--
Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com, David
H. Lipman, Max M Wachtell III aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell
"Scott" <gol...@uslink.net> wrote in message
news:45C25EFD...@uslink.net...
That page contains a javascript command that is coded in hex. I have
decoded the hex, but it seems to be a self-modifying piece of code. I
would have thought that this is some sort of code that unpacks itself
to reveal the URL where the file is being hosted, but that doesn't
seem to be the case.
This link does work:
hxxp://www.my-osi-codes.net/cancel%20order.exe
And I think that the actual IP that is serving the file is this:
64.88.212.119
Which is SMARTCOM TELEPHONE, McAllen TX.
The domain MY-OSI-CODES.NET is registered to:
jorge l canales
68 Clearview Drive
Oakdale PA 15071
Regarding the file itself:
It's being id'd by maybe half of the scanners at VT such as:
AntiVir, Avast, BitDefender, Ikarus, Nod32, Norman, Panda, Sophos,
Symantec, VBA32.
It's not being id'd by the others, including Kaspersky.
It's being called these:
Delphi.Downloader.Gen
Qhost-AI
Trojan.Downloader.AEV
Bandok.AE
Others (like Nod, Norman, Panda, Sophos, Symantec) are giving it a
generic name or warning - probably because of how it's packed.
File details:
File size: 55061 bytes
MD5: 703051f38f84dc4ee1d914c2a88b0bce
SHA1: 98bab7ffbf2a79d08823b6b8ccaa42f4557c4abd
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANAL...@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing Unk3!FSG?.
* Creating several executable files on hard-drive.
* Accesses executable file from resource section.
* File length: 55061 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\weby.exe.
* Creates file C:\WINDOWS\TEMP\d.exe.
* Creates file C:\gameload.dll.
* Creates file C:\WINDOWS\msiutil.exe.
* Deletes file c:\gameload.dll.
* Creates file C:\ali.html.
* Deletes file C:\ali.html.
* Creates file C:\WINDOWS\kbdfi32.dll.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Active Setup\Installed
Components\Microsoft Windows Visual V2.0".
* Sets value "StubPath"="C:\WINDOWS\msiutil.exe" in key
"HKLM\Software\Microsoft\Active Setup\Installed Components\Microsoft
Windows Visual V2.0".
* Sets value "Microsoft Windows Visual
V2.0"="__?__?_______?_________?_______?__________" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion".
* Creates value "Microsoft Windows Visual V2.0"="C:\WINDOWS\msiutil.exe"
in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Attemps to NULL C:\WINDOWS\TEMP\weby.exe NULL.
* Attemps to NULL C:\WINDOWS\TEMP\d.exe NULL.
* Will automatically restart after boot (I'll be back...).
* Attemps to NULL C:\WINDOWS\msiutil.exe NULL.
* Attemps to NULL C:\COMMAND.COM /c del C:\WINDOWS\TEMP\weby.exe>> NUL.
* Modifies other process memory.
* Creates a remote thread.
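For the kind of hex-coded script the poster above describes, here is a decoder added as an example (it is not the poster's code and not the script from the lure page): it peels off \xNN and \uNNNN escapes, String.fromCharCode(...) calls and the argument of unescape("%NN..."), repeats until nothing changes so layered encodings unwrap, joins concatenated string fragments, and then lists the URLs that fall out, flagging any that point at an executable. The sample input is constructed: the opentracker.net hit-tracker URL that a later reply identifies, encoded three different ways in one statement.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not the script from the lure page): the opentracker.net
# hit-tracker URL a later reply identifies, encoded three different ways.
SAMPLE_JS = (
    r'var u = "\x68\x74\x74\x70\x3a\x2f\x2f" + '                      # "http://"
    r'unescape("%73%65rver1.opentracker.net") + '                     # "server1.opentracker.net"
    r'"\x2f\x3f\x73\x69\x74\x65\x3d" + '                              # "/?site="
    r'String.fromCharCode(111,115,105,99,111,100,101,115) + ".net";'  # "osicodes" + ".net"
)

HEX_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
UNI_RE = re.compile(r"\\u([0-9A-Fa-f]{4})")
FCC_RE = re.compile(r"String\.fromCharCode\(([\d\s,]*)\)")
UNESC_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""")
JOIN_RE = re.compile(r"""(["'])\s*\+\s*\1""")   # "abc" + "def"  ->  "abcdef"
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")
EXE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def _pct(s):
    """Percent-decode only inside unescape(...): a bare %NN in JS is literal text."""
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(js, max_rounds=8):
    """Apply the decoders until the text stops changing (bounded, so a decode
    that keeps producing new escapes cannot loop forever)."""
    cur, prev, rounds = js, None, 0
    while cur != prev and rounds < max_rounds:
        prev, rounds = cur, rounds + 1
        cur = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = UNI_RE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        cur = FCC_RE.sub(lambda m: '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"', cur)
        cur = UNESC_RE.sub(lambda m: m.group(1) + _pct(m.group(2)) + m.group(1), cur)
        cur = JOIN_RE.sub("", cur)
    return cur


def analyze(js):
    """Decode, then report the URLs and the behaviours an analyst cares about."""
    decoded = deobfuscate(js)
    urls = list(dict.fromkeys(URL_RE.findall(decoded)))   # de-duplicate, keep order
    flags = []
    for u in urls:
        if urlparse(u).path.lower().endswith(EXE_EXT):
            flags.append(f"link to executable: {u}")
    if re.search(r"<script|document\.write|eval\(", decoded, re.I):
        flags.append("injects script or uses eval/document.write")
    return {"decoded": decoded, "urls": urls, "flags": flags}


if __name__ == "__main__":
    result = analyze(SAMPLE_JS)
    print(result["decoded"])
    print(result["urls"], result["flags"])
```

Decoding is text-only: nothing is evaluated, so the script can be run on a lure page's source without the browser-side behaviour the page expects. Self-modifying code that rewrites itself at run time will not unwrap this way and has to be read by hand, as the poster above found.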
>> hxxp://www.my-osi-codes.net/invoice.html?id=84466147842285816564653
>
> That page contains a javascript command that is coded in hex. I have
> decoded the hex, but it seems to be a self-modifying piece of code. I
> would have thought that this is some sort of code that unpacks itself
> to reveal the URL where the file is being hosted, but that doesn't
> seem to be the case.
Indeed. The script seems to be just a hit tracker:
[script defer src="h__p://server1.opentracker.net/?site=osicodes.net"]
[/script]
[noscript]
[img src="h__p://img.opentracker.net/?cmd=nojs&site=osicodes.net" alt="" border="0"]
[/noscript]
> This link does work:
>
> hxxp://www.my-osi-codes.net/cancel%20order.exe
>
> And I think that the actual IP that is serving the file is this:
>
> 64.88.212.119
The site and name servers have a very short TTL and the IP addresses
rotate and change quickly. It's obviously hosted on a botnet
distributed over many ISPs.
Extract from Dig:
;; ANSWER SECTION:
www.my-osi-codes.net. 151 IN A 172.190.253.241
www.my-osi-codes.net. 151 IN A 65.33.140.8
www.my-osi-codes.net. 151 IN A 66.74.197.33
www.my-osi-codes.net. 151 IN A 172.146.15.240
www.my-osi-codes.net. 151 IN A 172.165.132.190
;; AUTHORITY SECTION:
my-osi-codes.net. 172771 IN NS ns2.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns3.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns4.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns5.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns1.uiooiyh.biz.
;; ADDITIONAL SECTION:
ns1.uiooiyh.biz. 151 IN A 24.6.160.203
ns2.uiooiyh.biz. 151 IN A 71.203.14.1
ns3.uiooiyh.biz. 151 IN A 24.8.119.199
ns4.uiooiyh.biz. 151 IN A 71.198.47.9
ns5.uiooiyh.biz. 151 IN A 24.8.119.199
ns5.uiooiyh.biz. 151 IN A 66.74.197.33
ns5.uiooiyh.biz. 151 IN A 71.198.47.9
ns5.uiooiyh.biz. 151 IN A 71.203.14.1
ns5.uiooiyh.biz. 151 IN A 24.6.160.203
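To make the fast-flux observation above checkable, here is a Python script added as an example (not the poster's code) that parses the dig output quoted above and scores the name on the usual indicators: an A-record TTL under five minutes, several A records spread over unrelated /16 networks, name servers whose own addresses carry the same short TTL, and name-server addresses that overlap the content addresses (66.74.197.33 appears in both the ANSWER and ADDITIONAL sections above). The DIG_OUTPUT string is the three sections as posted; the thresholds are assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# The dig output quoted in the thread, embedded here as the sample input.
DIG_OUTPUT = """
;; ANSWER SECTION:
www.my-osi-codes.net. 151 IN A 172.190.253.241
www.my-osi-codes.net. 151 IN A 65.33.140.8
www.my-osi-codes.net. 151 IN A 66.74.197.33
www.my-osi-codes.net. 151 IN A 172.146.15.240
www.my-osi-codes.net. 151 IN A 172.165.132.190
;; AUTHORITY SECTION:
my-osi-codes.net. 172771 IN NS ns2.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns3.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns4.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns5.uiooiyh.biz.
my-osi-codes.net. 172771 IN NS ns1.uiooiyh.biz.
;; ADDITIONAL SECTION:
ns1.uiooiyh.biz. 151 IN A 24.6.160.203
ns2.uiooiyh.biz. 151 IN A 71.203.14.1
ns3.uiooiyh.biz. 151 IN A 24.8.119.199
ns4.uiooiyh.biz. 151 IN A 71.198.47.9
ns5.uiooiyh.biz. 151 IN A 24.8.119.199
ns5.uiooiyh.biz. 151 IN A 66.74.197.33
ns5.uiooiyh.biz. 151 IN A 71.198.47.9
ns5.uiooiyh.biz. 151 IN A 71.203.14.1
ns5.uiooiyh.biz. 151 IN A 24.6.160.203
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")


def parse_dig(text):
    """Return (owner, ttl, type, rdata) tuples for the A and NS records in dig output."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def assess_fast_flux(records, ttl_threshold=300):
    """Score the queried host on fast-flux indicators; thresholds are assumptions."""
    a_recs = defaultdict(set)   # owner -> set of IPv4Address
    ttls = defaultdict(list)    # owner -> TTLs seen on its A records
    ns_names = set()            # rdata of every NS record
    for owner, ttl, rtype, rdata in records:
        if rtype == "A":
            a_recs[owner].add(ipaddress.ip_address(rdata))
            ttls[owner].append(ttl)
        else:
            ns_names.add(rdata)
    hosts = [o for o in a_recs if o not in ns_names]   # the content host, not glue
    if not hosts:
        raise ValueError("no A records for a non-name-server host")
    host = hosts[0]
    host_ips = a_recs[host]
    ns_ips = set()
    for ns in ns_names:
        ns_ips |= a_recs.get(ns, set())

    def nets16(ips):
        return {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}

    findings = []
    if min(ttls[host]) < ttl_threshold:
        findings.append(f"low A TTL ({min(ttls[host])}s)")
    if len(host_ips) >= 3:
        findings.append(f"{len(host_ips)} A records for {host}")
    if len(nets16(host_ips)) >= 3:
        findings.append(f"A records spread over {len(nets16(host_ips))} /16 networks")
    ns_ttls = [t for ns in ns_names for t in ttls.get(ns, [])]
    if ns_ttls and min(ns_ttls) < ttl_threshold:
        findings.append(f"low NS glue TTL ({min(ns_ttls)}s)")
    shared = host_ips & ns_ips
    if shared:
        findings.append("name-server IPs overlap content IPs: " + ", ".join(map(str, sorted(shared))))
    return {"host": host, "ips": [str(ip) for ip in sorted(host_ips)],
            "score": len(findings), "findings": findings}


if __name__ == "__main__":
    result = assess_fast_flux(parse_dig(DIG_OUTPUT))
    print(result["host"], "score", result["score"])
    for f in result["findings"]:
        print("-", f)
```

A single snapshot scores the quoted data at the maximum; in practice the check is run repeatedly, and a host whose A set keeps changing between queries a few minutes apart is the stronger signal than any one answer.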
> Regarding the file itself:
>
> It's being id'd by maybe half of the scanners at VT
I sent it to Virustotal hours ago but have had no reply.
Does this look like the same type of threat?
Thanks!
Scott
------------------------------------------------------------------
Dear Customer,
OSI Codes Inc. Purchase Receipt and confirmation:
[please read the receipt transaction notice below]
Order Number: 77161550826827652462-SRE
Amount: $159.95
YOUR ORDER HAS BEEN COMPLETED.
--------------------------------------------------------
Click on the link below to view your invoice Or cancel the order.
hssp://www.my-osi-codes.net/invoice.html?id=56285147817466386845480
| Here's the latest version of this email. I received it today.
| (Note: I changed http to hssp).
|
| Does this look like the same type of threat?
|
| Thanks!
| Scott
|
< snip >
Yes. The same Social Engineering technique to get you infected.