[email] [malware] [Ozdok/Mega-D] (209.175.212.30) Recovery KEYS for your account

David Ritz

Nov 4, 2008, 11:25:35 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

dritz@glimmer:~% whois -h whois.cymru.com 209.175.212.30 ; date
AS | IP | AS Name
6325 | 209.175.212.30 | ILLINOIS-CENTURY - Illinois Century Network
Wed Nov 5 04:22:36 UTC 2008

============================================================================
[ Offending message ]
Return-Path: <urb...@blueoxforestry.com>
X-Original-To: x
Delivered-To: x.local
Received: from glimmer.mako.ath.cx (localhost [127.0.0.1])
by glimmer.local (Postfix) with ESMTP id 192EB2703AB8
for <x>; Tue, 4 Nov 2008 20:03:59 -0600 (CST)
Received: from pop.mindspring.com
by glimmer.mako.ath.cx with POP3 (fetchmail-6.3.8)
for <x> (single-drop); Tue, 04 Nov 2008 20:03:59 -0600 (CST)
Received: from noehlo.host ([127.0.0.1])
by wanamaker.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id 1kXxoE4kz3Nl3oJ1; Tue, 4 Nov 2008 20:41:24 -0500 (EST)
Received: from www.eldorado.k12.il.us ([209.175.212.30])
by wanamaker.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP id 1kXxow1UA3Nl3oJ1; Tue, 4 Nov 2008 20:41:18 -0500 (EST)
Received: from [209.175.212.30] by sm02.internetmailserver.net; Tue, 4 Nov 2008 19:41:22 -0600
Date: Tue, 4 Nov 2008 19:41:22 -0600
From: "Ferdinand Meeks" <urb...@blueoxforestry.com>
X-Mailer: The Bat! (v3.60.07) Educational
Reply-To: urb...@blueoxforestry.com
X-Priority: 3 (Normal)
Message-ID: <9618________...@blueoxforestry.com>
To: x
Subject: Recovery KEYS for your account
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------ABB4F05E219C3F2"
X-ELNK-Received-Info: spv=1;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=0b; sbw=000;


- ------------ABB4F05E219C3F2
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit

Dear Valued Customer, Dritz

There are the keys to recover your personal account. In order to use them later, please, preserve them in a sure place.

Till next time, Ferdinand Meeks

- ------------ABB4F05E219C3F2
Content-Type: Text/Plain; charset=US-ASCII
X-Content-Type: application/zip; name="the_Keys.zip"
X-Content-Transfer-Encoding: base64
X-Content-Disposition: attachment; filename="the_Keys.zip"

[ The following attachment was DELETED when this message was saved: ]
[ A Application/ZIP (Name="the_Keys.zip") segment of about 26,178 byte ]
[ the_Keys.zip: Trojan.Agent-59561 FOUND (ClamAV) ]
[ >>> Virus 'Mal/EncPk-CZ' found in file the_Keys.zip/The_Keys.doc .exe]
[ >>> Virus 'Troj/Invo-Zip' found in file the_Keys.zip (Sophos) ]
- ------------ABB4F05E219C3F2--
============================================================================
[ SpamCop V2 ]
This message is brief for your comfort. Please use links below for details.

User-targeted report, see notes, if any.
http://www.spamcop.net/w3m?i=z3647119207z5c59b6609c8692db5377624e93af857bz
209.175.212.30 is open proxy, see: http://www.spamcop.net/mky-proxies.html
[ Comments from recipient regarding 209.175.212.30 ]
> dritz@glimmer:~% blq -ant 209.175.212.30 ; date
> 209.175.212.30 : cbl.abuseat.org : BLOCKED (127.0.0.2)
> Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=209.175.212.30
> => This is identified as the Ozdok/Mega-D spambot
> 209.175.212.30 : zen.spamhaus.org : BLOCKED (127.0.0.4)
> http://www.spamhaus.org/query/bl?ip=209.175.212.30
> 209.175.212.30 : bl.spamcop.net : BLOCKED (127.0.0.2)
> Blocked - see http://www.spamcop.net/bl.shtml?209.175.212.30
> 209.175.212.30 : bl.asnbl.org : BLOCKED (127.0.0.2)
> NO ACCESS for 209.175.212.30 - 209.175.212.30/32 blocked at
> 1225843877 - Spammers must die
> 209.175.212.30 : psbl.surriel.com : BLOCKED (127.0.0.2)
> Listed in PSBL, see http://psbl.surriel.com/listing?ip=209.175.212.30
> 209.175.212.30 : ix.dnsbl.manitu.net : BLOCKED (127.0.0.2)
> Spam sent to the mailhost mxg.netcologne.de was detected by NiX
> Spam at Tue, 04 Nov 2008 19:57:57 +0100, see
> http://www.dnsbl.manitu.net/lookup.php?value=209.175.212.30
> 209.175.212.30 : dnsbl-1.uceprotect.net : BLOCKED (127.0.0.2)
> IP 209.175.212.30 is UCEPROTECT-Level 1 listed. See
> http://www.uceprotect.net/rblcheck.php?ipr=209.175.212.30
> Wed Nov 5 03:44:42 UTC 2008
>

[ Additional comments from recipient ]
> dritz@glimmer:~/infected% clamscan the_Keys.zip | egrep FOUND\|OK ;
> sweep the_Keys.zip ; date
> the_Keys.zip: Trojan.Agent-59561 FOUND
> >>> Virus 'Mal/EncPk-CZ' found in file the_Keys.zip/The_Keys.doc .exe
> >>> Virus 'Troj/Invo-Zip' found in file the_Keys.zip
> Wed Nov 5 03:10:07 UTC 2008
>
> File the_Keys.zip received on 11.05.2008 04:48:16 (CET)
> Current status: finished
> Result: 14/36 (38.89%)
> Antivirus Version Last Update Result
> AntiVir 7.9.0.10 2008.11.04 HIDDENEXT/Worm.Gen
> Authentium 5.1.0.4 2008.11.04 W32/Trojan3.HI
> AVG 8.0.0.161 2008.11.05 Pakes.ALL
> ClamAV 0.94.1 2008.11.05 Trojan.Agent-59561
> F-Prot 4.4.4.56 2008.11.04 W32/Heuristic-300!Eldorado
> F-Secure 8.0.14332.0 2008.11.05 Trojan.Win32.Agent.alur
> Ikarus T3.1.1.45.0 2008.11.05 Win32.SuspectCrc
> Kaspersky 7.0.0.125 2008.11.05 Trojan.Win32.Agent.alur
> McAfee 5424 2008.11.04 Generic Malware.a!zip
> Prevx1 V2 2008.11.05 Malicious Software
> SecureWeb-Gateway 6.7.6 2008.11.05 Virus.HIDDENEXT/Worm.Gen
> Sophos 4.35.0 2008.11.05 Mal/EncPk-CZ
> Symantec 10 2008.11.05 W32.SillyFDC
> TheHacker 6.3.1.1.138 2008.11.04 W32/Generic!zip-dobleextension
> Additional information
> File size: 25506 bytes
> MD5...: 4d506e977ade84a30bf6b11460151e44
> SHA1..: 5b33dbf523809cae1f6f632e3d6e1fb976a1ea1c
> SHA256: 2ba9a90f2816076ebbbeeaf11c3bb4ee89021d1bcc325b475437e1b96f5b8322
> SHA512: 17ce943ee58cb8f11d446c40768636ca015807415205005db1878acc52536a74002e0953532f1ef127db0c9128fc6738769628b724913950a08211b270391e97
> TrID..: File type identification
> ZIP compressed archive (100.0%)
> Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FF3F09BA00272030A8510055C352F70004FE0F33
>

- --
David Ritz <dritz+...@mindspring.com>
Be kind to animals; kiss a shark.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>

iD8DBQFJESA/UrwpmRoS3usRAnwCAKDDjpu4esrBO5HmFmKAz/mYaH3nZwCfTbtx
owvGy1RRNx1dzxyk0chvxfA=
=+6ZB
-----END PGP SIGNATURE-----

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
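Added example, not part of David Ritz's post and not code from blq, SpamCop or any of the scanners named above: Python that does by hand what the report above does with whois, blq and a zip listing. It walks the Received chain newest-to-oldest and stops at the first stamp from a host it does not trust, so the forged-looking "by sm02.internetmailserver.net" hop is never believed; it builds the reversed-octet DNSBL query name that a lookup tool sends; it decodes the 127.0.0.N answer from zen.spamhaus.org; and it flags a zip member named in the "The_Keys.doc .exe" style. The sample headers are re-folded from the report with continuation whitespace restored, the trusted-host set, the ZEN return-code table and the extension lists are assumptions stated in the comments.

```python
"""Triage helpers for a spam/malware report of the kind shown above."""
import ipaddress
import re

# Constructed sample: the Received chain from the report, re-folded with the
# leading whitespace that RFC 5322 continuation lines carry on the wire.
SAMPLE_HEADERS = (
    "Received: from glimmer.mako.ath.cx (localhost [127.0.0.1])\n"
    "\tby glimmer.local (Postfix) with ESMTP id 192EB2703AB8\n"
    "\tfor <x>; Tue, 4 Nov 2008 20:03:59 -0600 (CST)\n"
    "Received: from pop.mindspring.com\n"
    "\tby glimmer.mako.ath.cx with POP3 (fetchmail-6.3.8)\n"
    "\tfor <x> (single-drop); Tue, 04 Nov 2008 20:03:59 -0600 (CST)\n"
    "Received: from noehlo.host ([127.0.0.1])\n"
    "\tby wanamaker.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP"
    " id 1kXxoE4kz3Nl3oJ1; Tue, 4 Nov 2008 20:41:24 -0500 (EST)\n"
    "Received: from www.eldorado.k12.il.us ([209.175.212.30])\n"
    "\tby wanamaker.mail.atl.earthlink.net (EarthLink SMTP Server) with ESMTP"
    " id 1kXxow1UA3Nl3oJ1; Tue, 4 Nov 2008 20:41:18 -0500 (EST)\n"
    "Received: from [209.175.212.30] by sm02.internetmailserver.net;"
    " Tue, 4 Nov 2008 19:41:22 -0600\n"
    "Subject: Recovery KEYS for your account\n"
)

# Assumption: stamps from our own MTA, our fetchmail host and the provider's
# inbound relay named in the headers are trustworthy; nothing else is.
TRUSTED_BY = {"glimmer.local", "glimmer.mako.ath.cx",
              "wanamaker.mail.atl.earthlink.net"}

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)


def unfold(raw):
    """Join RFC 5322 continuation lines (leading SP/HTAB) onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_hops(raw):
    """Received header bodies, newest first, in message order."""
    return [line[len("Received:"):].strip()
            for line in unfold(raw) if line.lower().startswith("received:")]


def originating_ip(hops, trusted_by=TRUSTED_BY):
    """Walk newest-to-oldest. The first public client address stamped by a
    host we trust is the real connecting IP. Stop at the first stamp from an
    untrusted host: every hop below it is only the sender's own claim."""
    for hop in hops:
        m_by = BY_HOST.search(hop)
        if not m_by or m_by.group(1).lower() not in trusted_by:
            break
        client = hop[:m_by.start()]      # the "from ..." part only
        m_ip = BRACKET_IP.search(client)
        if not m_ip:
            continue                      # e.g. the fetchmail POP3 pickup
        addr = ipaddress.ip_address(m_ip.group(1))
        if addr.is_global:
            return str(addr)
    return None


# Assumption: Spamhaus ZEN return codes as Spamhaus publishes them. The
# report's zen answer 127.0.0.4 falls in the XBL range, which carries CBL data.
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: the name a DNSBL client resolves."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_zen(answer):
    """Map a 127.0.0.N answer from zen.spamhaus.org to its sub-list."""
    last = int(answer.rsplit(".", 1)[1])
    return ZEN_CODES.get(last, "unknown code %s" % answer)


# Assumption: a small set of executable and decoy-document extensions.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"doc", "pdf", "txt", "jpg", "xls", "html"}


def disguised_executable(member_name):
    """True for names like 'The_Keys.doc .exe': an executable extension behind
    a decoy document extension and/or whitespace that pushes it out of view."""
    stem, dot, ext = member_name.rstrip().rpartition(".")
    if not dot or ext.lower() not in EXEC_EXT:
        return False
    padded = stem != stem.rstrip()
    inner = stem.rstrip().rpartition(".")[2].lower()
    return padded or inner in DECOY_EXT


def triage(raw_headers, member_names,
           zones=("zen.spamhaus.org", "cbl.abuseat.org")):
    """One pass: origin IP, the DNSBL names to look up, disguised members."""
    ip = originating_ip(received_hops(raw_headers))
    return {
        "origin": ip,
        "dnsbl_queries": [dnsbl_query_name(ip, z) for z in zones] if ip else [],
        "disguised": [n for n in member_names if disguised_executable(n)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS, ["The_Keys.doc .exe"]))
```

The DNS queries themselves are left to the caller on purpose: the function only produces the name to resolve, so the logic can be checked offline against the report's answers (zen 127.0.0.4, cbl 127.0.0.2) before it is pointed at a live resolver.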
