“A very warm invitation to you” Spam Email

“A very warm invitation to you” email being delivered, courtesy of a mass-spam run

September 17th, 2010
Posted by Craig Schmugar

McAfee Labs has been monitoring a spam run that was launched earlier today. The message is as follows:
Subject: A very warm invitation to you
Body:
Hello,
Hope your week has been wonderfull well. I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.
With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
will be served at the festival. Besides the spread, cultural and folkloric performances, music, games for children, and activities will be part of the day’s programme.
This once a year event brings all of our friends and family from around the Bay Area, an expression of the internationality of our community, mission and work here. At the same time, the festival is also a fund-raising initiative open to all, which is important for us in the ongoing Verbum Dei mission here in the Bay Area.
I really look forward to your coming to be able to catch up more. More details are in the attached invitation, I hope the directions woul be helpful in navigating the way to the St. Thomas More parish.
With joy and peace to you,
Collin Vaughan
Attachment: #####vacation.html
(most typically, but the name varies; #####.xls.html, #####wachovia summons.html, #####randolph-revisedplans.html and others have also been seen)
The attachments are all identical and contain an encoded JavaScript that redirects the browser to a web page on the numerouno-india.com domain.
That destination page performs a second redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (whose target is a page on the arestyute.com domain).
The redirect domain displays the standard fake antivirus "scanning" animation, followed by a prompt to download an executable:
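The attachment chain above (an HTML file whose only job is to run an encoded script and bounce the browser to a first-stage URL) is the part a mail gateway can triage without executing anything. The following Python is an added example and is not code from the original post or from McAfee: it flags decoy double extensions such as `.xls.html`, looks for the usual obfuscation calls inside `<script>` blocks, peels off `unescape()` percent-encoding layers, and lists any URLs that emerge. The sample attachment, its `example.invalid` URL and the `triage_attachment` name are constructed for the example; the real attachments were not published, so the encoding used here is a stand-in.

```python
import re
from urllib.parse import unquote

# Constructed sample attachment: hides a redirect behind one layer of
# percent-encoding, the way the HTML attachments described above hide theirs.
SAMPLE_HTML = (
    "<html><body><script>"
    "document.write(unescape('%3Cscript%3Ewindow.location%3D%22"
    "http%3A%2F%2Fexample.invalid%2Fin.php%22%3C%2Fscript%3E'));"
    "</script></body></html>"
)

# Calls that are rarely needed in a legitimate invitation but are the bread
# and butter of obfuscated redirectors.
DANGEROUS_CALLS = (
    "unescape(", "eval(", "document.write(", "fromCharCode(",
    "window.location", "location.href", "location.replace(",
)

# Extensions commonly placed in front of ".html" so a casual look sees a document.
DECOY_EXTENSIONS = {"xls", "doc", "pdf", "ppt", "jpg", "zip", "txt", "rtf"}

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def suspicious_filename(name):
    """True for names like 'foo.xls.html': a decoy extension directly before .html/.htm."""
    parts = name.lower().split(".")
    if len(parts) < 3 or parts[-1] not in ("html", "htm"):
        return False
    return parts[-2] in DECOY_EXTENSIONS


def decode_layers(script, max_layers=5):
    """Return the script plus each successive unescape() payload, decoded, until none remain."""
    layers = [script]
    for _ in range(max_layers):
        found = UNESCAPE_RE.findall(layers[-1])
        if not found:
            break
        layers.append(unquote(found[0]))
    return layers


def triage_attachment(name, content):
    """Classify one HTML attachment; returns findings and any URLs recovered from the script."""
    findings = []
    if suspicious_filename(name):
        findings.append("decoy extension before .html")
    urls = set()
    for script in SCRIPT_RE.findall(content):
        for layer in decode_layers(script):
            calls = [c for c in DANGEROUS_CALLS if c in layer]
            if calls:
                findings.append("script uses " + ", ".join(calls))
            urls.update(URL_RE.findall(layer))
    return {"flagged": bool(findings), "findings": findings, "urls": sorted(urls)}


if __name__ == "__main__":
    result = triage_attachment("invoice.xls.html", SAMPLE_HTML)
    for line in result["findings"]:
        print("finding:", line)
    for url in result["urls"]:
        print("redirect target:", url)
```

The decoder only handles `unescape()` nesting; real kits also use `String.fromCharCode`, XOR loops and split-and-join tricks, which is why the call list is checked on every layer rather than only on the decoded result. The recovered URL is the value to feed into the web-reputation lookups the post goes on to describe.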
[Figure: fake scanning image]
[Figure: download prompt]
[Figure: icon used by executable]
The iframe leads to a cocktail of exploits, including a Java Deployment Toolkit exploit (CVE-2010-0886) as well as exploits targeting Adobe Flash and Adobe Reader/PDF vulnerabilities (CVE-2007-5659, CVE-2008-2992 and CVE-2010-0188 among them).
The payload of these exploits is a password-stealing trojan. The trojan copies itself to a randomly named folder and file under the %AppData% directory and creates a registry Run key so the copy is loaded at startup, for example:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    “{608F1285-57B7-C631-DE51-8A99508CC7A9}” = “C:\Documents and Settings\Administrator\Application Data\Ezudi\oqek.exe”
This password stealer injects into the Internet Explorer process (iexplore.exe) and targets dozens of mainstream financial institutions. It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.
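The persistence mechanism above (a Run value named like a GUID, pointing at a short random-looking path under Application Data) is easy to spot in a registry export. The following Python is an added example, not code from the original post or from McAfee: it parses the output of `reg export` for the user and machine Run keys and scores each entry on those traits. The `ctfmon.exe` entry in the sample export is constructed as a benign control; the GUID-named entry reproduces the indicator quoted in the post. The function names and the heuristic thresholds are this example's own choices.

```python
import re

# Constructed sample in `reg export` format: one benign entry (ctfmon.exe, made up
# for contrast) and the Run value quoted in the post above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"{608F1285-57B7-C631-DE51-8A99508CC7A9}"="C:\\Documents and Settings\\Administrator\\Application Data\\Ezudi\\oqek.exe"
'''

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Per-user data directories on XP ("Application Data") and Vista+ ("AppData\Roaming|Local").
APPDATA_RE = re.compile(r"\\(Application Data|AppData\\(Roaming|Local))\\", re.I)
VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_run_entries(export_text):
    """Yield (key, value_name, command) for every string value under a Run key."""
    entries = []
    current_key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_LINE_RE.match(line)
        if m and current_key and current_key.lower() in RUN_KEYS:
            # reg export doubles backslashes and escapes quotes; undo that.
            name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append((current_key, name, value))
    return entries


def looks_random(token):
    """Weak signal: a short, purely alphabetic name such as 'Ezudi' or 'oqek'."""
    return 3 <= len(token) <= 7 and token.isalpha()


def score_entry(name, command):
    """Return the reasons an autorun entry resembles the trojan's persistence, if any."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("GUID-shaped value name")
    path = command.strip('"')
    if APPDATA_RE.search(path):
        reasons.append("binary runs from a user profile data directory")
    parts = path.split("\\")
    if len(parts) >= 2:
        stem = parts[-1][:-4] if parts[-1].lower().endswith(".exe") else parts[-1]
        if looks_random(parts[-2]) and looks_random(stem):
            reasons.append("random-looking folder and file name (weak signal)")
    return reasons


def triage_run_keys(export_text):
    """List the Run entries that trip at least one heuristic."""
    hits = []
    for key, name, command in parse_run_entries(export_text):
        reasons = score_entry(name, command)
        if reasons:
            hits.append({"key": key, "name": name, "path": command, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage_run_keys(SAMPLE_REG_EXPORT):
        print(hit["name"], "->", hit["path"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

On a live host the same text comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, one export per user hive; the GUID-name and AppData-path checks are the strong signals, and the random-name check is there to rank rather than decide.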

  • The fake AV executable was detected by Global Threat Intelligence File Reputation at the time of this writing when running at Very Low sensitivity or higher.
  • The 1st-stage domain (numerouno-india.com) is rated RED by TrustedSource and SiteAdvisor.
  • The 2nd-stage domains (arestyute.com and scaner-g.cz.cc) are rated RED by TrustedSource and SiteAdvisor.
  • The 3rd-stage domains (ohmaebahsh.ru and eexiziedai.ru) have been rated RED by TrustedSource and SiteAdvisor for weeks.
  • DAT file coverage is being added under the following names: