Good old 'card waiting' e-mail

  • Thread starter: Duh_OZ

Duh_OZ

Haven't received a greeting card e-mail in quite some time.

Link took me to some html page that led to:
hxxp://64.60.xxx.xxx/GreetingCardNr0410112528543.flash.exe

Submitted to Virus Total and the ones that reported malware are below:
=============
AntiVir 6.35.0.13 TR/Spy.Banker.fas
Avast 4.7.844.0 Win32:Hidewindows
DrWeb 4.33 Trojan.Flood.22016
Fortinet 2.77.0.0 W32/IrcScorp.A!tr.bdr
Ikarus 0.2.65.0 Backdoor.IRC.Zapchast
Kaspersky 4.0.2.24 not-a-virus:RiskTool.Win32.HideWindows
NOD32v2 1.1607 Win32/HideWindow
=============

IP originated to Telepacific Communication - they have been notified.
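The link in the post above has three warning signs a mail filter can score without touching the file itself: a bare IP host, a direct `.exe` download, and a double extension that dresses the executable up as Flash content. The following triage check is an added example for this thread, not code posted by anyone in it; the function names and the "reasons" list format are my own, and the check tolerates octets masked as `xxx` the way the post masks them.

```python
import re
from urllib.parse import urlparse

# File types Windows runs directly when a user opens the download.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}

def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into something urlparse accepts."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def looks_like_ip_host(host):
    """True for dotted-quad hosts; octets redacted as 'xxx' (as in the post) still count."""
    octets = host.split(".")
    return len(octets) == 4 and all(o.isdigit() or set(o) == {"x"} for o in octets)

def triage_download_link(url):
    """Return the list of reasons a link deserves suspicion; empty means nothing flagged."""
    parsed = urlparse(refang(url))
    host = parsed.hostname or ""
    reasons = []
    # Greeting-card services send links to their registered domain, not a raw IP.
    if looks_like_ip_host(host):
        reasons.append("host is a raw IP address")
    filename = parsed.path.rsplit("/", 1)[-1]
    parts = filename.lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"direct download of executable (.{parts[-1]})")
        # 'card.flash.exe' style names hide the real type behind a harmless-looking one.
        if len(parts) >= 3:
            reasons.append(f"double extension disguises executable as .{parts[-2]}")
    if re.search(r"greeting|card|postcard|ecard", filename, re.IGNORECASE):
        reasons.append("filename mimics a greeting card")
    return reasons

if __name__ == "__main__":
    # Constructed input: the defanged URL from the post.
    for r in triage_download_link("hxxp://64.60.xxx.xxx/GreetingCardNr0410112528543.flash.exe"):
        print("-", r)
```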
 
From: "Duh_OZ" <[email protected]>

| Haven't received a greeting card e-mail in quite some time.
|
| Link took me to some html page that led to:
| hxxp://64.60.xxx.xxx/GreetingCardNr0410112528543.flash.exe
|
| Submitted to Virus Total and the ones that reported malware are below:
| =============
| AntiVir 6.35.0.13 TR/Spy.Banker.fas
| Avast 4.7.844.0 Win32:Hidewindows
| DrWeb 4.33 Trojan.Flood.22016
| Fortinet 2.77.0.0 W32/IrcScorp.A!tr.bdr
| Ikarus 0.2.65.0 Backdoor.IRC.Zapchast
| Kaspersky 4.0.2.24 not-a-virus:RiskTool.Win32.HideWindows
| NOD32v2 1.1607 Win32/HideWindow
| =============
|
| IP originated to Telepacific Communication - they have been notified.

Based upon the limited detection shown on Virus Total, please send me the REAL URL so I can
make sure all the AV companies recognize this infector.

Just remove ~nospam~ from my posted address.
 
David said:
Based upon the limited detection shown on Virus Total, please send me the REAL URL so I can
make sure all the AV companies recognize this infector.
Virus Total does send submitted files to the vendors, correct?

Anyway e-mail sent with the URL (still up at this time).

I zipped the file down and sent it to four different e-mail clients (you
can never have too many!) to see if their AV scanners for attachments
would catch it. All failed. One was Trend-Micro, another McAfee,
Norton and oops, I forget the other one D'OH.

Perusing one of the malware names it looks like it was just launched
within the last several days.
 
From: "Duh_OZ" <[email protected]>


| Virus Total does send submitted files to the vendors, correct?
|
| Anyway e-mail sent with the URL (still up at this time).
|
| I zipped the file down and sent it to four different e-mail clients (you
| can never have too many!) to see if their AV scanners for attachments
| would catch it. All failed. One was Trend-Micro, another McAfee,
| Norton and oops, I forget the other one D'OH.
|
| Perusing one of the malware names it looks like it was just launched
| within the last several days.

Samples submitted to Virus Total are *only* provided to participating vendors and they are
not supplied in a priority fashion.

There are many vendors from GEOT and Comodo to Ahnlab that are presently not participating
with Virus Total.
 
On that special day, Duh_OZ, ([email protected]) said...
IP originated to Telepacific Communication - they have been notified.

This is what *I* got as a reply


<bounce message>

This is the Postfix program at host xray-d.telepacific.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<[email protected]>: host vipmail3.telepacific.net[64.60.0.235] said: 553
sorry, your envelope sender is in my badmailfrom list (#5.7.1) (in reply to RCPT TO command)

</bounce>

TOL is the largest ISP of Germany, and they block it, because of a
"badmailfrom list". Are they nuts?


Gabriele Neukam
