
Thursday 15 March 2012

"Scan from a Hewlett-Packard ScanJet " malware / dsakhfgkallsjfd.ru

Another malicious spam campaign, this time with an attachment leading to a malware payload at dsakhfgkallsjfd.ru:8080/images/aublbzdni.php

Date:      Thu, 15 Mar 2012 -01:08:49 -0800
From:      scanner@victimdomain.com
Subject:      Re: Fwd: Scan from a Hewlett-Packard ScanJet 92186094
Attachments:     HP_Document-15-905.htm

Attached document was scanned and sent to you using a Hewlett-Packard ScanJet 56348K.

SENT BY: LAKITA
PAGES : 2
FILETYPE: .HTML [Internet Explorer File]
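
As an added example, not code from the original post, the following Python filter flags messages carrying this lure using the indicators quoted above: the subject pattern, the HP_Document-*.htm attachment name and a reference to the payload host. The sample message, the content of the attachment body and the two-indicator threshold are assumptions made here.

```python
import re
from email import message_from_string

# Indicators taken from the post: the lure subject, the attachment naming
# scheme and the payload host. Everything else here is an assumption made
# for this example, not something the post states.
SUBJECT_RE = re.compile(r"Scan from a Hewlett-Packard ScanJet \d+", re.I)
ATTACH_RE = re.compile(r"^HP_Document-\d+-\d+\.html?$", re.I)
BAD_HOSTS = ("dsakhfgkallsjfd.ru",)

def lure_indicators(raw):
    """Return the list of indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        if ATTACH_RE.match(part.get_filename() or ""):
            hits.append("attachment")
        if part.get_content_type() == "text/html":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            hits.extend("payload-host" for h in BAD_HOSTS if h in body)
    return hits

def is_lure(raw):
    """Flag a message when two or more independent indicators agree."""
    return len(lure_indicators(raw)) >= 2

# Constructed sample modelled on the headers quoted in the post; the attachment
# body is assumed to reference the payload URL the post says it leads to.
SAMPLE = """\
From: scanner@victimdomain.com
Subject: Re: Fwd: Scan from a Hewlett-Packard ScanJet 92186094
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Attached document was scanned and sent to you using a Hewlett-Packard ScanJet 56348K.
--b1
Content-Type: text/html; name="HP_Document-15-905.htm"
Content-Disposition: attachment; filename="HP_Document-15-905.htm"

<html><body><a href="http://dsakhfgkallsjfd.ru:8080/images/aublbzdni.php">open</a></body></html>
--b1--
"""

if __name__ == "__main__":
    print(lure_indicators(SAMPLE), is_lure(SAMPLE))
```

Run it against mail spooled at the gateway; a single indicator (for example only the subject) is worth logging but not blocking on its own.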


There's further malicious code at dsakhfgkallsjfd.ru:8080/images/xlhwhrfvfsxubl.php (report here). The dsakhfgkallsjfd.ru domain is multihomed on the following IP addresses:


62.85.27.129 (Microlink Latvia Ltd, Latvia)
78.83.233.242 (Spectrum, Bulgaria)
78.107.82.98 (Vimpelcom, Russia)
83.238.208.55 (Netia, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
173.203.51.174 (Slicehost, US)
173.203.211.157 (Slicehost, US)
190.81.107.70 (Telmex, Peru)
194.85.97.121 (State Technical University of Saint-Petersburg, Russia)
200.169.13.84 (Century Telecom Ltda, Brazil)
202.149.85.37 (Satata Net, Indonesia)
209.114.47.158 (Slicehost, US)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.56.24.226 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

