Sponsored by..

Sunday, 6 April 2014

"Produce & Information" / Media Trade Company spam

This spam email links to a malicious file:
From:     Media Trade info@mediatrade.com
Reply-To:     ourmediatrade@yahoo.com
Date:     6 April 2014 16:26
Subject:     Produce & Information

Good Day

How are you today?
This is Media Trade Company, we have interest in your product. And our company is planing on placing an order with your company, Please open and click on the pdf icon to see the attached document of our produce information and company details.

Thank you and have a nice day

Best regards

Attached is a file Our Produce Info.html which in turn contains a link to [donotclick]surevilla.h19.ru/Our%20Produce%20Info.exe hosted on (Agava Ltd, Russia). This IP address is suspected of badness and blocking it would be an prudent idea, alternatively you could block the dynamic DNS domain of h19.ru which is being abused in this case.

The malicious file has a detection rate of 25/51 at VirusTotal with some indication that this is either a variant of Zbot or some sort of ransomware. The Malwr analysis shows some sort of download taking place from [donotclick]ourdailyshopping.com/images/win/check/file.php hosted on Also, the Anubis analysis gives an idea as to the files created.

Of interest, this IP of belongs to a company I have never heard of called International Widespread Services Limited aka IWS Networks Ltd of the UAE. They also provide the mail relay used in the spam which is

Recommended blocklist:

I would also recommend that you consider blocking the domain h19.ru which may block some legitimate sites but should offer additional protection.

No comments: