Another fake "contract" spam leading to malware, hosted on chredret.ru .
Date: Tue, 27 Dec 2011 06:06:18 +0700
From: "Destinee Mills"
Subject: The variant of the contract you've offered has been delcined.
After our legal department studied this contract carefully, they've noticed the following mismatches with our previous arrangements. We've composed a preliminary variant of the new contract, please study it and make sure that all the issues are matching your interests
NEW_Contract.doc 44kb
With best wishes
Destinee Mills
Another name used on the spam is "Ramiro Howell", although there are probably hundreds of fake names. The malicious payload is at chredret.ru/main.php, hosted on
46.249.37.22 (Serverius Holding BV, Netherlands). This is the second "
redret" domain in this /24, so blocking
46.249.37.0/24 might be prudent.
No comments:
Post a Comment