Thursday 23 February 2012

HP OfficeJet spam / cruoinaikklaoifpa.ru and upjachkajasamns.ru

This isn't from an HP OfficeJet; the attachment leads to malware.

Date:      Thu, 22 Feb 2012 05:04:38 +0700
From:      scanner@victimdomain.com
Subject:      Fwd: Re: Scan from a Hewlett-Packard Officejet #19152659
Attachments:     HP_Officejet_02-23_OFCJET88353.htm

Attached document was scanned and sent to you using a Hewlett-Packard HP OfficeJet 34612A.

Sent by: FELICE
Images : 0
Attachment Type: .HTML [Internet Explorer]

HP Officejet Location: --

The .htm file attempts to redirect the victim to a malicious page at cruoinaikklaoifpa.ru:8080/images/aublbzdni.php and, as with this recent spate of ".ru:8080" sites, it is multihomed. It then tries to download additional malware from upjachkajasamns.ru:8080/images/jw.php?i=8 on the same IP addresses. The list is pretty similar to this one with a few additions.

(Amazon Data Services, Ireland)
(Steadfast Networks, US)
(Slicehost US)
(Slicehost US)
(Colopronto, US)
(MVN Systems Ltd, Bulgaria)
(Serbia Telekom, Serbia)
(Free SAS / ProXad, France)
(Optimate-server, Germany)
(VPS.net Atlanta / Hosting Services Inc, US)
(Bharti Infotel, India)
(Web24 Pty, Australia)
(Universitat Politecnica de Catalunya, Spain)
(Slicehost US)
(Slicehost US)
(Slicehost US)
(OVH SAS, France)
(Telemax, Peru)
(ECSuite, US)
(Century Telecom Ltda, Brazil)
(SystemInPlace, US)
(Slicehost, US)
(Commission For Science And Technology, Pakistan)
(Commission For Science And Technology, Pakistan)
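As an added illustration of the attachment behaviour described above (my example, not code from this blog or from the spam run), here is a small Python checker that pulls redirect targets out of an .htm attachment and flags the ones pointing at ".ru:8080" hosts. The HTML sample is constructed, since the post does not reproduce the file; only the destination URL is taken from the post.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an .htm attachment of the kind described in the post
# (meta refresh plus a JavaScript fallback); not the real file.
SAMPLE_HTM = """<html><head>
<meta http-equiv="refresh" content="0;url=http://cruoinaikklaoifpa.ru:8080/images/aublbzdni.php">
<script>window.location.href="http://cruoinaikklaoifpa.ru:8080/images/aublbzdni.php";</script>
</head><body>Please wait...</body></html>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
RU_8080_RE = re.compile(r"https?://[^/]+\.ru:8080/", re.IGNORECASE)


class RedirectTargets(HTMLParser):
    """Collect redirect destinations from meta refresh tags and inline scripts."""

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.IGNORECASE)
            if m:
                self.targets.append(m.group(1).strip("'\""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; only look at location changes.
        if self._in_script and "location" in data:
            self.targets.extend(URL_RE.findall(data))


def suspicious_redirects(htm):
    """Return the unique redirect targets whose host matches the .ru:8080 pattern."""
    p = RedirectTargets()
    p.feed(htm)
    return sorted({u for u in p.targets if RU_8080_RE.match(u)})


if __name__ == "__main__":
    for url in suspicious_redirects(SAMPLE_HTM):
        print("redirect to suspicious host:", url)
```

A mail gateway would run this over every .htm attachment and quarantine on any hit; the host pattern is the one this post describes, so widen it as the campaign changes.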

A plain list for copy-and-pasting:
