Sponsored by..

Monday 12 March 2012

"Scan from a Xerox W. Pro" spam / cjjasjjikooppfkja.ru

A fairly familiar spam with a malicious attachment:

Date:      Mon, 12 Mar 2012 08:32:11 +0100
From:      "KATELYN NEAL"
Subject:      Fwd: Scan from a Xerox W. Pro #0099345
Attachments:     Xerox_Workcentre_03.08_FZ1820.htm

Please open the attached document. It was scanned and sent

to you using a Xerox WorkCentre Pro.



Sent by: Guest
Number of Images: 1
Attachment File Type: .HTML

WorkCentre Pro Location: machine location not set
Device Name: XRX318AA5BSX3515459
The attachment leads to a malicious page at cjjasjjikooppfkja.ru:8080/images/aublbzdni.php. This domain is multihomed at:

62.85.27.129 (Microlink Latvia Ltd, Latvia)
83.238.208.55 (Netia SA, Poland)
89.218.55.51 (Kazakhtelecom, Kazakhstan)
95.156.232.102 (Optimate-Server, Germany)
111.93.161.226 (Tata Teleservices, India)
118.97.9.60 (Telekomunikasi, Indonesia)
125.19.103.198 (Bharti Infotel, India)
190.81.107.70 (Telmex, Peru)
200.169.13.84 (Century Telecom Ltda, Brazil)
210.56.23.100 (Commission for Science and Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet Inc, Japan)

Plain list:
62.85.27.129
83.238.208.55
89.218.55.51
95.156.232.102
111.93.161.226
118.97.9.60
125.19.103.198
190.81.107.70
200.169.13.84
210.56.23.100
210.109.108.210
211.44.250.173
219.94.194.138

Blocking hese IPs would be a good idea.

No comments: