
Tuesday 27 March 2012

USPS Spam / 184.82.202.46

From WeAreSpammers:

This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia; most likely a hacked legitimate site), then it goes to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). Originating IP is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.

---

From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.

Your USPS delivery
Acct #: 9869890

Dear client:

This is an email confirmation for your order of 5 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #7887095
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $23.88
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 1653  4367  1992  2294  3630  (Sequence Number 1 of 1)



If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions .

Refunds for unused postage-paid labels can be requested online up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution

Click-N-Ship has just made on line shipping with the USPS even better.

New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message

3 comments:

1 said...

I have investigated this. It uses a Java exploit which affects 6 Update 30 or lower, using "Pol.jar" on the same IP.

Once that executes, the Java downloads a .exe from the same IP and steals passwords and stored certificates on the infected computer. It may do other things, but it also appears that the .exe is blocked from running in a Virtual Machine, so it is making investigation more tedious.

1 said...

Done more investigating.

Breaking out of java with no user interaction:
http://new.tinygrab.com/f799a659196122b2ca55845edfdb130fbd6f230f31.png

It is the Zbot trojan that steals passwords stored on the system, such as Outlook, VPN, Internet Explorer saved passwords, etc.

It modifies your internet settings to reduce security levels.

It seems to use an encrypted p2p system to communicate with its owner.

ANYONE WHO MAY HAVE OPENED THIS EMAIL SHOULD CHANGE ALL PASSWORDS ASAP!

To check if you have this bit of junk look in:
C:\Documents and Settings\USERNAME\Application Data

Using "dir /a" so you see hidden files.

Then look in each sub folder for a single .exe with a random name:
Directory of C:\Documents and Settings\example\Application Data\Arovo

20/01/2012 12:33 <DIR> .
20/01/2012 12:33 <DIR> ..
20/01/2012 12:33 262,696 epawsa.exe
1 File(s) 262,696 bytes
2 Dir(s) 11,232,079,872 bytes free

In my case, this was the junk.
Rename this file.

Reboot.

Re-scan with AV software.

Ask an expert if you are unsure.

1 said...

Further to the above, the folder on Vista / Windows 7 etc. will be
c:\users\username\appdata\roaming
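The check the two comments above describe (list each subfolder of the roaming profile, XP's "Application Data" or Vista/7's "AppData\Roaming", with hidden files included, and look for a folder holding a single randomly named .exe) can be scripted so it is run the same way every time. The following is an added example written for this page, not code from the post or its commenters. It looks only for the pattern in the thread (a subfolder containing exactly one .exe) and reports whether that .exe is the folder's only file, which is the strongest match to the listing shown; the demo profile tree it builds is constructed here, mirrors the "Arovo\epawsa.exe" listing and contains no real malware. Flagged folders are candidates for a human to review, not a verdict.

```python
import os
import tempfile
from pathlib import Path

# Per-user roaming profile roots named in the thread. On non-Windows hosts the
# %VAR% forms stay literal, the directories do not exist and nothing is scanned.
DEFAULT_ROOTS = [
    os.path.expandvars(r"%APPDATA%"),                         # Vista / Windows 7+: C:\Users\<user>\AppData\Roaming
    os.path.expandvars(r"%USERPROFILE%\Application Data"),    # Windows XP
]


def find_lone_exe_dirs(root):
    """Return one dict per immediate subfolder of `root` that holds exactly one .exe.

    Path.iterdir() returns hidden files as well, the same as `dir /a`, so a hidden
    dropper is not missed. `only_file` is True when the .exe is the folder's sole entry.
    """
    hits = []
    root = Path(root)
    if not root.is_dir():
        return hits
    for sub in sorted(p for p in root.iterdir() if p.is_dir()):
        entries = list(sub.iterdir())
        exes = [e for e in entries if e.is_file() and e.suffix.lower() == ".exe"]
        if len(exes) != 1:
            continue
        exe = exes[0]
        hits.append({
            "folder": sub.name,
            "exe": exe.name,
            "size": exe.stat().st_size,
            "only_file": len(entries) == 1,
        })
    return hits


def build_demo_tree():
    """Constructed sample profile (assumption: not a real infected machine).

    Mirrors the listing in the comment: one folder with a single .exe of 262,696
    bytes, plus ordinary folders that should not be flagged and one folder whose
    .exe sits next to a log file (flagged, but not as the sole file).
    """
    base = Path(tempfile.mkdtemp(prefix="appdata_demo_"))
    (base / "Arovo").mkdir()
    (base / "Arovo" / "epawsa.exe").write_bytes(b"MZ" + b"\0" * (262696 - 2))
    (base / "Microsoft" / "Crypto").mkdir(parents=True)
    (base / "Microsoft" / "settings.ini").write_text("[x]\n")
    (base / "Mozilla").mkdir()
    (base / "Mozilla" / "profiles.ini").write_text("[General]\n")
    (base / "Updater").mkdir()
    (base / "Updater" / "update.exe").write_bytes(b"MZ")
    (base / "Updater" / "update.log").write_text("ok\n")
    return base


def report(root):
    """Print flagged folders for `root` in a dir-like layout and return the hits."""
    hits = find_lone_exe_dirs(root)
    for h in hits:
        marker = "SOLE FILE" if h["only_file"] else "with other files"
        print(f"{root}\\{h['folder']}\\{h['exe']}  {h['size']:,} bytes  ({marker})")
    return hits


if __name__ == "__main__":
    # Scan the real profile roots when they exist, otherwise the constructed demo tree.
    roots = [r for r in DEFAULT_ROOTS if Path(r).is_dir()] or [build_demo_tree()]
    for r in roots:
        report(r)
```

Run it as the user whose profile is being checked, then treat each flagged folder the way the comment suggests: rename the file rather than delete it, reboot, and re-scan with up-to-date AV before deciding it is clean.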