This link goes to malware via baumanmarketing.com (195.78.33.120, Croatia, most likely a hacked legitimate site), then on to billdirect.jiffyinc.com (184.106.64.60, Slicehost UK) until it hits a malware page on 184.82.202.46 (HOSTNOC, US). The originating IP of the spam is 111.242.113.138 (HINET, Taiwan). A Wepawet report is available here.
---
From: Damon Mcneill USPS_Shipping_Services@usps.com
To: donotemail@wearespammers.com
Date: 27 March 2012 12:06
Subject: USPS postage labels order confirmation.
Acct #: 9869890

Dear client:

This is an email confirmation for your order of 5 online shipping label(s) with postage. We will charge you the following amount:

Transaction Number: #7887095
Print Date/Time: 03/13/2012 02:30 AM CST
Postage Amount: $23.88
Credit Card Number: XXXX XXXX XXXX XXXX

Priority Mail Regional Rate Box B # 1653 4367 1992 2294 3630 (Sequence Number 1 of 1)

If you need further information, please log on to www.usps.com/clicknship and go to your Shipping History or visit our Frequently Asked Questions. Refunds for unused postage-paid labels can be requested online up to 14 days after the issue date by logging on to your Click-N-Ship Account.

Thank you for choosing the United States Postal Service

Click-N-Ship: The Online Shipping Solution
Click-N-Ship has just made on line shipping with the USPS even better. New Enhanced International Label and Customs Form: Updated Look and Easy to Use!

* * * * * * * *

This is a post-only message
3 comments:
I have investigated this. It uses a Java exploit which affects 6 Update 30 or lower using "Pol.jar" on the same IP.
Once that executes, the Java downloads a .exe from the same IP and steals passwords and stored certificates on the infected computer. It may do other things, but it also appears that the .exe is blocked from running in a virtual machine, which is making investigation more tedious.
Done more investigating.
Breaking out of java with no user interaction:
http://new.tinygrab.com/f799a659196122b2ca55845edfdb130fbd6f230f31.png
It is the Zbot trojan that steals passwords stored on the system such as Outlook, VPN, internet explorer saved passwords etc.
It modifies your internet settings to reduce security levels.
It seems to use an encrypted p2p system to communicate with its owner.
ANYONE WHO MAY HAVE OPENED THIS EMAIL SHOULD CHANGE ALL PASSWORDS ASAP!
To check if you have this bit of junk look in:
C:\Documents and Settings\USERNAME\Application Data
Using "dir /a" so you see hidden files.
Then look in each sub folder for a single .exe with a random name:
Directory of C:\Documents and Settings\example\Application Data\Arovo

20/01/2012  12:33    <DIR>          .
20/01/2012  12:33    <DIR>          ..
20/01/2012  12:33           262,696 epawsa.exe
               1 File(s)        262,696 bytes
               2 Dir(s)  11,232,079,872 bytes free
In my case, this was the junk.
Rename this file.
Reboot.
Re-scan with AV software.
Ask an expert if you are unsure.
Further to the above, the folder on Vista / Windows 7 etc.. will be
c:\users\username\appdata\roaming
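The manual check described in the two comments above (one randomly named .exe sitting alone in its own subfolder of the roaming Application Data folder, on XP or on Vista/7) can be automated. The script below is an added example and is not code from the original post or from its commenters; the 4-to-8-letter file-name heuristic, the sample folder layout it builds for the demo, and the use of the APPDATA environment variable to locate the roaming folder on both Windows generations are assumptions made for the example, not published indicators. Anything it flags still needs confirmation with AV software, exactly as the comment says.

```python
"""Hunt for a lone, randomly named .exe in its own subfolder of roaming AppData.

Added example (not from the original post or its comments). It automates the
'dir /a' walk the commenters describe: each immediate subfolder of the roaming
Application Data directory (C:\\Documents and Settings\\<user>\\Application Data
on XP, C:\\Users\\<user>\\AppData\\Roaming on Vista/7) is listed, and a folder
whose entire contents is one .exe with a short, letters-only name is reported.
"""
import os
import re
import shutil
import sys
import tempfile

# Heuristic modelled on the name in the comment ("Arovo\\epawsa.exe"):
# 4 to 8 letters and nothing else. This is an assumption for the example,
# not a real signature; legitimate installers can use short names too.
RANDOM_NAME = re.compile(r"^[a-z]{4,8}\.exe$", re.IGNORECASE)


def roaming_appdata():
    """APPDATA is set on XP and on Vista+ and points at the roaming folder,
    so one lookup covers both paths named in the comments."""
    return os.environ.get("APPDATA") or os.path.join(
        os.path.expanduser("~"), "AppData", "Roaming")


def find_single_exe_dirs(root):
    """Return [(folder_path, exe_name)] for every subfolder of root whose only
    entry is a regular file matching RANDOM_NAME. os.listdir does not skip
    hidden files, so this sees what 'dir /a' sees."""
    hits = []
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder) or os.path.islink(folder):
            continue
        try:
            entries = os.listdir(folder)
        except OSError:
            continue  # unreadable folder: skip rather than abort the scan
        if len(entries) != 1:
            continue
        only = entries[0]
        if os.path.isfile(os.path.join(folder, only)) and RANDOM_NAME.match(only):
            hits.append((folder, only))
    return hits


def build_sample_tree(base):
    """Constructed sample layout: the comment's Arovo folder plus two benign
    folders that must not be flagged."""
    os.makedirs(os.path.join(base, "Arovo"))
    with open(os.path.join(base, "Arovo", "epawsa.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)  # placeholder bytes, not a real binary
    os.makedirs(os.path.join(base, "Mozilla"))  # several files: not flagged
    for n in ("profiles.ini", "updater.exe"):
        open(os.path.join(base, "Mozilla", n), "wb").close()
    os.makedirs(os.path.join(base, "Notepad++"))  # single non-exe: not flagged
    open(os.path.join(base, "Notepad++", "config.xml"), "wb").close()
    return base


def demo():
    """Run the scan over the constructed tree and clean up afterwards."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        return find_single_exe_dirs(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else roaming_appdata()
    if os.path.isdir(root):
        hits = find_single_exe_dirs(root)
    else:
        print("no such folder; scanning a constructed sample tree instead")
        hits = demo()
    for folder, exe in hits:
        print("suspicious:", os.path.join(folder, exe))
```

Run it with no arguments on the affected machine to scan the real roaming folder, or pass a path to scan somewhere else; off a Windows box it falls back to the constructed sample tree, where only the Arovo folder is reported. A hit is a lead, not a verdict: rename the file, reboot and re-scan with AV as the comment advises, and treat a match on a folder you do not recognise as reason to ask an expert.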