Another spam run (will they ever end?), this time with a malicious .htm attachment that tries to download from
cpojkjfhotzpod.ru. Here are some examples:
Date: Wed, 21 Feb 2012 07:17:49 +0800
From: "LARUE Riley"
Subject: Fw: Contract from LARUE
Attachments: Contract_Scan_N5005.htm
Good afternoon,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
LARUE Riley, secretary
==========
Date: Wed, 21 Feb 2012 05:17:01 +0700
From: "DELORIS Hensley"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N0395.htm
Dear Customers,
In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
Best regards,
DELORIS Hensley, secretary
===========
Date: Wed, 21 Feb 2012 09:10:09 +0900
From: "ALISHA MCMILLIAN"
Subject: Fw: Contract from ALISHA
Attachments: Contract_Scan_N67448.htm
Dear Customers,
In the attached file I am transferring you the Translation of the Sales Contract
that I have just received today. I am really sorry for the delay.
Best regards,
ALISHA MCMILLIAN, secretary
==========
Date: Wed, 21 Feb 2012 04:41:45 +0700
From: "Drake Milton"
Subject: Fw: Contract of 09.06.2011
Attachments: Contract_Scan_N7682.htm
Hello,
In the attached file I am forwarding you the Translation of the Purchase Contract
that I have just received a minute ago. I am really sorry for the delay.
Best regards,
Drake Milton, secretary
==========
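The four samples above share a fixed shape: a forwarded "Contract" subject, an HTML attachment named Contract_Scan_N&lt;digits&gt;.htm, and an attachment body that pulls content from an external host. The following is an added example (not part of the original post) of a mail-gateway check that parses a raw message and reports those traits; the sample message, the sender address and the host payload-host.invalid are constructed placeholders, not values from the post.

```python
import re
from email import message_from_string

# Traits of this run: a forwarded "Contract" subject and an HTML attachment named
# Contract_Scan_N<digits>.htm whose body references an external host.
SUBJECT_RE = re.compile(r"^Fw:\s*Contract\b", re.IGNORECASE)
ATTACH_RE = re.compile(r"^Contract_Scan_N\d+\.html?$", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+(?::\d+)?)", re.IGNORECASE)


def external_hosts(html: str) -> list:
    """Hosts referenced by absolute URLs inside an HTML attachment (what it would fetch)."""
    return sorted(set(URL_HOST_RE.findall(html)))


def check_contract_scan_spam(raw: str) -> dict:
    """Parse a raw RFC 822 message and report which campaign traits it shows."""
    msg = message_from_string(raw)
    subject_hit = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    suspicious, hosts = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment" and ATTACH_RE.match(name):
            suspicious.append(name)
            body = part.get_payload(decode=True) or b""
            hosts += external_hosts(body.decode("utf-8", "replace"))
    return {"subject": subject_hit, "attachments": suspicious,
            "hosts": sorted(set(hosts)), "flag": subject_hit and bool(suspicious)}


# Constructed sample modelled on the first message in the post (placeholder sender and host).
SAMPLE = """From: "LARUE Riley" <sender@example.invalid>
Subject: Fw: Contract from LARUE
Date: Wed, 21 Feb 2012 07:17:49 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

In the attached file I am forwarding you the Translation of the Job Contract
that I have just received yesterday. I am really sorry for the delay.
--b1
Content-Type: text/html; name="Contract_Scan_N5005.htm"
Content-Disposition: attachment; filename="Contract_Scan_N5005.htm"

<html><body><script src="http://payload-host.invalid:8080/images/x.php"></script></body></html>
--b1--
"""

if __name__ == "__main__":
    print(check_contract_scan_spam(SAMPLE))
```

The returned `hosts` list is what you would compare against a blocklist or feed into a proxy/DNS log search for machines that already opened the attachment.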
The malicious payload is on
cpojkjfhotzpod.ru:8080/images/aublbzdni.php, which is multihomed on several IP addresses, most of which
we have seen before (and many of which are with Slicehost).