[Scspamcop] Re: Spanish on the Fly
Mike Easter
MikeE at ster.invalid
Fri Jul 18 04:10:01 EDT 2008
rooster wrote:
> Mike Easter wrote:
>> rooster wrote:
>>> I was poking about trying to find out what the
>>> spamvertized site <http://jaav[dot]es> is
>>> supposed to be in aid of.
That isn't the spamvertised pathname. The payload is here
<munged> http://jaav [dot] es/about.html which is carrying a script to
download watch.exe
>> Maybe there's a clue in the original spam. Tracker?
>
> http://www.spamcop.net/sc?id=z2076517921z9eb57f5cd94109dd3747b885e556d005z
The body sez:
Israeli intelligence uncovers plot to kill Tony Blair in latest terror
reports
<munged> http://jaav [dot] es/about.html
... which is to propagate this^1 dropper.
So the spam recipient is supposed to open the spam, be interested in what
it is about, click the link, see that there is a 'youtube' type video
there to watch, click the executable to watch the video and become
infected.
^1 File watch.exe received on 07.18.2008 09:58:23 (CET)
Antivirus;Version;Last Update;Result
AhnLab-V3;2008.7.17.0;2008.07.18;Win-Trojan/Agent.82944.AG
AntiVir;7.8.0.68;2008.07.18;TR/Crypt.XPACK.Gen
Authentium;5.1.0.4;2008.07.18;W32/Downldr2.CGIC
Avast;4.8.1195.0;2008.07.18;Win32:Trojan-gen {Other}
AVG;8.0.0.130;2008.07.17;Downloader.Banload.YHT
BitDefender;7.2;2008.07.18;Trojan.Downloader.Exchanger.Gen.1
CAT-QuickHeal;9.50;2008.07.17;TrojanDownloader.Agent.vyi
ClamAV;0.93.1;2008.07.18;Trojan.Dropper-10034
DrWeb;4.44.0.09170;2008.07.18;Trojan.DownLoader.62005
eSafe;7.0.17.0;2008.07.17;-
eTrust-Vet;31.6.5964;2008.07.18;Win32/Collet.CT
Ewido;4.0;2008.07.17;-
F-Prot;4.4.4.56;2008.07.18;W32/Downldr2.CGIC
F-Secure;7.60.13501.0;2008.07.18;Trojan-Downloader.Win32.Agent.vyi
Fortinet;3.14.0.0;2008.07.18;PossibleThreat
GData;2.0.7306.1023;2008.07.18;Trojan-Downloader.Win32.Agent.vyi
Ikarus;T3.1.1.34.0;2008.07.18;Trojan-Downloader.Exchanger.Gen.1
Kaspersky;7.0.0.125;2008.07.18;Trojan-Downloader.Win32.Agent.vyi
McAfee;5341;2008.07.18;W32/Nuwar@MM
Microsoft;1.3704;2008.07.18;TrojanDropper:Win32/Nuwar.gen!ldt
NOD32v2;3277;2008.07.18;Win32/Agent.ETH
Norman;5.80.02;2008.07.17;W32/DLoader.IGQH
Panda;9.0.0.4;2008.07.17;W32/Nuwar.WR.worm
Prevx1;V2;2008.07.18;Cloaked Malware
Rising;20.53.41.00;2008.07.18;-
Sophos;4.31.0;2008.07.18;Mal/EncPk-DA
Sunbelt;3.1.1536.1;2008.07.17;Trojan-Downloader.Exchanger.Gen.1
Symantec;10;2008.07.18;Trojan.Pandex
TheHacker;6.2.96.381;2008.07.16;-
TrendMicro;8.700.0.1004;2008.07.18;TROJ_AGENT.AKCF
VBA32;3.12.8.0;2008.07.17;MalwareScope.Worm.Nuwar-Glowa.1
VirusBuster;4.5.11.0;2008.07.17;Trojan.DL.Exchanger.BB
Webwasher-Gateway;6.6.2;2008.07.18;Trojan.Crypt.XPACK.Gen
--
Mike Easter
kibitzer, not SC admin