Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

"Crucial Windows Update" spam

 
suzi (Site Admin)
Posted: Thu Aug 06, 2009 5:03 pm    Post subject: "Crucial Windows Update" spam

I've gotten 3 or 4 of these today.

Subject: Crucial Windows Update

Quote:
Dear Microsoft Windows Customer

A Critical Update is available for your version of Windows. Click here to begin installation hxxp://king.cd/(random series of 4-5 alphanumeric characters)

Thank you for your cooperation, protecting our customers is our number one priority.actinometerbough

Regards,
Microsoft Windows Support Agent #52
deliverancealeckvenereal


Header
Quote:
Return-Path: <codicil9@microsoft.org>
Delivered-To: <removed>
Received: (qmail 2506 invoked by uid 399); 7 Aug 2009 00:44:12 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
<mailserver>
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
RDNS_NONE autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.94.2 (no viruses);
Thu, 06 Aug 2009 20:44:14 -0400
Received: from unknown (HELO <mailserver IP> (84.228.246.193)
by <mailserver> with ESMTP; 7 Aug 2009 00:44:12 -0000
X-Originating-IP: 84.228.246.193
Received-SPF: fail (SPF record at microsoft.org does not designate 84.228.246.193 as permitted sender)
identity=mailfrom; client-ip=84.228.246.193;
envelope-from=<codicil9@microsoft.org>;
From: "Microsoft Windows Support" <garrett5@microsoft.org>
To: <removed>
Subject: Crucial Windows Update
Date: Fri, 07 Aug 2009 02:37:28 +0200
Message-Id: <EmanuelautumnalGilbert@centrifuge>
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit


Anyone else seeing this? They appear to be coming from a different IP each time.

I googled king.cd and nothing useful comes up. The URL looks like it could be something from a service like tinyurl or bit.ly.

Just checked it on web-sniffer.net and it's a direct link to a file on rapidshare named Microsoft_FrameworkUpgrade.exe.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
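The headers quoted above already contain the signals a mail filter needs: the SPF check failed for the envelope domain, the display name claims "Microsoft" without any passing authentication, the relay IP is exposed in X-Originating-IP, and SpamAssassin scored the message just under its threshold. The following is an added example (not code from the post) that reads a constructed copy of those headers with the standard-library email parser and turns them into a triage verdict; the redacted server name is replaced by the placeholder `mailserver`, and `IMPERSONATED_BRANDS` is an assumed local list.

```python
"""Header triage for the "Crucial Windows Update" mail quoted above.
Added example, not code from the forum post: it reads the headers with the
standard-library email parser and reports the signals a mail filter would
act on (SPF result, spoofed brand in the display name, relay IP, SpamAssassin
score against its threshold)."""
import email
import email.utils
import re

# Constructed sample, folded per RFC 5322, reproducing the headers quoted in
# the post; the redacted server name is replaced by the placeholder 'mailserver'.
SAMPLE_HEADERS = """\
Return-Path: <codicil9@microsoft.org>
Received: from unknown (HELO mailserver) (84.228.246.193)
\tby mailserver with ESMTP; 7 Aug 2009 00:44:12 -0000
X-Spam-Status: No, score=1.8 required=2.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
\tRDNS_NONE autolearn=disabled version=3.2.5
X-Originating-IP: 84.228.246.193
Received-SPF: fail (SPF record at microsoft.org does not designate 84.228.246.193 as permitted sender)
\tidentity=mailfrom; client-ip=84.228.246.193;
\tenvelope-from=<codicil9@microsoft.org>;
From: "Microsoft Windows Support" <garrett5@microsoft.org>
Subject: Crucial Windows Update
Content-Type: text/html; charset=iso-8859-1

"""

# Assumed local list of brands that are commonly spoofed in display names.
IMPERSONATED_BRANDS = ("microsoft",)


def sender_parts(header_value):
    """Return (display name, local part, lower-cased domain) from an address header."""
    name, addr = email.utils.parseaddr(header_value or "")
    local, _, domain = addr.rpartition("@")
    return name, local, domain.lower()


def triage(raw_headers):
    """Parse the headers and return the extracted signals plus a verdict."""
    msg = email.message_from_string(raw_headers)
    findings = []

    # Received-SPF starts with the result token; fail/softfail means the
    # sending IP is not authorised for the envelope-from domain.
    spf_field = " ".join((msg.get("Received-SPF") or "none").split())
    spf_result = spf_field.split(" ", 1)[0].lower()
    if spf_result in ("fail", "softfail"):
        findings.append(f"spf-{spf_result}")

    name, from_local, from_domain = sender_parts(msg.get("From"))
    _, env_local, env_domain = sender_parts(msg.get("Return-Path"))
    if from_domain != env_domain:
        findings.append("from-return-path-domain-mismatch")
    elif from_local != env_local:
        findings.append("from-return-path-localpart-mismatch")

    # A well-known brand in the display name with no passing authentication
    # is the classic phish pattern; the domain alone proves nothing here.
    if any(b in name.lower() for b in IMPERSONATED_BRANDS) and spf_result != "pass":
        findings.append("unauthenticated-brand-impersonation")

    # SpamAssassin reports its score and threshold; a near miss is worth
    # knowing when the other signals are this strong.
    spam_status = " ".join((msg.get("X-Spam-Status") or "").split())
    m = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+)", spam_status)
    score = float(m.group(1)) if m else None
    required = float(m.group(2)) if m else None
    if score is not None and score < required:
        findings.append("spamassassin-below-threshold")

    quarantine = ("spf-fail" in findings
                  or "unauthenticated-brand-impersonation" in findings)
    return {
        "client_ip": (msg.get("X-Originating-IP") or "").strip(),
        "spf": spf_result,
        "from_domain": from_domain,
        "spam_score": score,
        "findings": findings,
        "verdict": "quarantine" if quarantine else "deliver",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The verdict rule is deliberately narrow: an SPF failure for the envelope domain or an unauthenticated brand name in the display name is enough on its own, while the local-part mismatch and the sub-threshold SpamAssassin score are recorded as supporting evidence rather than triggers.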
Angoid (Expert Developer)
Posted: Fri Aug 07, 2009 4:49 am

Yes, I received one a few days ago but just deleted it on sight.
Should have thought to come here and post the headers so others could see...
_________________
If you don't know what eschatology is then don't worry; it's not the end of the world.
suzi (Site Admin)
Posted: Fri Aug 07, 2009 8:14 am

Found it here:

http://hphosts.blogspot.com/2009/08/alert-malicious-microsoft-e-mail-using.html

Let's hope the AV detections have improved since this:
http://www.virustotal.com/analisis/f26de7d6d5cd04927fd4b2f74019e9e68c0aa29df0b72e69ba304ca84f0883fe-1249507230
olliver (Expert Developer)
Posted: Fri Aug 07, 2009 10:36 am

I checked my spam collection, but all I could find was a similar campaign that dates back to the end of June.

The sender machine 84.228.246.193 is a zombified end-user machine in Israel.

More interesting is the spamvertised domain king.cd

[olliver@tabidachi ~]$ host king.cd
king.cd has address 76.73.38.158
Host king.cd not found: 2(SERVFAIL)
Host king.cd not found: 2(SERVFAIL)

(the error message means that two name servers are no longer functional)

Quote:
network:Auth-Area:76.73.0.0/17
network:Class-Name:network
network:OrgName:Ercan Yaris
network:OrgID;I:DNS-NEVEREXISTNET
network:Address:Karaman Mah. 1478 Ada. Bina No
network:City:Sakarya
network:StateProv:N/A
network:PostalCode:54100
network:Country:TR
network:NetRange:76.73.38.152-76.73.38.159
network:CIDR:76.73.38.152/29
network:NetName:DNS-NEVEREXISTNET
network:OrgAbuseHandle:FDCservers Customer
network:OrgAbuseName:Ercan Yaris
network:OrgAbusePhone:+905554902529
network:OrgAbuseEmail:dns@neverexist.net
network:OrgNOCHandle:NOC1402-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-913-9304
network:OrgNOCEmail:support @ fdcservers.net
network:OrgTechHandle:PKR5-ARIN
network:OrgTechName:Petr Kral
network:OrgTechPhone:+1-312-933-1046
network:OrgTechEmail:petr @ fdcservers.net


I wonder how "Ercan Yaris" can be notified via email, when the domain "neverexist.net" isn't even registered...

O.
MysteryFCM (Malware Expert)
Posted: Fri Aug 07, 2009 10:55 am

I've received several more of these since writing the blog entry, and king.cd is back online (came back yesterday). Thankfully, RapidShare seems to have deleted all of the files I've been led toward.
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
suzi (Site Admin)
Posted: Fri Aug 07, 2009 12:26 pm

Good to know the files have been deleted.