suzi Site Admin
Posted: Thu Aug 06, 2009 5:03 pm Post subject: "Crucial Windows Update" spam
I've gotten 3 or 4 of these today.
Subject: Crucial Windows Update
Quote:
Dear Microsoft Windows Customer
A Critical Update is available for your version of Windows. Click here to begin installation hxxp://king.cd/(random series of 4-5 alphanumeric characters)
Thank you for your cooperation, protecting our customers is our number one priority.actinometerbough
Regards,
Microsoft Windows Support Agent #52
deliverancealeckvenereal
Header
Quote:
Return-Path: <codicil9@microsoft.org>
Delivered-To: <removed>
Received: (qmail 2506 invoked by uid 399); 7 Aug 2009 00:44:12 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
<mailserver>
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
RDNS_NONE autolearn=disabled version=3.2.5
X-Virus-Scan: Scanned by ClamAV 0.94.2 (no viruses);
Thu, 06 Aug 2009 20:44:14 -0400
Received: from unknown (HELO <mailserver IP> (84.228.246.193)
by <mailserver> with ESMTP; 7 Aug 2009 00:44:12 -0000
X-Originating-IP: 84.228.246.193
Received-SPF: fail (SPF record at microsoft.org does not designate 84.228.246.193 as permitted sender)
identity=mailfrom; client-ip=84.228.246.193;
envelope-from=<codicil9@microsoft.org>;
From: "Microsoft Windows Support" <garrett5@microsoft.org>
To: <removed>
Subject: Crucial Windows Update
Date: Fri, 07 Aug 2009 02:37:28 +0200
Message-Id: <EmanuelautumnalGilbert@centrifuge>
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Anyone else seeing this? They appear to be coming from a different IP each time.
I googled king.cd and nothing useful comes up. The URL looks like it could be something from a service like tinyurl or bit.ly.
Just checked it on web-sniffer.net and it's a direct link to a file on rapidshare named Microsoft_FrameworkUpgrade.exe.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
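The header-level tells in the quoted message (SPF hard fail, envelope sender not matching the From mailbox, HTML-only body, a Message-Id with no real host) can be checked mechanically. The following is an added example, not code from the thread: it runs Python's standard-library email parser over a constructed copy of the header quoted above (redacted fields dropped, folding whitespace restored) and reports which indicators fire.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the header quoted in the post above, redacted fields
# dropped and RFC 5322 folding whitespace restored on continuation lines.
SAMPLE_HEADERS = """\
Return-Path: <codicil9@microsoft.org>
Received: (qmail 2506 invoked by uid 399); 7 Aug 2009 00:44:12 -0000
X-Spam-Status: No, score=1.8 required=2.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
 RDNS_NONE autolearn=disabled version=3.2.5
X-Originating-IP: 84.228.246.193
Received-SPF: fail (SPF record at microsoft.org does not designate 84.228.246.193 as permitted sender)
 identity=mailfrom; client-ip=84.228.246.193;
 envelope-from=<codicil9@microsoft.org>;
From: "Microsoft Windows Support" <garrett5@microsoft.org>
Subject: Crucial Windows Update
Message-Id: <EmanuelautumnalGilbert@centrifuge>
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1

"""

def phish_indicators(raw_headers: str) -> list:
    """Return the names of the header-level tells found in raw_headers."""
    msg = message_from_string(raw_headers)
    hits = []
    # 1. The receiving MTA already recorded an SPF failure for the envelope sender.
    spf = (msg.get("Received-SPF") or "").strip().lower()
    if spf.startswith(("fail", "softfail")):
        hits.append("spf_fail")
    # 2. Envelope sender (Return-Path) and header From are different mailboxes.
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    if envelope and header_from and envelope != header_from:
        hits.append("envelope_from_mismatch")
    # 3. HTML-only body with no text/plain part (SpamAssassin's MIME_HTML_ONLY).
    if msg.get_content_type() == "text/html" and not msg.is_multipart():
        hits.append("html_only_body")
    # 4. Message-Id right-hand side is not a host name (no dot at all).
    msgid = parseaddr(msg.get("Message-Id", ""))[1]
    if "@" not in msgid or "." not in msgid.rsplit("@", 1)[1]:
        hits.append("bogus_message_id")
    # 5. Content scoring let the mail through (score < required) even though SPF
    #    failed: the SPF result was logged but never fed into the verdict.
    m = re.search(r"score=([\d.]+)\s+required=([\d.]+)", msg.get("X-Spam-Status", ""))
    if "spf_fail" in hits and m and float(m.group(1)) < float(m.group(2)):
        hits.append("spf_fail_not_enforced")
    return hits
```

On the sample above all five indicators fire; the last one is the actionable finding for a mail admin, since a hard SPF fail that only contributes to a content score is a policy gap rather than a missed signature.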
Angoid Expert Developer
Posted: Fri Aug 07, 2009 4:49 am
Yes, I received one a few days ago but just deleted it on sight.
Should have thought to come here and post the headers so others could see...
_________________
If you don't know what eschatology is then don't worry; it's not the end of the world.
olliver Expert Developer
Posted: Fri Aug 07, 2009 10:36 am
I checked my spam collection, but all I could find was a similar campaign that dates back to the end of June.
The sender machine 84.228.246.193 is a zombified end-user machine in Israel.
More interesting is the spamvertised domain king.cd
[olliver@tabidachi ~]$ host king.cd
king.cd has address 76.73.38.158
Host king.cd not found: 2(SERVFAIL)
Host king.cd not found: 2(SERVFAIL)
(the error message means that two name servers are no longer functional)
Quote:
network:Auth-Area:76.73.0.0/17
network:Class-Name:network
network:OrgName:Ercan Yaris
network:OrgID;I:DNS-NEVEREXISTNET
network:Address:Karaman Mah. 1478 Ada. Bina No
network:City:Sakarya
network:StateProv:N/A
network:PostalCode:54100
network:Country:TR
network:NetRange:76.73.38.152-76.73.38.159
network:CIDR:76.73.38.152/29
network:NetName:DNS-NEVEREXISTNET
network:OrgAbuseHandle:FDCservers Customer
network:OrgAbuseName:Ercan Yaris
network:OrgAbusePhone:+905554902529
network:OrgAbuseEmail:dns@neverexist.net
network:OrgNOCHandle:NOC1402-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-913-9304
network:OrgNOCEmail:support @ fdcservers.net
network:OrgTechHandle:PKR5-ARIN
network:OrgTechName:Petr Kral
network:OrgTechPhone:+1-312-933-1046
network:OrgTechEmail:petr @ fdcservers.net
I wonder how "Ercan Yaris" can be notified via email, when the domain "neverexist.net" isn't even registered...
O.
MysteryFCM Malware Expert
Posted: Fri Aug 07, 2009 10:55 am
I've received several more of these since writing the blog entry, and king.cd is back online (came back yesterday). Thankfully, RapidShare seems to have deleted all of the files I've been led toward.
_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
suzi Site Admin
Posted: Fri Aug 07, 2009 12:26 pm
Good to know the files have been deleted.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.