For the past few weeks I suppose everyone has had a bit of email spam with this in the “From” and “Subject”:
msnbc.com: BREAKING NEWS:
There then follows a sucker headline which is obviously pants. They all have a spoofed link for http://breakingnews.msnbc.com which points to somewhere else, quite often an HTML document on the main site page for a photographer or graphics company. There is only the one duff link. All the rest point to Microsoft sites.
A few sites I’ve contacted to let them know that they’ve been hacked – but now I don’t bother – there are too many each day with this particular format.
Here are a few I’ve had today. The links are not live. Firefox 3 or NOD32 trap all the Trojans but copy and paste the links into a browser at your own risk! (Initially there is a modal dialog box that cannot be cancelled except by Task Manager. Clicking OKAY will try to download the package to your PC. NOD32 identifies it as “a variant of Win32/Agent.ETH trojan”.)
| Nonsense Headline | Spoofed Link Destination (manually remove spaces from links) | Destination Type | Holder from a WHOIS |
| --- | --- | --- | --- |
| Bush ‘Troubled’ by Gay Marriages. Declares San Francisco Part of ‘Axis of Evil’ | srq.dk/ msn_video.html | Hacked site full of broken php and sql | Domain: srq.dk DNS: srq.dk Registered: 2006-08-30 Expires: 2008-08-31 Registration period: 1 year VID: no Status: Deactivated |
| John Mccain Proposes Gay Marriage | thecaviarco.com/ msn_video.html | Dodgy, new or completely hacked site | Registrant: koein Registered through: GoDaddy.com Inc. |
| New Evidence Suggests That The President May Be Drinking Again | www.mobilzeit-daten.de/ msn_video.html | Possible dodgy site or it has been hacked. Even the contact link is an exe file! | Type: ORG Name: MOBILZEIT Address: Poststr. 9 Pcode: 29308 City: Winsen Country: DE Remarks: CID: 6581951/1020 Changed: 2006-12-31T18: 02: 3101: 00 |
| One Hot White Chick Injured in Tsunami Disaster | tamarabdul hadi.com/ msn_video.html | Iraqi-Canadian photographer apparently with a Jordanian site registration! The evil package is dumped straight on the homepage area. | Administrative Contact: enana.com Ali Zayni ali@enana.com 962.795602616 |
| Bush Claims He Has Supernatural Abilities | eliteworkwear uk.co.uk/ msn_video.html | Workwear and other clothing web shopping site. The evil package is dumped straight on the homepage area. | Registrant: Chris Peacock Trading as: Bubble Design and Marketing Registrant type: UK Individual Registrant’s address: Bubble Design Hallcroft Indust Aurillac Way Retford Nottinghamshire DN22 7PX GB |
I use Mailwasher Pro from Firetrust to check through all my mail. I’ve been using it for several years now – since version 4 I think! It shows all mail as plain text (which I advise everyone to do anyway). This is the substance of the last email above, viewed in plain text.
Mailwasher shows all the obfuscated links nicely.
msnbc.com: BREAKING NEWS: Bush Claims He Has Supernatural Abilities
Find out more at http://breakingnews.msnbc.com [links to eliteworkwearuk.co.uk/msn_video.html]
======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
=========================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/62954182 [links to www.msnbc.msn.com/id/24472415], select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com <http://privacy.msn.com/> [links to privacy.msn.com/]
Added 17/8/8
I’ve also had quite a few emails purporting to be Greetings eCards!
The pattern is the same as the above except usually they don’t even obfuscate the link! This one below, for example, has these properties:
Good day.
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
http://kkvtombeek.be/e-card.exe
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
http://www.greetingcard.org
The payload according to NOD32 is described as “a variant of Win32/TrojanDropper.Agent.NMR trojan”. The Belgian website looks okay with info, program of events etc. But the exe file is dumped straight in their front door!