Following on from my earlier experiment with “The Complainerator”, I got a very similar message from myself to myself again… It’s the address I used to dig into XIN NET, whose automated systems now seem to think I really, really need some drugs from a Canadian (United Kingdom for me) Pharmacy.
This is the email message as trapped by Mailwasher Pro:
Subject: RE:ci.Doctor Cordero
If you are unable to see the images in this email, please click here. [links to perfecttyres.com/images/img/gif]
ORDER NOW WHILE QUANTITIES LAST!
[Image ignored] [links to muratdedekoyu.com/old/duyuru/images/img]
As you can see, there are four domains in this short mail.
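As an added example (not code from the original post), here is the first triage step done above by hand: parse the trapped message, list which domains its click-through links and image sources point at, and check the “from myself to myself” tell. The sample message is constructed from the lines quoted above; its HTML markup and the placement of tts-egypt.com and badr-karbala.com inside it are assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the trapped message; the HTML markup and the
# placement of the two table-only domains (tts-egypt.com, badr-karbala.com) are assumed.
RAW_SPAM = b"""From: me@example.invalid
To: me@example.invalid
Subject: RE:ci.Doctor Cordero
Content-Type: text/html; charset=us-ascii

<html><body>
<p>If you are unable to see the images in this email, please
<a href="http://perfecttyres.com/images/img/gif">click here</a>.</p>
<p>ORDER NOW WHILE QUANTITIES LAST!</p>
<a href="http://tts-egypt.com/"><img src="http://muratdedekoyu.com/old/duyuru/images/img"></a>
<a href="http://badr-karbala.com/">Canadian Pharmacy</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Records the host of every href/src attribute, first-seen order, no duplicates."""
    def __init__(self):
        super().__init__()
        self.hosts = {"href": [], "src": []}

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.hosts and value:
                host = (urlparse(value).hostname or "").lower()
                if host and host not in self.hosts[name]:
                    self.hosts[name].append(host)

def linked_domains(raw_message: bytes) -> dict:
    """Return {'href': [...], 'src': [...]} gathered from every text/html part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.hosts

def self_addressed(raw_message: bytes) -> bool:
    """True when From and To carry the same address: the 'from myself to myself' tell."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return bool(sender) and sender == parseaddr(msg.get("To", ""))[1].lower()
```

Splitting click-through targets from image hosts matters because a mail client that hides remote images (as Mailwasher did here) still shows the href targets a reader might click.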
| Domain | Server Location | Registrant Location | Action on Viewing Domain in Browser |
|---|---|---|---|
| perfecttyres.com | Florida, USA | Haryana, India | At first run, went to a Canadian Pharmacy. Second run five minutes later it redirects to thebigtoplite.cn and quickly switches to perfecttyres.com and a large Flash intro about – tyres! In IE7 tries to download snapview.ocx. |
| tts-egypt.com | New York, USA | Cairo, Egypt | Started as Pharmacy. Redirects to hostw212.onlinehorizons.net, a suspended page now, during tests. |
| badr-karbala.com | Dallas, Texas | Baghdad, Iraq | Firefox blocks the site. In IE7 tries to download snapview.ocx, freezes it, then IE7 tries to say it’s phishing as it tries to fire up the default address book. Opera opens the page and fires up a duff instance of Adobe Acrobat. Chrome has the best response: blocks the site and provides a link to here: http://safebrowsing.clients.google.com which gives technical details. |
NOD32 didn’t kick in for the download, so presumably it found no malicious code in the package. The Chrome browser info from Google says hundreds of trojans and webpages are connected to the dodgy places in the warning. Ah well!
Everything points me to XIN NET again, because of the mail content and the way the redirects flash past: the .cn domain only shows for a split second!
Snapview.ocx is part of the MS Access Snapshot Viewer. The snapshot format is similar to Adobe PDF, which partly explains Opera loading Acrobat Reader into place… Snapview.ocx has a shedload of Google search results as an ActiveX vulnerability.