Canadian Pharmacy in Baghdad?

Following on from my earlier experiment with “The Complainerator”, I got a very similar message from myself to myself again… It’s the address I used to dig into XIN NET, whose automated systems now seem to think I really, really need some drugs from a Canadian (United Kingdom, in my case) Pharmacy.

This is the email message as trapped by Mailwasher Pro:

Subject: RE:ci.Doctor Cordero

If you are unable to see the images in this email, please click here. [links to perfecttyres.com/images/img/gif]

ORDER NOW WHILE QUANTITIES LAST!
[Image ignored] [links to muratdedekoyu.com/old/duyuru/images/img]

VIEW PRIVACY POLICY [links to tts-egypt.com/images/jpg/abaut] This email was sent to: xxxxxxxxxxxxx@xxxxxxxxxxxx You have told us you would like to receive exciting e-mail offers from CLICK HERE TO UNSUBSCRIBE [links to badr-karbala.com/images/swichmax/img/jpg] Please allow 24 – 48 hours for processing. Products limited and may sell out at any time. Prices are subject to change.



As you can see, there are four domains in this short mail. For each one I looked up where the server sits, where the registrant is, and what happens when the link is opened in a browser:

Domain: perfecttyres.com
Server location: Florida, USA
Registrant location: Haryana, India
Action on viewing domain in browser: On the first run it went to a Canadian Pharmacy. On a second run five minutes later it redirected to thebigtoplite.cn, then quickly switched back to perfecttyres.com and a large Flash intro about, of all things, tyres. In IE7 it tried to download snapview.ocx.

Domain: muratdedekoyu.com
Server location: Konya, Turkey
Registrant location: Turkey
Action on viewing domain in browser: Tries to download a PHP file called muratdedekoyu_com, which looks like a poorly formed web page, possibly for the tyres website above. It includes some JavaScript called “jsrc/sozler.js”, which is heavily discussed in Turkish forums.

Domain: tts-egypt.com
Server location: New York, USA
Registrant location: Cairo, Egypt
Action on viewing domain in browser: Started as a Pharmacy. Redirects to hostw212.onlinehorizons.net, which was showing a suspended page by the time of these tests.

Domain: badr-karbala.com
Server location: Dallas, Texas
Registrant location: Baghdad, Iraq
Action on viewing domain in browser: Firefox blocks the site. In IE7 it tries to download snapview.ocx and freezes; IE7 then flags it as phishing as it tries to fire up the default address book. Opera opens the page and fires up a duff instance of Adobe Acrobat. Chrome has the best response: it blocks the site and provides a link to http://safebrowsing.clients.google.com, which gives the technical details.

NOD32 didn’t kick in for the download, so presumably it saw nothing it considered malicious in the package. The Chrome warning from Google says hundreds of trojans and web pages are connected to the dodgy places it names. Ah well!

Everything points me to XIN NET again, because of the mail content and the way the redirects flick past: the .cn domain only shows for a split second!
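To show how a sweep like the one above can be done without pointing a real browser at the links, here is an added Python example; it is not from the original post and not part of Mailwasher, NOD32 or any other tool named here. It pulls the link targets out of a copy of the mail, lists the domains, flags the give-away pattern of a non-image resource parked under an /images/ directory, and records a redirect chain hop by hop with a plain HTTP fetch that never follows a redirect on its own and never renders anything, so a page pushing snapview.ocx gets no chance to instantiate it. The sample mail body, the canned responses that stand in for the network, and all function names are constructed for the example; the real perfecttyres.com chain was only observed in a browser, so the 302-plus-meta-refresh mechanism in the canned data is an assumption.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse, urljoin

# Constructed sample: the four links quoted above as full URLs (the post
# shows only host and path), with the image link doubling as href and src.
SAMPLE_MAIL = """\
<a href="http://perfecttyres.com/images/img/gif">click here</a>
<a href="http://muratdedekoyu.com/old/duyuru/images/img">
  <img src="http://muratdedekoyu.com/old/duyuru/images/img"></a>
<a href="http://tts-egypt.com/images/jpg/abaut">VIEW PRIVACY POLICY</a>
<a href="http://badr-karbala.com/images/swichmax/img/jpg">CLICK HERE TO UNSUBSCRIBE</a>
"""
URL_RE = re.compile(r'(?:href|src)\s*=\s*"([^"]+)"', re.I)
META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")

def extract_links(body):
    """Unique href/src URLs in order of first appearance."""
    seen = []
    for url in URL_RE.findall(body):
        if url not in seen:
            seen.append(url)
    return seen

def domains(urls):
    """Sorted hostnames the mail points at."""
    return sorted({urlparse(u).hostname for u in urls})

def suspicious(url):
    """Give-away pattern in this mail: a non-image parked under /images/, or a
    last path component named like a file extension. Either suggests a script
    dropped among a compromised site's static files."""
    path = urlparse(url).path.lower()
    reasons = []
    if "/images/" in path and not path.endswith(IMAGE_EXT):
        reasons.append("non-image resource under /images/")
    if path.rstrip("/").rsplit("/", 1)[-1] in ("gif", "jpg", "png", "img"):
        reasons.append("path component named like a file extension")
    return reasons

def follow_chain(url, fetch, max_hops=10):
    """Walk 30x redirects and meta refreshes, returning every URL visited.
    fetch(url) -> (status, headers, body) with lower-case header names.
    Nothing is rendered or executed, so a hop that only fires from script
    (the split-second .cn bounce seen in a browser) will not show up."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "location" in headers:
            nxt = headers["location"]
        else:
            m = META_REFRESH_RE.search(body)
            if not m:
                break
            nxt = m.group(1)
        url = urljoin(url, nxt)
        chain.append(url)
        if chain.count(url) > 1:  # loop (site bouncing back to itself): stop
            break
    return chain

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 30x responses back as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, timeout=10):
    """Live fetcher for follow_chain: one request, no redirects, no rendering,
    first 64 KiB of body only. Run it from a throwaway VM, not your desktop."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        hdrs = {k.lower(): v for k, v in resp.headers.items()}
        return resp.status, hdrs, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, ""

# Constructed stand-in for the network: the hop sequence reported above for
# perfecttyres.com on the second run. The real mechanism was not captured;
# a 302 followed by a meta refresh is assumed for the example.
CANNED = {
    "http://perfecttyres.com/images/img/gif":
        (302, {"location": "http://thebigtoplite.cn/"}, ""),
    "http://thebigtoplite.cn/":
        (200, {}, '<meta http-equiv="refresh" content="0; url=http://perfecttyres.com/">'),
    "http://perfecttyres.com/": (200, {}, "<html>Flash intro about tyres</html>"),
}

def canned_fetch(url):
    return CANNED.get(url, (404, {}, ""))
```

Swap `canned_fetch` for `http_fetch` in `follow_chain` to run it against live links. Because the fetcher refuses to follow redirects itself, every hop is recorded, including the ones a browser would show for a split second; what it cannot see is a hop that only exists inside a script or a Flash object, which is exactly why the browser runs above saw more than this will.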

Snapview.ocx is the ActiveX control from the MS Access Snapshot Viewer. The snapshot format serves much the same purpose as Adobe PDF, which partly explains Opera loading Acrobat Reader in its place… snapview.ocx has a shedload of Google search returns as an ActiveX vulnerability, and for good reason: Microsoft patched the control in bulletin MS08-041 (2008) after a flaw that let a web page write a file of its choosing to a location of its choosing on the visitor's machine was picked up by drive-by attacks. A spam link that tries to hand you snapview.ocx is the tell-tale of that pattern, so if you must inspect such links, do it from a throwaway VM with ActiveX disabled rather than a working IE7 desktop.

By Strangely

Founding member of the gifted & talented band, "The Crawling Chaos" from the North-East of England.