Subject: fw
Subject: hey
Subject: hi
Subject: re
Subject: some jerk has posted your photos
Subject: your photos
The text of the message is:
Hey, some jerk has posted your pictures (u understand what kind of pictures are there) and sent a link of them to all ur friends. I have already replied back. Said, that he is an idiot. See the link:
http://photosbank.aedswer.cz/id1073bv/get.php?email=youremail@yourdomain.com
Tamara Orozco
This is what the website looks like:
Downloading the "PhotoArchive.exe" file is dangerous: it is a Zeus bot that, according to this VirusTotal report, is currently detected by only 7 of 40 AV products. But merely visiting the website is dangerous too, because the page carries a drive-by infector that loads from 109.95.115.36/usasp22/in.php.
Here are some of the websites that we've seen used to host the malware so far today in the UAB Spam Data Mine:
archive.tygersg.cz
archive.uisaxr.bz
archive.zinnko.co.uk
archive.zinnko.com
archives.aedswer.cz
archives.tyerdert.co.nz
archives.tyerdery.co.uk
archives.uisaxr.bz
archives.zinnko.pl
letitbit.aedswek.cz
letitbit.aedswer.cz
letitbit.tyerdery.co.uk
letitbit.tygersk.com
letitbit.tygersm.cz
letitbit.zinnko.co.uk
letitbit.zinnko.pl
photobank.aedswer.cz
photobank.aedswet.cz
photobank.tyerderi.co.uk
photobank.tygersa.cz
photobank.tygersk.com
photobank.zinnko.cz
photosbank.aedswee.cz
photosbank.tyerdere.co.nz
photosbank.tyerderi.co.nz
photosbank.tyerderi.co.uk
photosbank.tyerdery.co.uk
photosbank.tygersg.cz
photosbank.tygersm.cz
photosbank.zinnko.com
photosbank.zinnko.vc
photoshock.tyerdere.co.nz
photoshock.tyerderi.co.uk
photoshock.tyerdero.co.nz
photoshock.uisaxr.me.uk
photoshock.zinnko.be
photoshock.zinnko.com.pl
photostock.aedswee.cz
photostock.aedswek.cz
photostock.aedswer.cz
photostock.aedswew.cz
photostock.tyerdere.co.nz
photostock.tyerderi.co.uk
photostock.uisaxr.me.uk
photostock.zinnko.co.uk
photostock.zinnko.com
photostock.zinnko.com.pl