MGD | [Spam] Western Union Transfer MTCN: 1848485571 [ZIP FILE VIRUS]
Have not seen one of these in a while:

Quoted message:
From: "Western Union" onley@synetron.com
Date: Mon, 11 May 2009 19:15:46 +0100
Subject: Western Union Transfer MTCN: 1848485571
Dear Client!
The money transfer you have sent on the 9th of March wasn't received by the recipient. According to the Western Union treaty the transfers which are not collected in 15 days are to be returned to sender. To collect cash you need to print the invoice attached to this mail and visit the nearest Western Union branch.
Thank you!
[myisp.net : nospam] [EMAILID: F54MTOFT2VTS5AV_email@myisp.net] [TIME:20090511171546]
------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: application/zip; name="MTCN_NR8621982.zip"
Zip attachment unzips to MTCN_NR8621982.exe, even went to the trouble of creating a fake office icon:

Virus total showed a previous submit yesterday, a fresh analysis has ~ 45% detection:


Ref: www.virustotal.com/analisis/bb80···26f969dd
Sunbelt Sandbox report: research.sunbelt-software.com/pa···f647e6f2 shows under network activity that connections are made to bklinkov.ru hosted at IP 91.212.158.5 and subsequent connections direct to IP 91.212.158.6
Excerpt:

domain: BKLINKOV.RU 91.212.158.5
type: CORPORATE
nserver: ns1.bklinkov.ru. 91.212.158.5
nserver: ns2.bklinkov.ru. 91.212.158.5
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 928 7867612
e-mail: sharan812@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2009.05.04
paid-till: 2010.05.04
source: TC-RIPN
Not sure why the report shows the IP location as the UK, rather than the Ukraine. Though AS49158 may have been recently altered.
IP Information for 91.212.158.5 & 91.212.158.6
IP Address: 91.212.158.5 BKLINKOV.RU
IP Information for 91.212.158.5
IP Location: United Kingdom Eu-zz
IP Address: 91.212.158.5
Blacklist Status: Clear

Whois Record
inetnum: 91.212.158.0 - 91.212.158.255
netname: Nice-NET
descr: Nice LTD
country: UA
org: ORG-NL119-RIPE
admin-c: OC971-RIPE
tech-c: OC971-RIPE
status: ASSIGNED PI
remarks: abuse mailbox:
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-NICELTD
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-NICELTD
mnt-domains: MNT-NICELTD
source: RIPE # Filtered

organisation: ORG-NL119-RIPE
org-name: Nice LTD
org-type: OTHER
address: 03148, Kyiv, Vasil Verhovinca st., 10-A-437, Ukraine
mnt-ref: MNT-NICELTD
mnt-by: MNT-NICELTD
source: RIPE # Filtered

person: Oleg Cherniy
address: 03148, Kyiv, Vasil Verhovinca st., 10-A-437, Ukraine
phone: +38 044 586 43 67
nic-hdl: OC971-RIPE
abuse-mailbox:
mnt-by: MNT-NICELTD
source: RIPE # Filtered

route: 91.212.158.0/24
descr: NNCNT route
remarks: please send abuses on: abuse@nnc.in.ua
origin: AS49158
mnt-by: MNT-NICELTD
source: RIPE # Filtered
Traceroute:

Raw email:
Return-Path: <onley@synetron.com>
X-Original-To: email@myisp.net
Delivered-To: email@myisp.nett
Received: from mx1.myisp.net (unknown [myisp.net])
by mail.myisp.net (Postfix) with ESMTP id 88DD71120035;
Mon, 11 May 2009 17:17:55 +0000 (UTC)
Received: from localhost (unknown [127.0.0.1])
by mx1.myisp.net (Postfix) with ESMTP id 5A7EE518363;
Mon, 11 May 2009 13:17:55 -0400 (EDT)
X-Virus-Scanned: by amavisd-new at myisp.net
X-Spam-Flag: NO
X-Spam-Score: 2.001
X-Spam-Level: **
X-Spam-Status: No, score=2.001 tagged_above=-10 required=4
tests=[BAYES_50=0.001, RCVD_IN_UCEPROTECT2=1.5,
RCVD_IN_UCEPROTECT3=0.5] autolearn=no
Received: from g227163205.adsl.alicedsl.de (g227163205.adsl.alicedsl.de [92.227.163.205])
by mx1.myisp.net (Postfix) with ESMTP id CE1FF518244;
Mon, 11 May 2009 13:17:22 -0400 (EDT)
Received: from 92.227.163.205 by server78.appriver.com; Mon, 11 May 2009 19:15:46 +0100
Message-ID: <000d01c9d25c$1fb43de0$6400a8c0@onley>
From: "Western Union" <onley@synetron.com>
To: <email@myisp.net>
Subject: Western Union Transfer MTCN: 1848485571
Date: Mon, 11 May 2009 19:15:46 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0006_01C9D25C.1FB43DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-UIDL: >AA"!F9G!!)EV!!@d#"!
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: text/plain;
format=flowed;
charset="us-ascii";
reply-type=original
Content-Transfer-Encoding: 7bit
Dear Client!
The money transfer you have sent on the 9th of March wasn't received by the recipient.
According to the Western Union treaty the transfers which are not collected in 15 days are to be returned to sender.
To collect cash you need to print the invoice attached to this mail and visit the nearest Western Union branch.
Thank you!
[myisp.net : nospam]
[EMAILID: F54MTOFT2VTS5AV_email@myisp.net]
[TIME:20090511171546]
------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: application/zip;
name="MTCN_NR8621982.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="MTCN_NR8621982.zip"
MGD
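The ruse above depends on a zip attachment whose only member is an executable. The following is an added example, not code from the post or from any of the tools it mentions: it builds a constructed message shaped like the one quoted (same sender, subject and attachment name, but an inert "MZ" stub instead of the real sample) and shows a mail-gateway style check that opens every zip attachment and reports executable members, sniffing the zip magic rather than trusting the declared Content-Type. The extension list is an assumed policy, not something from the post.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# File types that have no business inside an "invoice" zip (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def build_sample_message():
    """Constructed message shaped like the one in the post: a text part plus a
    zip attachment whose only member is an .exe. The member bytes are an inert
    'MZ' stub, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MTCN_NR8621982.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = '"Western Union" <onley@synetron.com>'
    msg["To"] = "email@myisp.net"
    msg["Subject"] = "Western Union Transfer MTCN: 1848485571"
    msg.set_content("Dear Client!\nPrint the invoice attached to this mail.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="MTCN_NR8621982.zip")
    return msg.as_bytes()

def find_executables_in_zip_attachments(raw):
    """Return [(attachment filename, member name)] for every executable member
    inside any zip attachment. Sniffs the zip magic instead of trusting the
    declared Content-Type, so a part mislabelled as something else is still
    inspected; a corrupt zip is skipped rather than aborting the scan."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not data.startswith(b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        for name in names:
            base = name.rsplit("/", 1)[-1]          # ignore folder components
            ext = base[base.rfind("."):].lower() if "." in base else ""
            if ext in EXECUTABLE_EXTS:
                hits.append((part.get_filename() or "<unnamed>", name))
    return hits

if __name__ == "__main__":
    for att, member in find_executables_in_zip_attachments(build_sample_message()):
        print(f"BLOCK: {att} contains executable {member}")
```

The hidden-extension problem MGD describes below is exactly why the check looks at the member name inside the archive rather than at anything the recipient would see on the desktop.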
Snowy | Re: [Spam] Western Union Transfer MTCN: 1848485571 [ZIP FILE VIR
There are a few items that might provide some forensic value, if you think the effort is warranted. It is interesting that the actor(s) took the effort to change the icon on an exe that wasn't able to detect that it was being run in a sandbox.
MGD | I was surprised that it received such a low Bayes score on the filter, plus sailed through the mail server's AV. On the default file settings of most win machines the exe extension will be hidden. Only that icon and the file name will be seen. The curiosity of the recipient will need to exceed the only warning about running an exe when clicked to open, for the ruse to work. It is possible that AVs may catch it, as sometimes Virus Total's results are on the low side, though the catch rate on the original was 16 versus 18 on my submit a day later.
Let me know if you want a copy of the zip.
MGD
madylarian | I, too, got that one today, though it was blocked and dumped by BitDefender. It was quite a shock to see anything get that far since I have my spam tolerance set very low (2.5 out of 10 on a proprietary version of SpamAssassin).
mady -- Honi soit qui mal y pense
reply to MGD: I know a Nigerian lad that would LOVE to finally get his MTCN transfer sorted out. That would be just perfect for him!
amysheehan | reply to MGD
said by MGD: I was surprised that it received such a low Bayes score on the filter, plus sailed through the mail server's AV. On the default file settings of most win machines the exe extension will be hidden. Only that icon and the file name will be seen. The curiosity of the recipient will need to exceed the only warning about running an exe when clicked to open, for the ruse to work. It is possible that AVs may catch it, as sometimes Virus Total's results are on the low side, though the catch rate on the original was 16 versus 18 on my submit a day later. Let me know if you want a copy of the zip. MGD
I had some of those Hallmark ecards start getting thru different filters thru different accounts last week and contacted the AV companies [all] as well as the folks at dslr where it got thru their filters as well.
Not too many reports of that email getting to the masses after the time I spent alerting multiple contacts about it being 'allowed' as hallmark.com as sender even with headers and sender from Romanian IPs.
REPORT, REPORT, REPORT.
-- Proud Member of ASAP DSLR Phishtracker