
MGD
Premium,MVM
join:2002-07-31
kudos:9


[Spam] Western Union Transfer MTCN: 1848485571 [ZIP FILE VIRUS]

Have not seen one of these in a while:




quote:
From: "Western Union" onley@synetron.com

Date: Mon, 11 May 2009 19:15:46 +0100

Subject: Western Union Transfer MTCN: 1848485571

Dear Client!

The money transfer you have sent on the 9th of March wasn't received by the recipient.
According to the Western Union treaty the transfers which are not collected in 15 days are to be returned to sender.
To collect cash you need to print the invoice attached to this mail and visit the nearest Western Union branch.

Thank you!

[myisp.net : nospam]
[EMAILID: F54MTOFT2VTS5AV_email@myisp.net]
[TIME:20090511171546]

------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: application/zip;
name="MTCN_NR8621982.zip"


Zip attachment unzips to MTCN_NR8621982.exe, even went to the trouble of creating a fake office icon:




VirusTotal showed a previous submit yesterday; a fresh analysis has ~45% detection:




Ref:»www.virustotal.com/analisis/bb80···26f969dd

Sunbelt Sandbox report: »research.sunbelt-software.com/pa···f647e6f2 shows under network activity that connections are made to bklinkov.ru hosted at IP 91.212.158.5 and subsequent connections direct to IP 91.212.158.6

Excerpt:





domain: BKLINKOV.RU 91.212.158.5
type: CORPORATE
nserver: ns1.bklinkov.ru. 91.212.158.5
nserver: ns2.bklinkov.ru. 91.212.158.5
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 928 7867612
e-mail: sharan812@yandex.ru
registrar: NAUNET-REG-RIPN
created: 2009.05.04
paid-till: 2010.05.04
source: TC-RIPN


Not sure why the report shows the IP location as the UK, rather than the Ukraine. Though AS49158 may have been recently altered.


IP Information for 91.212.158.5 & 91.212.158.6
.
IP Address: 91.212.158.5 BKLINKOV.RU
IP Information for 91.212.158.5
IP Location: United Kingdom Eu-zz
IP Address: 91.212.158.5
Blacklist Status: Clear
.
Whois Record
inetnum: 91.212.158.0 - 91.212.158.255
netname: Nice-NET
descr: Nice LTD
country: UA
org: ORG-NL119-RIPE
admin-c: OC971-RIPE
tech-c: OC971-RIPE
status: ASSIGNED PI
remarks: abuse mailbox:
mnt-by: RIPE-NCC-END-MNT
mnt-by: MNT-NICELTD
mnt-lower: RIPE-NCC-END-MNT
mnt-routes: MNT-NICELTD
mnt-domains: MNT-NICELTD
source: RIPE # Filtered
.
organisation: ORG-NL119-RIPE
org-name: Nice LTD
org-type: OTHER
address: 03148, Kyiv, Vasil Verhovinca st., 10-A-437, Ukraine
mnt-ref: MNT-NICELTD
mnt-by: MNT-NICELTD
source: RIPE # Filtered
.
person: Oleg Cherniy
address: 03148, Kyiv, Vasil Verhovinca st., 10-A-437, Ukraine
phone: +38 044 586 43 67
nic-hdl: OC971-RIPE
abuse-mailbox:
mnt-by: MNT-NICELTD
source: RIPE # Filtered
.
route: 91.212.158.0/24
descr: NNCNT route
remarks: please send abuses on: abuse@nnc.in.ua
origin: AS49158
mnt-by: MNT-NICELTD
source: RIPE # Filtered


Traceroute:




Raw email:

 
Return-Path: <onley@synetron.com>
X-Original-To: email@myisp.net
Delivered-To: email@myisp.nett
Received: from mx1.myisp.net (unknown [myisp.net])
by mail.myisp.net (Postfix) with ESMTP id 88DD71120035;
Mon, 11 May 2009 17:17:55 +0000 (UTC)
Received: from localhost (unknown [127.0.0.1])
by mx1.myisp.net (Postfix) with ESMTP id 5A7EE518363;
Mon, 11 May 2009 13:17:55 -0400 (EDT)
X-Virus-Scanned: by amavisd-new at myisp.net
X-Spam-Flag: NO
X-Spam-Score: 2.001
X-Spam-Level: **
X-Spam-Status: No, score=2.001 tagged_above=-10 required=4
tests=[BAYES_50=0.001, RCVD_IN_UCEPROTECT2=1.5,
RCVD_IN_UCEPROTECT3=0.5] autolearn=no
Received: from g227163205.adsl.alicedsl.de (g227163205.adsl.alicedsl.de [92.227.163.205])
by mx1.myisp.net (Postfix) with ESMTP id CE1FF518244;
Mon, 11 May 2009 13:17:22 -0400 (EDT)
Received: from 92.227.163.205 by server78.appriver.com; Mon, 11 May 2009 19:15:46 +0100
Message-ID: <000d01c9d25c$1fb43de0$6400a8c0@onley>
From: "Western Union" <onley@synetron.com>
To: <email@myisp.net>
Subject: Western Union Transfer MTCN: 1848485571
Date: Mon, 11 May 2009 19:15:46 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0006_01C9D25C.1FB43DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
X-UIDL: >AA"!F9G!!)EV!!@d#"!
 
This is a multi-part message in MIME format.
 
------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: text/plain;
format=flowed;
charset="us-ascii";
reply-type=original
Content-Transfer-Encoding: 7bit
 
Dear Client!
 
The money transfer you have sent on the 9th of March wasn't received by the recipient.
According to the Western Union treaty the transfers which are not collected in 15 days are to be returned to sender.
To collect cash you need to print the invoice attached to this mail and visit the nearest Western Union branch.
 
Thank you!
 
[myisp.net : nospam]
[EMAILID: F54MTOFT2VTS5AV_email@myisp.net] 
[TIME:20090511171546]
 
------=_NextPart_000_0006_01C9D25C.1FB43DE0
Content-Type: application/zip;
name="MTCN_NR8621982.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="MTCN_NR8621982.zip"
 
.

MGD


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

Re: [Spam] Western Union Transfer MTCN: 1848485571 [ZIP FILE VIRUS]

There are a few items that might provide some forensic value, if you think the effort is warranted.
It is interesting that the actor(s) took the effort to change the icon on an exe that wasn't able to detect that it was being run in a sandbox.

MGD
Premium,MVM
join:2002-07-31
kudos:9


I was surprised that it received such a low Bayes score on the filter, plus sailed through the mail server's AV. On the default file settings of most Windows machines the exe extension will be hidden. Only that icon and the file name will be seen. The curiosity of the recipient will need to exceed the only warning about running an exe when clicked to open, for the ruse to work. It is possible that AVs may catch it, as sometimes VirusTotal's results are on the low side, though the catch rate on the original was 16 versus 18 on my submit a day later.

Let me know if you want a copy of the zip

MGD
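As an added illustration (not code from the thread or from any poster) of the lure MGD describes, the check below parses a MIME message, pulls out zip attachments and flags members that are executables by extension or by the PE "MZ" magic, so the ".exe inside a zip" pattern is caught regardless of what icon or hidden extension the recipient would see. The message it scans is a constructed sample modelled on the headers above; the addresses and the attachment bytes are placeholders.

```python
import email
import email.message
import io
import zipfile
from email import policy

# Extensions Windows will execute when double-clicked (hidden by default).
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message() -> bytes:
    """Constructed sample: multipart/mixed mail carrying a zip whose only
    member is an .exe beginning with the PE 'MZ' magic (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MTCN_NR8621982.exe", b"MZ" + b"\x00" * 62)
    msg = email.message.EmailMessage(policy=policy.default)
    msg["From"] = '"Western Union" <sender@example.invalid>'   # placeholder
    msg["To"] = "victim@example.invalid"                        # placeholder
    msg["Subject"] = "Western Union Transfer MTCN: 1848485571"
    msg.set_content("Dear Client!\nPrint the invoice attached to this mail.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="MTCN_NR8621982.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return (attachment, member, reason) for every zip member that looks
    executable. Reason is 'pe-magic' when the bytes start with MZ,
    'exec-extension' when only the name gives it away, 'bad-zip' if the
    archive does not parse (which is itself worth a look)."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_zip = name.lower().endswith(".zip") or part.get_content_type() == "application/zip"
        if not is_zip:
            continue
        data = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append((name, "<unreadable zip>", "bad-zip"))
            continue
        for info in zf.infolist():
            head = zf.open(info).read(2)
            if head == b"MZ":
                findings.append((name, info.filename, "pe-magic"))
            elif info.filename.lower().endswith(EXEC_EXTS):
                findings.append((name, info.filename, "exec-extension"))
    return findings
```

Run `scan_message(build_sample_message())` to see the single finding for the constructed sample; on a real mail gateway the same function would run over each message's raw bytes before delivery.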


madylarian
The curmudgeonly
Premium
join:2002-01-03
Parkville, MD
I, too, got that one today, though it was blocked and dumped by BitDefender. It was quite a shock to see anything get that far since I have my spam tolerance set very low (2.5 out of 10 on a proprietary version of SpamAssassin).

mady
--
Honi soit qui mal y pense

garys_2k
Premium
join:2004-05-07
Farmington, MI
reply to MGD
I know a Nigerian lad that would LOVE to finally get his MTCN transfer sorted out. That would be just perfect for him!


amysheehan
Premium,VIP,MVM
join:1999-12-21
Huntington Beach, CA
kudos:9
reply to MGD
said by MGD:

I was surprised that it received such a low Bayes score on the filter, plus sailed through the mail server's AV. On the default file settings of most Windows machines the exe extension will be hidden. Only that icon and the file name will be seen. The curiosity of the recipient will need to exceed the only warning about running an exe when clicked to open, for the ruse to work. It is possible that AVs may catch it, as sometimes VirusTotal's results are on the low side, though the catch rate on the original was 16 versus 18 on my submit a day later.

Let me know if you want a copy of the zip

MGD
I had some of those Hallmark ecards start getting thru different filters thru different accounts last week and contacted the AV companies [all] as well as the folks at dslr where it got thru their filters as well.

Not too many reports of that email getting to the masses after the time I spent alerting multiple contacts about it being 'allowed' as hallmark.com as sender even with headers and sender from Romanian IPs.

REPORT, REPORT, REPORT.
--
Proud Member of ASAP
DSLR Phishtracker