
norwegian
Premium
join:2005-02-15
Outback

Jetstar phish

This was detected as a phish but thought it interesting enough to post. For a second I'd thought my luck had changed. :)

Return-Path: migrationse4@jetstar.com
Received: from zim-mta08.web.westnet.com.au (LHLO
 zim-mta08.web.westnet.com.au) (192.168.39.38) by webmail05.westnet.com.au
 with LMTP; Thu, 29 Nov 2012 05:32:57 +0800 (WST)
Received: from inbound-mail04.westnet.com.au (unknown [203.10.1.239])
by zim-mta08.web.westnet.com.au (Postfix) with ESMTP id E75FB5C1DD
for <xxxxx@westnet.com.au>; Thu, 29 Nov 2012 13:31:15 +0800 (WST)
X-Ironport-Incoming: 1
Received: from 3.152.0.109.rev.sfr.net ([109.0.152.3])
  by inbound-mail04.westnet.com.au with ESMTP; 29 Nov 2012 05:32:49 +0800
Received: by 10.58.23.34 with SMTP id j2csp290522vef;
        Wed, 28 Nov 2012 22:33:28 +0100
Received: by 10.50.197.169 with SMTP id iv9mr3813833igc.32.1350718734043;
        Wed, 28 Nov 2012 22:33:28 +0100
Received-SPF: pass (google.com: domain of noreplyitineraries@jetstar.com designates 216.82.255.50 as permitted sender) client-ip=216.82.255.50;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreplyitineraries@jetstar.com designates 216.82.255.50 as permitted sender) smtp.mail=noreplyitineraries@jetstar.com
X-Env-Sender: noreplyitineraries@jetstar.com
X-StarScan-Version: 6.6.1.3; banners=jetstar.com,-,-
X-VirusChecked: Checked
Received: from unknown (HELO sydeqximr01.corp.jetstar.com) (168.134.2.42)
  by server-15.tower-143.messagelabs.com with SMTP; Wed, 28 Nov 2012 22:33:28 +0100
Received: from SYDEQXITN04 (sydeqxitn04.corp.jetstar.com [172.23.145.89])
by sydeqximr01.corp.jetstar.com (Postfix) with ESMTP id DA94058046
for <<xxxxx@westnet.com.au>>; Wed, 28 Nov 2012 22:33:28 +0100
From: Jetstar <noreplyitineraries@jetstar.com>
To: <xxxxx@westnet.com.au>
Date: Wed, 28 Nov 2012 22:33:28 +0100
Subject: Jetstar Flight Itinerary
Message-ID: <20121156589089.DA09698063@sydeqximr01.corp.jetstar.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=a__egvthx_04_78_37"
 

Jetstar Flight Itinerary-5212966918.pdf.zip
»www.virustotal.com/file/85c4e25e···4143986/

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
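The header chain above can be checked mechanically for the point where the trustworthy Received: lines stop. The following is an added example, not code from the original post: it parses the Received: headers quoted above, compares each hop's recorded sender with the host the next hop claims wrote it, and reports the first mismatch, which here is the hop inbound-mail04.westnet.com.au accepted from 109.0.152.3 (the sfr.net address); the Gmail-style "by 10.58.23.34" line, the Received-SPF pass and the jetstar.com relay lines below it are all text the sender supplied. The HELO fallback also handles the "from unknown (HELO ...)" form used in the iinet header posted later in this thread.

```python
import re
from email import message_from_string
# Constructed from the Received: lines of the Jetstar header quoted above (the two
# jetstar-internal hops and non-Received headers dropped; continuations re-indented).
JETSTAR_HEADERS = """\
Received: from zim-mta08.web.westnet.com.au (LHLO zim-mta08.web.westnet.com.au) (192.168.39.38)
  by webmail05.westnet.com.au with LMTP; Thu, 29 Nov 2012 05:32:57 +0800 (WST)
Received: from inbound-mail04.westnet.com.au (unknown [203.10.1.239])
  by zim-mta08.web.westnet.com.au (Postfix) with ESMTP id E75FB5C1DD; Thu, 29 Nov 2012 13:31:15 +0800 (WST)
Received: from 3.152.0.109.rev.sfr.net ([109.0.152.3])
  by inbound-mail04.westnet.com.au with ESMTP; 29 Nov 2012 05:32:49 +0800
Received: by 10.58.23.34 with SMTP id j2csp290522vef; Wed, 28 Nov 2012 22:33:28 +0100
Received: from unknown (HELO sydeqximr01.corp.jetstar.com) (168.134.2.42)
  by server-15.tower-143.messagelabs.com with SMTP; Wed, 28 Nov 2012 22:33:28 +0100
"""

HOP_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # the IP the receiving MX recorded

def parse_hop(value):
    """Return (from_name, from_ip, by_name) for one Received: header value."""
    value = re.sub(r"\(qmail[^)]*\)", "", " ".join(value.split()))  # qmail notes contain 'from network'
    m_from = re.search(r"\bfrom\s+(.*?)(?:\s+\bby\b|\s+\bwith\b|;|$)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    from_name = from_ip = None
    if m_from:
        part = m_from.group(1)
        from_name = part.split()[0]
        helo = re.search(r"\(HELO\s+(\S+?)\)", part)
        if from_name.lower() == "unknown" and helo:  # no reverse DNS: fall back to the HELO name
            from_name = helo.group(1)
        ip = HOP_IP.search(part)
        from_ip = ip.group(1) if ip else None
    return from_name, from_ip, (m_by.group(1) if m_by else None)

def label(name):
    return name.split(".")[0].lower() if name else None  # compare short hostnames only

def find_injection_point(raw_headers):
    """Walk the hops from the recipient's MX outward; return (index, from_name, from_ip) of the first
    hop whose recorded sender is not the host the next hop claims wrote it (everything below is sender text)."""
    hops = [parse_hop(v) for v in message_from_string(raw_headers).get_all("Received", [])]
    for i, (from_name, from_ip, _) in enumerate(hops):
        if from_name is None:
            continue
        later = [h for h in hops[i + 1:] if h[2] is not None]  # next hop that names its own server
        if not later or label(from_name) != label(later[0][2]):
            return i, from_name, from_ip
    return None

if __name__ == "__main__":
    print(find_injection_point(JETSTAR_HEADERS))  # (2, '3.152.0.109.rev.sfr.net', '109.0.152.3')
```

Matching short hostnames is only a heuristic (a sender can write a "by" line that mirrors its own reverse DNS), so the value to act on is the IP recorded by the last hop your own mail servers wrote, not anything below it.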



althecat

@telstraclear.net

I have been infected by this. It is a pretty well presented phish. ESET did not detect the cause and is unable to delete. Whatever I have been infected by is polling....

163.143.90.190:80
mapcake.ru/image.php
173.237.185.166.80
orgnet.pl/image.php

and being blocked.

Any assistance would be greatly appreciated.



norwegian
Premium
join:2005-02-15
Outback


That it is.

I have uploaded the .exe and you can see what it affects in this link under the additional information.
»www.virustotal.com/file/db330438···4190577/

A zbot variant is best to be sorted at the »Security Cleanup

Zbot is a known malware; most antivirus companies have a link to a zbot removal tool, but it is still worth a visit to the cleanup forum.
This is the Kaspersky utilities page - zbotkiller
»support.kaspersky.com/viruses/utility

Microsoft's specific link to this type of malware
»www.microsoft.com/security/porta···amarue.I



norwegian
Premium
join:2005-02-15
Outback
reply to althecat

said by :

Any assistance would be greatly appreciated.

I might add, it is quite nasty. Immediately back up your personal data to another drive or an external drive, have it scanned from a clean computer, and keep it aside before attempting to clean malware such as this, if you value the data you have on this infected computer.


Canonware

@on.net
reply to norwegian

Received similar.
Might be of interest/comparison:

Return-Path:
Delivered-To: *******@iinet.net.au
Received: (qmail 16255 invoked from network); 10 Dec 2012 03:37:08 -0000
Received: from unknown (HELO icp-osb-irony-in10.external.iinet.net.au) ([203.59.1.209])
(envelope-sender )
by icp-osb-smtp10.iinet.net.au (qmail-ldap-1.03) with SMTP
for ; 10 Dec 2012 03:37:08 -0000
Received: from unknown (HELO p3plsmtp04-01.prod.phx3.secureserver.net) ([72.167.218.159])
by icp-osb-irony-in10.iinet.net.au with ESMTP; 10 Dec 2012 11:37:06 +0800
Received: (qmail 31443 invoked from network); 10 Dec 2012 03:37:05 -0000
Delivered-To: *****
Received: (qmail 31439 invoked by uid 30297); 10 Dec 2012 03:37:05 -0000
Received: from unknown (HELO p3pismtp01-017.prod.phx3.secureserver.net) ([10.6.12.17])
(envelope-sender )
by p3plsmtp04-01.prod.phx3.secureserver.net (qmail-1.03) with SMTP
for ; 10 Dec 2012 03:37:05 -0000
X-IronPort-Anti-Spam-Result: AqjdAPJVxVA97ix+Umdsb2JhbABDAYF0BgFOf2qFFZ1qhiCIFQGIPUoWAwEcUw8BAYI6JQECCg8IOB4CBQEPIwwSGgoFBAEcBI deAw4NnlqGVogmgViCQQGNFQYBi09pFQEFgRABgjZhA4hdjSiBHYoPiB2BVwEBAgUX
X-IP-SPAM: Suspect
Received: from 061238044126.ctinets.com ([61.238.44.126])
by p3pismtp01-017.prod.phx3.secureserver.net with ESMTP; 09 Dec 2012 20:36:22 -0700
Received: from mail.ippayments.com.au ([118.127.87.126]) by SNT0-MC4-F32.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Mon, 10 Dec 2012 11:36:56 +0800
Received: from web4 ([192.168.10.3])
by mail.ippayments.com.au (IceWarp 10.0.0) with SMTP id WJG59027;
Mon, 10 Dec 2012 11:36:56 +0800
Reply-To:
From:
To:
Subject: Jetstar Flight Itinerary
Date: Mon, 10 Dec 2012 11:36:56 +0800
Message-ID: 646b46a1f31ab0280c14b33b26ad9c88
Return-Path: donotreply@reports.jetstar.com
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=a__uslkmoqfyn_46_50_77"


norwegian
Premium
join:2005-02-15
Outback


We are getting dozens of these types of email / exploits.

Banks, Transport-Qld-Govt-Au, Flights, TicketTek, Phone companies etc. I've posted quite a few here already, yet they seem to be populating quite a few email addresses, more than any other type of spam.
