Just got another viral spam from Bell/sympatico IP in the Montreal area:
===========
Return-Path: (heartsxh67@vodafone.com)
Received: from bell.ca ([174.94.154.30]) by (smtp.$dayjob.com);
Wed, 24 Jul 2013 23:38:29 -0400
Received: from [43.135.80.72] (helo=eijjjuh.lmugcqcucq.com) by bell.ca with esmtpa
(Exim 4.69) (envelope-from ) id (yada.yada) for me@$dayjob.com;
Wed, 24 Jul 2013 22:38:28 -0500
From: verafrazier@vodafone.com
Subject: MMS id#nnnnnnnn
Date: Wed, 24 Jul 2013 22:38:28 -0500
============
The second received line (indicating the ultimate source IP is 43.135.80.72) is undoubtedly forged.
This spam contained a zip file attachment which unpacked to MMS_IMAGE.jpg.exe, which is identified variously at VirusTotal as:
- TR/Spy.Flarbate.A
- W32/Gamarue.JLXR-9264
- Win32/TrojanDownloader.Wauchos.K
- Downloader.Dromedan
- BKDR_ANDROM.JN
The source IP reverses to MTRLPQ02-2925435422.sdsl.bell.ca (again, Montreal).
Trying that IP (174.94.154.30) gives:
===========
Forbidden
You don't have permission to access /UI on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
============
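The reasoning in the post (only the Received line added by your own server is trustworthy; the hop below it was written by the sending machine and can claim any origin it likes) can be turned into a small triage script. The following is an added example, not code from the original poster: it unfolds the header block, parses each Received hop, reports the IP your own server actually saw connecting, lists every hop below that boundary as unverifiable, and flags the double-extension attachment name. The sample headers are a constructed copy of the ones quoted above, with the redacted `$dayjob` host replaced by the placeholder `smtp.example.com`.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the Received chain from the post, written as a raw
# header block with folded continuation lines. "smtp.example.com" stands in
# for the poster's redacted $dayjob mail server.
SAMPLE_HEADERS = """Return-Path: <heartsxh67@vodafone.com>
Received: from bell.ca ([174.94.154.30]) by smtp.example.com;
 Wed, 24 Jul 2013 23:38:29 -0400
Received: from [43.135.80.72] (helo=eijjjuh.lmugcqcucq.com) by bell.ca with esmtpa
 (Exim 4.69) (envelope-from <>) id yada.yada for me@example.com;
 Wed, 24 Jul 2013 22:38:28 -0500
From: verafrazier@vodafone.com
Subject: MMS id#nnnnnnnn
"""


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> dict:
    """Pull the from-host, bracketed IP, HELO name and by-host out of one hop."""
    hop = {"from": None, "ip": None, "helo": None, "by": None}
    m = re.search(r"(?<![-\w])from\s+([^\s;(]+)", value)  # skip 'envelope-from'
    if m:
        hop["from"] = m.group(1)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    if m:
        hop["ip"] = m.group(1)
    m = re.search(r"helo=([^\s;)]+)", value)
    if m:
        hop["helo"] = m.group(1)
    m = re.search(r"\bby\s+([^\s;(]+)", value)
    if m:
        hop["by"] = m.group(1)
    return hop


def received_chain(raw: str) -> List[dict]:
    """Received hops in header order: index 0 is the hop closest to us."""
    return [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]


def trusted_source_ip(chain: List[dict], trusted_hosts: Set[str]) -> Optional[str]:
    """IP recorded by the first hop that one of *our* servers wrote.

    That is the address that really connected to us; anything the sender's
    side wrote below it is just text it chose to include."""
    for hop in chain:
        if hop["by"] in trusted_hosts:
            return hop["ip"]
    return None


def unverified_hops(chain: List[dict], trusted_hosts: Set[str]) -> List[dict]:
    """Every hop after the last one written by a trusted server."""
    for i, hop in enumerate(chain):
        if hop["by"] in trusted_hosts:
            return chain[i + 1:]
    return list(chain)  # nothing we trust: treat the whole chain as claims


# File types commonly disguised by appending an executable extension.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def is_masquerading_executable(filename: str) -> bool:
    """True for names like MMS_IMAGE.jpg.exe: a decoy extension before a real one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXTS and "." + parts[-2] in DECOY_EXTS


if __name__ == "__main__":
    ours = {"smtp.example.com"}
    chain = received_chain(SAMPLE_HEADERS)
    print("connecting IP seen by our server:", trusted_source_ip(chain, ours))
    for hop in unverified_hops(chain, ours):
        print("unverifiable hop claims", hop["ip"], "helo", hop["helo"], "by", hop["by"])
    print("attachment masquerading:", is_masquerading_executable("MMS_IMAGE.jpg.exe"))
```

Run as-is it reports 174.94.154.30 as the only IP that can be relied on, prints the 43.135.80.72 hop as an unverifiable claim, and flags the attachment name; point `ours` at your own MX hostnames to use it on real mail.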