Malware Kuluoz / Asprox botnet - Walmart "Delivery Canceling" / "Standard Delivery Failure"

 
The links lead to compromised websites hosting the Kuluoz/Asprox downloader.
 
 
 
Engine                 Detection                           Signature date
Microsoft              TrojanDownloader:Win32/Kuluoz.D     20131227
AhnLab-V3              Trojan/Win32.Asprox                 20131227
Ikarus                 Trojan.Win32.Meredrop               20131227
TheHacker              Posible_Worm32                      20131227
Rising                 PE:Malware.FakeDOC@CV!1.9C3C        20131227
TrendMicro-HouseCall   PAK_Generic.001                     20131227
TrendMicro             PAK_Generic.001                     20131227
Sophos                 Mal/Weelsof-E                       20131227
McAfee                 Artemis!465795B5F874                20131227
McAfee-GW-Edition      Artemis!465795B5F874                20131227
 
 
========
From: Walmart <stephanie@carlsbadortho.com>
To: 
Cc:
Date: Fri, 27 Dec 2013 11:24:34 +0700
Subject: Delivery Canceling
Wallmart
 Walmart

     Save money. Live better.
   
Sir/Madam, 

Your order WM-003531744 <http://pryozerne.com/media/06AHX70Cx26BZmm5M/wzYMJYEGMRFi8UpYv05R2aBMo=/WalmartForm>  delivery has failed because the address was not specified correctly. You are advised to fill this form <http://pryozerne.com/media/06AHX70Cx26BZmm5M/wzYMJYEGMRFi8UpYv05R2aBMo=/WalmartForm>  and send it back to us. 


If your reply is not received within one week, you will be paid your money back but 17% will be deducted since you order was booked for Christmas holidays.


2013 Wal-Mart Stores, Inc.

 

Date: Thu, 26 Dec 2013 02:04:18 +0100
From: Walmart <vivian_zb@formosa.sina.net>
To: 
Subject: Standard Delivery Failure
 Walmart
     Save money. Live better.
   
Sir/Madam,

Your order WM-001227458 <http://ag376.us/media/YzzCyDSGYnaWb1/7UQREFk8d7z2iKr7+OC+K8q14uxY=/WalmartForm>
delivery has failed because the address was not specified correctly. You are advised to fill this form and send it back to us.


If your reply is not received within one week, you will be paid your money back but 17% will be deducted since you order was booked for Christmas holidays.
 
 
 
 Envelope From: stephanie@carlsbadortho.com
Envelope To:
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative; boundary="b1_b18cd0f1f5d23290598dd89434faec65"
Date: Fri, 27 Dec 2013 11:24:34 +0700
From: Walmart <stephanie@carlsbadortho.com>
MIME-Version: 1.0
Message-ID: <b18cd0f1f5d23290598dd89434faec65@com>
..
Received: from kitt.3treepoint.com ([216.162.203.106]) by iron3-mx.tops.gwu.edu with ESMTP; 26 Dec 2013 23:24:58 -0500
Received: from sibotakusaiten.ru (62-68-140-214.tomtelnet.ru [62.68.140.214]) by kitt.3treepoint.com with SMTP; Thu, 26 Dec 2013 20:24:39 -0800
x-sender="stephanie@carlsbadortho.com"; x-conformance=spf_only; x-record-type="v=spf1"
..
Reply-To: Walmart <stephanie@carlsbadortho.com>
Return-Path: <stephanie@carlsbadortho.com>

Nigerian scam - ADOPTION

Free babies



From: Mrs. Yuby Dada [mailto:xtrueforever21x@aol.com] 
Sent: Friday, December 20, 2013 2:58 AM
To: 
Subject: ADOPTION.

Hello,
Am Mrs Yuby Dada from Nigeria, I gave birth to triplets 3 babies at a time after the death my husband. I have 8 children birth of triplets in addition to the 5 already from God, I 've decided to give out the triplets for adoption but one of the babies is now adopted remaining two babies with me. If you are interested please reply with your full name, address and cellphone number so I can pass to the lawyer as adoptive parent.
Thanks
Yuby

Password theft - "IT HELP DESK INFORMATION"



From: Ben Van der Werf 
Date: Thursday, December 19, 2013
Subject: RE: IT HELP DESK INFORMATION 
To: Ben Van der Werf <[redacted]@rollins.edu>

Your account safety is our top priority.


Recently, we have detected some unusual activity on your account and as a result,

all email users are urged to update  their email account within 24 hours of receiving this e-mail, using the update link: ITS to confirm that your email account is up to date with the institution requirement. 
< http://outlookowa.twomini.com/index.php >
Do not ignore this message to avoid termination of your web mail account. 

Our apologies for any inconvenience this may have caused, but your account safety and privacy is very important to us.

Thanks for your co-operation.

Yours sincerely,



© Copyright 2013 
Webmaster Admin.
 
 

Password phishing - "Staff and Faculty Mailbox Message!"


From: Skerritt, Cindy
Sent: Tuesday, December 17, 2013 6:17 AM
To: Skerritt, Cindy
Subject: Staff and Faculty Mailbox Message!
Staff and Faculty Mailbox Message!
[quota bar graphic: 485MB of 500MB]
 
Staff and Faculty Members mailbox quota size increase.
Automatically increase Quota size by clicking on  Staff and Faculty Member Access-Page 
Fill-out the necessary requirements to automatically increase your mailbox quota size.
 
Additional Info Staff and Faculty Members Only.
Click on Staff and Faculty Access-Page
 
IMPORTANT NOTE: You won't be able to send and receive mail messages at 495MB . 
 
IT Help Desk
ADMIN TEAM
 
©Copyright 2013 Microsoft

Redirects to


Envelope From: CSkerritt@wolcottps.org
Content-Type: multipart/alternative; boundary="_000_eb4e7a1f5623425f9afa130c73759c20MAILwolcottpsorg_"
Date: Tue, 17 Dec 2013 11:54:01 +0000
From: "Skerritt, Cindy" <CSkerritt@wolcottps.org>
In-Reply-To: <FA1E6CC588BBF24E9CD7E718CE2618A21D90C9CF@mail.wolcottps.org>
MIME-Version: 1.0
Message-ID: <eb4e7a1f-5623-425f-9afa-130c73759c20@MAIL.wolcottps.org>
Received: from mail.wolcottps.org ([64.251.54.70])
 envelope-from="CSkerritt@wolcottps.org"; x-sender="CSkerritt@wolcottps.org"; x-conformance=spf_only
 
x-sender="postmaster@mail.wolcottps.org"; x-conformance=spf_only
References: <FA1E6CC588BBF24E9CD7E718CE2618A21D8EEA84@mail.wolcottps.org>,<FA1E6CC588BBF24E9CD7E718CE2618A21D90C9CF@mail.wolcottps.org>
Thread-Index: Ac74BeGSf4dkDzDYQ/m0gx8UZ6LdIwDExM4FAAFlXKE=
Thread-Topic: Staff and Faculty Mailbox Message!
To: "Skerritt, Cindy" <CSkerritt@wolcottps.org>
X-Ipas-Result: AqXWAOM5sFJA+zZGdGdsb2JhbABZgXEGTyNZSQEBCqYfiXKBE4dEgR8WDgEMFQg8gS8BAVkBARkBAQEBAweBAgIBCBEEAQEvMh0IAQEEiBcBQbA3AZgKjj8CAQECEEQGgSEBAloDJyWBYwSJC48LgTCUDoFoAQQCAgsBAQEIASI
X-Ironport-Anti-Spam-Filtered: true
X-Ironport-Anti-Spam-Result: AqXWAOM5sFJA+zZGdGdsb2JhbABZgXEGTyNZSQEBCqYfiXKBE4dEgR8WDgEMFQg8gS8BAVkBARkBAQEBAweBAgIBCBEEAQEvMh0IAQEEiBcBQbA3AZgKjj8CAQECEEQGgSEBAloDJyWBYwSJC48LgTCUDoFoAQQCAgsBAQEIASI
X-Ironport-Av: E=Sophos;i="4.95,501,1384318800"; d="scan'208,217";a="341420848"
X-MS-Has-Attach:
X-MS-Tnef-Correlator:
X-Originating-Ip: [70.38.31.71]



IP lookup for 70.38.31.71:

IP: 70.38.31.71
Decimal: 1176903495
Hostname: 70.38.31.71
ISP: IWeb Technologies
Organization: IWeb Technologies
Services: Network sharing device or proxy server; recently reported forum spam source (7)
Type:
Assignment: Static IP
Blacklist:

Geolocation Information

Country: Canada
State/Region: Quebec

Password theft - "AW: Warning ..! Low Storage Space"

From: Denise Gräper <d.graeper@uni-oldenburg.de>
Date: Sat, Dec 7, 2013 at 7:53 AM
Subject: AW: Warning ..! Low Storage Space
To: Denise Gräper <d.graeper@uni-oldenburg.de>


Your e-mail box has reached the maximum limit of storage and your account will be deactivated if you do not update Now. click here, http://www.rockettrailers.com/FormGenerator/use/upgrade/form1.html and follow the instructions to upgrade to more storage. Your account will remain active after you have successfully confirmed your account.

Admin Help desk.
© Copyright 2013


The phishing form currently returns a 404 error: http://www.rockettrailers.com/FormGenerator/use/upgrade/form1.html

Password phishing from a Sycamore International account - "Monthly Invoice"

 Password phishing from a compromised account at sycamoreinternational.com. The link is currently not working.
 
 =======
From: Mike [redacted] <mike[redacted]@sycamoreinternational.com>
To: undisclosed-recipients:;
Cc: 
Date: Fri, 6 Dec 2013 17:35:26 +0100
Subject: Monthly Invoice
Can you please review the following invoice for payment, follow the invoice link below it will appear the secure sign on page, Login with your email to access the secure invoice pages.
 
 Click here. 

<http://www.reiffco.com/administrator/manifests/libraries/AutoMain/> 
 
 
Thanks.

-- 
Mike
 [redacted]
Purchasing Agent, Sycamore International
Office:
 [redacted] 8434 extension 1
Mobile: 

Password Phishing - "Monthly Invoice" from a Faronics address.


Phishing from a compromised account at Faronics. The link is currently not working.


From: Dennis [Redacted] <d[Redacted]@faronics.com>
To: undisclosed-recipients:;
Cc: 
Date: Fri, 6 Dec 2013 17:01:35 +0100
Subject: Monthly Invoice
Can you please review the following invoice for payment, follow the invoice link below it will appear the secure sign on page, Login with your email to access the secure invoice pages.

Dennis [Redacted]
Maintenance Renewals
Faronics

[Redacted]
Connect with me on LinkedIn

Connect with Faronics:
faronics.com/getsocial


Password phishing - Notificación

From: Speedy Equipo < >
Date: 2013/12/5
Subject: Notificación
To: 


https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ2yQfbC9_SUc7xb2qp9WAU59i6-s2SwwXn6Zd61glALWJ-vwPOFg
 
We discovered spam-like activity on your webmail account,
which is against our Acceptable Use Policy.

Kindly click here to verify that you are the owner of the
account and not a spammer.
<http://uba.bravesites.com/>

We apologize for any inconvenience this may cause you.

Thanks,
Speedy Equipo

Password phishing - "Kindly Review Documents"

From: Amanda Northcross <amandaln@gmail.com>
Date: December 4, 2013 at 11:05:03 AM EST
To: undisclosed-recipients:;
Subject: Kindly Review Documents

Hello,
I've shared a document with you , please CLICK HERE to sign in with your email to view.
<http://lrtltrtrjytngfgn.fhero.net/googledocsssssss/doc/file.index.htm>


Best regards,
Amanda


Navy Federal bank password phishing - "IMPORTANCE SECURE MESSAGE!"

From: Navy Federal Credit Union <ibanking@noreply_ib.nfcu.com>
To: 
Cc: 
Date: Mon, 02 Dec 2013 15:52:11 +0000
Subject: IMPORTANCE SECURE MESSAGE!

https://www.navyfederal.org/images/structure/nfculogo.png?q=tbn:ANd9GcT7T6NDArZkfCuWPJ-JAT8wjRvQYR3y3idGOdidroyDITz4nopk0HYZyt20
 
 
Dear Valued Customer,

Your Navy Federal Credit Union online internet banking account has

been restricted due to unauthorized transaction.

Click here To Renew  <http://www.kitabkaurindia.org/real/index.html>

Thank you for banking with us.
Sincerely,
Navy Federal Credit Union Bank
 
 

Password phishing - "Do not ignore this message"

From: [redacted] Helpdesk <ayers006@cougars.csusm.edu>
Date: Sun, Dec 1, 2013 at 5:43 PM
Subject: Do not ignore this message
To:


Attention,

An Attempt has been made to login from a new computer. For security 
purposes, we are poised to open a query. Please click here 
to verify your login details. <http://www.muangthai.com/agoda/GroupWise/NovellGroupWise.htm>
Do not ignore this message.
ITS Helpdesk



Upon "login", the form redirects the victim to https://idefix.rz.uni-landau.de/gw/webacc, which is the legitimate webmail site of the University of Koblenz-Landau.

Password phishing - "RE: ACCOUNT COMPROMISE NOTIFICATION WARNING !!"

From: [redacted], John <[redacted]@ttuhsc.edu>
Date: Fri, Nov 29, 2013 at 8:34 AM
Subject: RE: ACCOUNT COMPROMISE NOTIFICATION WARNING !!
To: [redacted] <[redacted]@ttuhsc.edu>

 Dear user,

your Account was login from an unusual location. We prevented the sign-in attempt in case this was an unauthorized access into your account. Please review the login attempt details below:

Friday, 29th November, 2013.
Central Daylight Time (CDT) -0500
UTC Server Address: 72.234.198.59
Location: Honolulu, Hawaii.

 We urge you to immediately follow this secure link below to enable us verify your account.
   
Accountverification <https://secure.blueoctane.net/forms/T2BV2E8LWH2Y>

Sincerely,
IT Services



Nigerian 419 Scam - Microsoft Notification Letter

419 scam from Nigerians/Ghanaians - whoever they are.

IP to block: 41.203.69.1 (Nigeria)


awww, flowers
Date: Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
From: MICROSOFT® CORPORATION <doracila.sarango@educacion.gob.ec>
To: undisclosed-recipients:;
Subject: NOTIFICATION LETTER
Attachments: MICROSOFT® CORPORATION.pdf, MICROSOFT® CORPORATION.rtf

MICROSOFT® CORPORATION Edinburgh Regional Office Microsoft Edinburgh
Waverley Gate
2-4 Waterloo Place
Edinburgh EH1 3EG United Kingdom.

PRODUCT AWARD NOTIFICATION LETTER

On behalf of Microsoft Corporation Edinburgh UK, we wish to notify all our online customers as we celebrate the Microsoft Edinburgh product Award for 2013 and also to congratulate you for emerging as the third (3rd) prize winner in our E-mail Electronic Online Random Selection program Organized for the year 2013 Microsoft Edinburgh Products Award. The Programme is held every year with an aim of encouraging the use of Microsoft Products on the Internet and promote computer literacy worldwide in 2013.

A Cheque will be issued in your name by Microsoft Corporation Board Edinburgh UK, you have therefore been cleared to receive the sum of£850, 000, 00GBP (Eight Hundred And Fifty thousand Great British Pounds Sterling) and a Brand new HCL Mileap L Series Laptop which consequently was staked to be won in the 3rd category. You are advised to e-mail the MICROSOFT EDINBURGH UK Payment Consultant belowwith the following details below for your Claims Personally.

Contact: Foreign Payment Consultant.
Mrs. Audrey Collins  

Provide below information for Your Payment.
.Permanent Residential Address:
.Tel (Mobile):
.Nationality/Country:
.Full Name:
.Age/Sex:
.Private email address:
.Occupation/Position:
.What is your comment On Microsoft Products?

NOTE!!! For security reasons, you are advised to keep your winning information confidential till your claims are processed and your money remitted to you. This is part of our precautionarymeasure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements. Please be WARNED!!!!

Congratulations from the Staffs & Members of Microsoft Board Commission. Derrick McCourt.
Regional Director,
Microsoft Edinburgh, Scotland & Wales at Microsoft Corporation UK.
©2013 Microsoft Corporatio


Header


Envelope From: doracila.sarango@educacion.gob.ec
Envelope To:

 Content-Type: multipart/mixed; boundary="----=_Part_908086_2050758738.1385269107821"
Date: Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
From: =?utf-8?Q?MICROSOFT=C2=AE?= CORPORATION <doracila.sarango@educacion.gob.ec>
MIME-Version: 1.0
Message-ID: <2084712122.908089.1385269107910.JavaMail.root@educacion.gob.ec>

Received: from mail.educacion.gob.ec ([200.107.59.148]) 
Received: from localhost (localhost [127.0.0.1]) by mail.educacion.gob.ec (Postfix) with ESMTP id 03E552184D70; Sat, 23 Nov 2013 23:58:34 -0500 (ECT)
Received: from mail.educacion.gob.ec ([127.0.0.1]) by localhost (mail.educacion.gob.ec [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5GEI-GXN27k; Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
Received: from mail.educacion.gob.ec (mail.educacion.gob.ec [10.2.30.119]) by mail.educacion.gob.ec (Postfix) with ESMTP id 027B32184D6D; Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
Reply-To: "anthony.chris210@qq.com" <anthony.chris210@qq.com>
To: undisclosed-recipients:;
X-Ironport-Av: E=Sophos;i="4.93,766,1378872000"; d="pdf'?rtf'212?scan'212,208,212";a="551543629"
X-Mailer: Zimbra 7.2.0_GA_2669 (zclient/7.2.0_GA_2669)
X-Originating-Ip: [41.203.69.1]
X-Senderbase: -3.9
X-Virus-Scanned: amavisd-new at mail.educacion.gob.ec
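The header reading done by hand above (earliest public hop in the Received chain, X-Originating-Ip for the webmail-sent 419 letter, a "Walmart" display name on an unrelated domain, a Reply-To that differs from From) can be scripted. The following triage script is an added example, not code from the original post; the two header samples are trimmed copies of the Walmart "Delivery Canceling" and "NOTIFICATION LETTER" headers quoted on this page, and the WATCHED_BRANDS allowlist is a constructed assumption.

```python
"""Header triage for phishing samples (added example, standard library only)."""
import email
import ipaddress
import re
from email import policy

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed allowlist (assumption): domains each brand legitimately mails from.
WATCHED_BRANDS = {
    "walmart": ("walmart.com",),
    "microsoft": ("microsoft.com",),
}

# Constructed input: trimmed copy of the Walmart "Delivery Canceling" headers above.
WALMART_HEADERS = """\
Return-Path: <stephanie@carlsbadortho.com>
Received: from kitt.3treepoint.com ([216.162.203.106]) by iron3-mx.tops.gwu.edu with ESMTP; 26 Dec 2013 23:24:58 -0500
Received: from sibotakusaiten.ru (62-68-140-214.tomtelnet.ru [62.68.140.214]) by kitt.3treepoint.com with SMTP; Thu, 26 Dec 2013 20:24:39 -0800
From: Walmart <stephanie@carlsbadortho.com>
Reply-To: Walmart <stephanie@carlsbadortho.com>
Subject: Delivery Canceling

(body omitted)
"""

# Constructed input: trimmed copy of the "NOTIFICATION LETTER" 419 headers above.
MS419_HEADERS = """\
Received: from mail.educacion.gob.ec ([200.107.59.148])
Received: from localhost (localhost [127.0.0.1]) by mail.educacion.gob.ec (Postfix) with ESMTP id 03E552184D70; Sat, 23 Nov 2013 23:58:34 -0500 (ECT)
Received: from mail.educacion.gob.ec ([127.0.0.1]) by localhost (mail.educacion.gob.ec [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5GEI-GXN27k; Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
Received: from mail.educacion.gob.ec (mail.educacion.gob.ec [10.2.30.119]) by mail.educacion.gob.ec (Postfix) with ESMTP id 027B32184D6D; Sat, 23 Nov 2013 23:58:28 -0500 (ECT)
From: =?utf-8?Q?MICROSOFT=C2=AE?= CORPORATION <doracila.sarango@educacion.gob.ec>
Reply-To: "anthony.chris210@qq.com" <anthony.chris210@qq.com>
Subject: NOTIFICATION LETTER
X-Originating-Ip: [41.203.69.1]

(body omitted)
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def relay_chain(msg):
    """Sending-host IP from each Received header, earliest hop first.
    Every MTA prepends its own Received line, so the bottom one is the oldest,
    and the 'from' clause (first IP in the value) names the peer it accepted from."""
    hops = []
    for value in msg.get_all("Received", []):
        m = IPV4_RE.search(str(value))
        if m:
            hops.append(m.group(0))
    hops.reverse()
    return hops


def originating_ip(msg):
    """Webmail gateways (Zimbra here) record the client in X-Originating-Ip; when it
    is absent, fall back to the earliest publicly routable hop in the Received chain."""
    xo = msg.get("X-Originating-Ip")
    if xo:
        m = IPV4_RE.search(str(xo))
        if m:
            return m.group(0)
    for ip in relay_chain(msg):
        if ipaddress.ip_address(ip).is_global:
            return ip
    return None


def address_parts(msg, field):
    """(display name, lower-cased domain) of the first address in a header, or blanks."""
    header = msg.get(field)
    if header is None or not header.addresses:
        return "", ""
    addr = header.addresses[0]
    return addr.display_name, addr.domain.lower()


def brand_mismatch(msg):
    """Name of a watched brand claimed in the From display name while the sender
    domain is not on that brand's allowlist, e.g. 'Walmart <...@carlsbadortho.com>'."""
    name, domain = address_parts(msg, "From")
    for brand, legit in WATCHED_BRANDS.items():
        if brand in name.lower() and not any(domain == d or domain.endswith("." + d) for d in legit):
            return brand
    return None


def reply_to_mismatch(msg):
    """Reply-To on a different domain than From: the lure goes out through an abused
    account, but answers are routed to the scammer's own mailbox."""
    _, from_domain = address_parts(msg, "From")
    _, reply_domain = address_parts(msg, "Reply-To")
    return bool(reply_domain) and reply_domain != from_domain


def triage(raw):
    msg = parse(raw)
    return {
        "subject": str(msg.get("Subject", "")),
        "originating_ip": originating_ip(msg),
        "relay_chain": relay_chain(msg),
        "brand_mismatch": brand_mismatch(msg),
        "reply_to_mismatch": reply_to_mismatch(msg),
    }


if __name__ == "__main__":
    for raw in (WALMART_HEADERS, MS419_HEADERS):
        for key, value in triage(raw).items():
            print(f"{key}: {value}")
        print()
```

For the 419 letter the earliest public hop is the abused mail.educacion.gob.ec server (200.107.59.148), which is why the script prefers X-Originating-Ip: that is where the 41.203.69.1 address the post recommends blocking comes from. For the Walmart lure, with no such header, the earliest public hop is the tomtelnet.ru host that handed the message to the 3treepoint.com relay.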



IP lookup for 41.203.69.1:

IP: 41.203.69.1
Decimal: 701187329
Hostname: 41.203.69.1
ISP: Globacom Ltd
Organization: Globacom Ltd
Services: Network sharing device or proxy server; recently reported forum spam source (1)
Type:
Assignment: Static IP
Blacklist:

Geolocation Information

Country: Nigeria