Malware Kuluoz / Asprox botnet - Walmart "Delivery Canceling" / "Standard Delivery Failure"

 
The links lead to compromised websites hosting malware - Kuluoz/Asprox downloader
 
 
 
Vendor                   Detection                          Date
Microsoft                TrojanDownloader:Win32/Kuluoz.D    20131227
AhnLab-V3                Trojan/Win32.Asprox                20131227
Ikarus                   Trojan.Win32.Meredrop              20131227
TheHacker                Posible_Worm32                     20131227
Rising                   PE:Malware.FakeDOC@CV!1.9C3C       20131227
TrendMicro-HouseCall     PAK_Generic.001                    20131227
TrendMicro               PAK_Generic.001                    20131227
Sophos                   Mal/Weelsof-E                      20131227
McAfee                   Artemis!465795B5F874               20131227
McAfee-GW-Edition        Artemis!465795B5F874               20131227
 
 
========
From: Walmart <stephanie@carlsbadortho.com>
To: 
Cc:
Date: Fri, 27 Dec 2013 11:24:34 +0700
Subject: Delivery Canceling
Wallmart
 Walmart

     Save money. Live better.
   
Sir/Madam, 

Your order WM-003531744 <http://pryozerne.com/media/06AHX70Cx26BZmm5M/wzYMJYEGMRFi8UpYv05R2aBMo=/WalmartForm>  delivery has failed because the address was not specified correctly. You are advised to fill this form <http://pryozerne.com/media/06AHX70Cx26BZmm5M/wzYMJYEGMRFi8UpYv05R2aBMo=/WalmartForm>  and send it back to us. 


If your reply is not received within one week, you will be paid your money back but 17% will be deducted since your order was booked for the Christmas holidays.


2013 Wal-Mart Stores, Inc.

 

Date: Thu, 26 Dec 2013 02:04:18 +0100
From: Walmart <vivian_zb@formosa.sina.net>
To: 
Subject: Standard Delivery Failure
 Walmart
     Save money. Live better.
   
Sir/Madam,

Your order WM-001227458 <http://ag376.us/media/YzzCyDSGYnaWb1/7UQREFk8d7z2iKr7+OC+K8q14uxY=/WalmartForm>
delivery has failed because the address was not specified correctly. You are advised to fill this form and send it back to us.


If your reply is not received within one week, you will be paid your money back but 17% will be deducted since your order was booked for the Christmas holidays.
 
 
 
Envelope From: stephanie@carlsbadortho.com
Envelope To:
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative; boundary="b1_b18cd0f1f5d23290598dd89434faec65"
Date: Fri, 27 Dec 2013 11:24:34 +0700
From: Walmart <stephanie@carlsbadortho.com>
MIME-Version: 1.0
Message-ID: <b18cd0f1f5d23290598dd89434faec65@com>
..
Received: from kitt.3treepoint.com ([216.162.203.106]) by iron3-mx.tops.gwu.edu with ESMTP; 26 Dec 2013 23:24:58 -0500
Received: from sibotakusaiten.ru (62-68-140-214.tomtelnet.ru [62.68.140.214]) by kitt.3treepoint.com with SMTP; Thu, 26 Dec 2013 20:24:39 -0800
x-sender="stephanie@carlsbadortho.com"; x-conformance=spf_only; x-record-type="v=spf1"
..
Reply-To: Walmart <stephanie@carlsbadortho.com>
Return-Path: <stephanie@carlsbadortho.com>

Nigerian scam - ADOPTION

Free babies



From: Mrs. Yuby Dada [mailto:xtrueforever21x@aol.com] 
Sent: Friday, December 20, 2013 2:58 AM
To: 
Subject: ADOPTION.

Hello,
I am Mrs Yuby Dada from Nigeria. I gave birth to triplets, 3 babies at a time, after the death of my husband. I have 8 children, the triplets in addition to the 5 already from God. I've decided to give out the triplets for adoption, but one of the babies is now adopted, remaining two babies with me. If you are interested please reply with your full name, address and cellphone number so I can pass it to the lawyer as adoptive parent.
Thanks
Yuby

Password theft - "IT HELP DESK INFORMATION "



From: Ben Van der Werf 
Date: Thursday, December 19, 2013
Subject: RE: IT HELP DESK INFORMATION 
To: Ben Van der Werf <[redacted]@rollins.edu>

Your account safety is our top priority.


Recently, we have detected some unusual activity on your account and as a result, all email users are urged to update their email account within 24 hours of receiving this e-mail, using the update link (ITS) to confirm that your email account is up to date with the institution's requirement.
< http://outlookowa.twomini.com/index.php >
Do not ignore this message to avoid termination of your web mail account. 

Our apologies for any inconvenience this may have caused, but your account safety and privacy is very important to us.

Thanks for your co-operation.

Yours sincerely,



© Copyright 2013 
Webmaster Admin.
 
 

Password phishing - "Staff and Faculty Mailbox Message!"


From: Skerritt, Cindy
Sent: Tuesday, December 17, 2013 6:17 AM
To: Skerritt, Cindy
Subject: Staff and Faculty Mailbox Message!
Staff and Faculty Mailbox Message!
(mailbox quota graphic: 485MB of 500MB)
 
Staff and Faculty Members mailbox quota size increase.
Automatically increase Quota size by clicking on Staff and Faculty Member Access-Page
Fill-out the necessary requirements to automatically increase your mailbox quota size.
 
Additional Info Staff and Faculty Members Only.
Click on Staff and Faculty Access-Page
 
IMPORTANT NOTE: You won't be able to send and receive mail messages at 495MB.
 
IT Help Desk
ADMIN TEAM
 
©Copyright 2013 Microsoft

Redirects to


Envelope From: CSkerritt@wolcottps.org
Content-Type: multipart/alternative; boundary="_000_eb4e7a1f5623425f9afa130c73759c20MAILwolcottpsorg_"
Date: Tue, 17 Dec 2013 11:54:01 +0000
From: "Skerritt, Cindy" <CSkerritt@wolcottps.org>
In-Reply-To: <FA1E6CC588BBF24E9CD7E718CE2618A21D90C9CF@mail.wolcottps.org>
MIME-Version: 1.0
Message-ID: <eb4e7a1f-5623-425f-9afa-130c73759c20@MAIL.wolcottps.org>
Received: from mail.wolcottps.org ([64.251.54.70])
 envelope-from="CSkerritt@wolcottps.org"; x-sender="CSkerritt@wolcottps.org"; x-conformance=spf_only
 
x-sender="postmaster@mail.wolcottps.org"; x-conformance=spf_only
References: <FA1E6CC588BBF24E9CD7E718CE2618A21D8EEA84@mail.wolcottps.org>,<FA1E6CC588BBF24E9CD7E718CE2618A21D90C9CF@mail.wolcottps.org>
Thread-Index: Ac74BeGSf4dkDzDYQ/m0gx8UZ6LdIwDExM4FAAFlXKE=
Thread-Topic: Staff and Faculty Mailbox Message!
To: "Skerritt, Cindy" <CSkerritt@wolcottps.org>
X-Ipas-Result: AqXWAOM5sFJA+zZGdGdsb2JhbABZgXEGTyNZSQEBCqYfiXKBE4dEgR8WDgEMFQg8gS8BAVkBARkBAQEBAweBAgIBCBEEAQEvMh0IAQEEiBcBQbA3AZgKjj8CAQECEEQGgSEBAloDJyWBYwSJC48LgTCUDoFoAQQCAgsBAQEIASI
X-Ironport-Anti-Spam-Filtered: true
X-Ironport-Anti-Spam-Result: AqXWAOM5sFJA+zZGdGdsb2JhbABZgXEGTyNZSQEBCqYfiXKBE4dEgR8WDgEMFQg8gS8BAVkBARkBAQEBAweBAgIBCBEEAQEvMh0IAQEEiBcBQbA3AZgKjj8CAQECEEQGgSEBAloDJyWBYwSJC48LgTCUDoFoAQQCAgsBAQEIASI
X-Ironport-Av: E=Sophos;i="4.95,501,1384318800"; d="scan'208,217";a="341420848"
X-MS-Has-Attach:
X-MS-Tnef-Correlator:
X-Originating-Ip: [70.38.31.71]



IP:            70.38.31.71
Decimal:       1176903495
Hostname:      70.38.31.71
ISP:           IWeb Technologies
Organization:  IWeb Technologies
Services:      Network sharing device or proxy server
               Recently reported forum spam source. (7)
Type:
Assignment:    Static IP
Blacklist:
Geolocation Information
Country:       Canada
State/Region:  Quebec

Password theft - "AW: Warning ..! Low Storage Space"

From: Denise Gräper <d.graeper@uni-oldenburg.de>
Date: Sat, Dec 7, 2013 at 7:53 AM
Subject: AW: Warning ..! Low Storage Space
To: Denise Gräper <d.graeper@uni-oldenburg.de>


Your e-mail box has reached the maximum limit of storage and your account will be deactivated if you do not update now. Click here, http://www.rockettrailers.com/FormGenerator/use/upgrade/form1.html, and follow the instructions to upgrade to more storage. Your account will remain active after you have successfully confirmed your account.

Admin Help desk.
© Copyright 2013


404 error currently on http://www.rockettrailers.com/FormGenerator/use/upgrade/form1.html

Password phishing from Sycamore International acct - "Monthly Invoice"

Password phishing from a compromised account at sycamoreinternational.com. The link is currently not working.
 
 =======
From: Mike [redacted] <mike[redacted]@sycamoreinternational.com>
To: undisclosed-recipients:;
Cc: 
Date: Fri, 6 Dec 2013 17:35:26 +0100
Subject: Monthly Invoice
Can you please review the following invoice for payment. Follow the invoice link below; the secure sign-on page will appear. Login with your email to access the secure invoice pages.
 
 Click here. 

<http://www.reiffco.com/administrator/manifests/libraries/AutoMain/> 
 
 
Thanks.

-- 
Mike
 [redacted]
Purchasing Agent, Sycamore International
Office:
 [redacted] 8434 extension 1
Mobile: 

Password Phishing - "Monthly Invoice" from a Faronics address.


Phishing from a compromised account at Faronics. The link is currently not working


From: Dennis [Redacted] <d[Redacted]@faronics.com>
To: undisclosed-recipients:;
Cc: 
Date: Fri, 6 Dec 2013 17:01:35 +0100
Subject: Monthly Invoice
Can you please review the following invoice for payment. Follow the invoice link below; the secure sign-on page will appear. Login with your email to access the secure invoice pages.

Dennis [Redacted]
Maintenance Renewals
Faronics

[Redacted]
Connect with me on LinkedIn

Connect with Faronics:
faronics.com/getsocial


Password phishing - Notificación

From: Speedy Equipo < >
Date: 2013/12/5
Subject: Notificación
To: 


https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQ2yQfbC9_SUc7xb2qp9WAU59i6-s2SwwXn6Zd61glALWJ-vwPOFg
 
We discovered spam-like activity in your webmail account,
which is against our Acceptable Use Policy.

Kindly click here to verify that you are the owner of the
account and not a spammer.
<http://uba.bravesites.com/>

We apologize for any inconvenience this may cause you.

Thanks,
Speedy Equipo

Password phishing - "Kindly Review Documents"

From: Amanda Northcross <amandaln@gmail.com>
Date: December 4, 2013 at 11:05:03 AM EST
To: undisclosed-recipients:;
Subject: Kindly Review Documents

Hello,
I've shared a document with you , please CLICK HERE to sign in with your email to view.
<http://lrtltrtrjytngfgn.fhero.net/googledocsssssss/doc/file.index.htm>


Best regards,
Amanda


Navy Federal bank password phishing - "IMPORTANCE SECURE MESSAGE!"

From: Navy Federal Credit Union <ibanking@noreply_ib.nfcu.com>
To: 
Cc: 
Date: Mon, 02 Dec 2013 15:52:11 +0000
Subject: IMPORTANCE SECURE MESSAGE!

https://www.navyfederal.org/images/structure/nfculogo.png?q=tbn:ANd9GcT7T6NDArZkfCuWPJ-JAT8wjRvQYR3y3idGOdidroyDITz4nopk0HYZyt20
 
 
Dear Valued Customer,

Your Navy Federal Credit Union online internet banking account has

been restricted due to unauthorized transaction.

Click here To Renew  <http://www.kitabkaurindia.org/real/index.html>

Thank you for banking with us.
Sincerely,
Navy Federal Credit Union Bank
 
 

Password phishing - "Do not ignore this message"

From: [redacted] Helpdesk <ayers006@cougars.csusm.edu>
Date: Sun, Dec 1, 2013 at 5:43 PM
Subject: Do not ignore this message
To:


Attention,

An attempt has been made to login from a new computer. For security purposes, we are poised to open a query. Please click here to verify your login details. <http://www.muangthai.com/agoda/GroupWise/NovellGroupWise.htm>
Do not ignore this message.
ITS Helpdesk



Upon "login" the form redirects the victim to https://idefix.rz.uni-landau.de/gw/webacc, which is a legitimate webmail site for the University of Koblenz-Landau