[AusNOG] Greeting Card spam run potentially targeting Germany, Australia and England

matthew at auscert.org.au matthew at auscert.org.au
Fri Aug 11 16:45:06 EST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings all,

Apologies if you have already heard of or seen this before but we have
seen a few spam runs targeting not only, it seems, Australia but Germany
(de) and England (en):

Wed 09 2006 AUSCERT#2006687ae greeting-e-cards. net/de/

    * http://greeting-e-cards. net/de/ecard_recipient.html
    * and also exists but not seen spammed: /au/ and /en/

Thu 10 2006 AUSCERT#2006fc212 greeting-ecards. net/au/

    * http://greeting-ecards. net/au/ecard_recipient.html
    * and also exists but not seen spammed: /de/ and /en/
    * This seemed to be a fairly large run here in Australia

Fri 11 2006 AUSCERT#2006c34ee greeting-ecards. org/en/

    * http://greeting-ecards. org/en/ecard_recipient.html
    * and also exists but not seen spammed: /de/ and /au/

For all sites:

    * /en/ecard_recipient.html
          o /en/ecard_recipient_err.htm
          o <iframe width=0 height=0 src="flashplayer/install_flash_player.exe"></iframe>
          o /en/flashplayer/install_flash_player.exe
          o MD5 77ff2b14c40d4b230f57e8d905ff487e
    * /au/ecard_recipient.html
          o /au/ecard_recipient_err.htm
          o <iframe width=0 height=0 src="flashplayer/install_flash_player.exe"></iframe>
          o /au/flashplayer/install_flash_player.exe
          o MD5 1e2eef9a4925f735d72840b06dd9ce99
    * /de/ecard_recipient.html
          o /de/ecard_recipient_err.htm
          o <iframe width=0 height=0 src="flashplayer/install_flash_player.exe"></iframe>
          o /de/flashplayer/install_flash_player.exe
          o MD5 4f92076f18afe7f2c793bd6a3883e2ea

Passive dns:

Query: ns1.rimdns. net

greeting-ecards. org     NS    ns1.rimdns. net
greeting-e-cards. net    NS    ns1.rimdns. net
greeting-ecards. net     NS    ns1.rimdns. net
rimdns. net              NS    ns1.rimdns. net
ns1.rimdns. net          A     218.23.229.237
ns1.rimdns. net          A     218.94.136.28
ns1.rimdns. net          A     58.102.73.2

Query: 58.102.73.2

nsd9.serverbackup64. com A    58.102.73.2 
nsd8.sunnuporno. com     A    58.102.73.2
nsd7.paypal-1st. com     A    58.102.73.2
ns1.kesadug. in          A    58.102.73.2
ns1.demon7. info         A    58.102.73.2
ns1.lasord. info         A    58.102.73.2
ns1.utrizen. info   	A    58.102.73.2
nsw1.duoxao. info   	A    58.102.73.2
ns1.irgozy. info         A    58.102.73.2
ns1.rafidns2k. net   	A    58.102.73.2
ns3.rafidns2k. net   	A    58.102.73.2
nsw1.barahlo. net   	A    58.102.73.2
ns1.nakias. net          A    58.102.73.2
ns1.rimdns. net          A    58.102.73.2
ns1.osorgu. biz          A    58.102.73.2

Looks like the rock gang perhaps?

- --SAMPLE EMAILS--
AUSCERT#2006687ae greeting-e-cards.net

Subject: Sie haben eine Grusskarte bekommen.
From: "Info" <no_replyKirchner at greeting-cards.com>
Date: Mon, 07 Aug 2006 22:11:42 +0900
To: auscert at auscert.org.au

Hallo,

Sie haben eine Grusskarte bekommen,klicken Sie auf dem unten stehenenden Link, 
um Ihre Karte abzuholen.  Drucken Sie hier venerable Shintoize Procyon nanostores 
receiver

Note: 
Do not reply to this e-mail, it will be sent to "greeting cards". 

AUSCERT#2006fc212 greeting-ecards.net

Subject: You've got an "e-card" at 'greeting-cards'
From: "Judgment C. Lithographer" <michelle_no_replay at greeting-cards.com>
Date: Wed, 09 Aug 2006 22:36:41 -0700 (Thu 15:36 EST)
To: Auscert <auscert at auscert.org.au>

Dear recipient.
Sender at Michelle sent you an "e-card"
"Here's the Rub" from 'greeting-cards'.
To see your card, click here

This "ecard" will be stored for one week, so
print or save the card as soon as possible.
Hope you enjoy our "e-cards". Spread the love and send one of our "e-cards".

Brought to you by 'greeting cards' - a better way to greet.  

AUSCERT#2006c34ee greeting-ecards.org

Subject: You've got an e-card at "greeting-cards"
From: "Toolkit Q. Effulgent" <no_reply at greeting-cards.com>
Date: Fri, 11 Aug 2006 19:15:56 -0700 (Sat 12:15 EST)
To: Auscert <auscert at auscert.org>

Dear recipient !
Sender at 'Nikol' sent you an "e-card"
"Here's the Rub" from 'greeting-cards'.
Click_here_to_view_the_"e-card".
This "ecard" will be stored for one week, so
print or save the card as soon as possible.
Hope you enjoy our "e-cards"! Spread the love and send one of our "e-cards"!
Brought to you by 'greeting cards' - a better way to greet!
- --SAMPLE EMAILS--

Detects variously as Hanlo or Haxdoor.  Hope this is of some use.  Any
feedback appreciated.

Best regards,

- -- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRNwncSh9+71yA2DNAQIovwP/Z2kMI4x1UKeFGGS8eR54GO1QscJ7dJxJ
HMR3vpcqiJ2gRgQWJ4uCzK7GXZRWH0bqHRifvMkn5vfK8zWFafW9CKkJMxJ09sSy
VPsUZouAKIbrXvAUa11mYta8op+tK3yiinSopdBVW/LDA+9eUFcjmlrsHicVYINK
vPdlEC4mnPA=
=No2q
-----END PGP SIGNATURE-----

More information about the AusNOG mailing list