This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message (linked in the original)
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg. Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
Subject: You received a new message from Skype voicemail service
This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message in the attached file.
S 2003-2013 Skype and/or Microsoft. The Skype name, associated trademarks and logos and the “S” logo are trademarks of Skype or related entities. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg.
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg. Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
MSG-88494HA29.zip (67)
Malware Link Version:
Subject: You received a new message from Skype voicemail service
This is an automated email, please don't reply.
Voice Message Notification
You received a new message from Skype voicemail service.
Message Details:
Time of Call: 17 Dec 2013 10:20:24 -0400
Length of Call: 38sec
Listen to the message
2003-2011 Skype Limited. Skype Communications S.a.r.l. 23-29 Rives de Clausen, L-2165 Luxembourg. Skype, associated trademarks and logos and the "S" symbol are trademarks of Skype Limited.
Header Examples:
Spoofs gmail and yahoo email addresses.

Received: from gateway.flycommunications.net [92.63.232.1]
X-Envelope-From: reconfiguredf51 @gmail.com
From: "Skype Communications" <reconfiguredf51 @gmail.com>
Subject: You received a new message from Skype voicemail service

Received: from bzq-79-176-166-233.red.bezeqint.net [79.176.166.233]
X-Envelope-From: nayspiv26 @yahoo.com
Subject: You received a new message from Skype voicemail service
From: "Skype Communications" <nayspiv26 @yahoo.com>

Received: from 50-201-219-238-static.hfc.comcastbusiness.net [50.201.219.238]
X-Envelope-From: test @yahoo.com
From: "Skype Communications" <test @yahoo.com>
Subject: You received a new message from Skype voicemail service

Received: from static.kpn.net [92.71.231.114]
X-Envelope-From: penancinghm51 @yahoo.com
From: "Skype Communications" <penancinghm51 @yahoo.com>
Subject: You received a new message from Skype voicemail service

Received: from rrcs-24-123-68-90.central.biz.rr.com [24.123.68.90]
X-Envelope-From: commiseratess18 @yahoo.com
From: "Skype Communications" <commiseratess18 @yahoo.com>
Subject: You received a new message from Skype voicemail service
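The header samples above all share one pattern that a mail gateway can check cheaply: the From display name claims "Skype Communications" while both the From address and X-Envelope-From sit on a free webmail domain. The following is an added example (not code from the original page or from any vendor) that parses raw header blocks with Python's standard `email` module and reports that mismatch. The sample header blocks are constructed from the samples on this page with the defanging spaces removed; the brand-owned and freemail domain sets are assumptions for the example, not an authoritative list.

```python
"""Flag brand-spoofing notification mail from its headers.

Added example, not part of the original page. The header samples are
constructed from the page's header listings; the domain sets below are
assumptions and would come from your own allow-lists in production.
"""
from email import message_from_string
from email.utils import parseaddr

# ASSUMPTION: domains the brand is allowed to send from (example values).
LEGIT_BRAND_DOMAINS = {"skype.com", "skype.net"}
# ASSUMPTION: free webmail domains that a brand notification would not use.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed from the page's first header sample (defanging spaces removed).
SAMPLE_SPOOF = """Received: from gateway.flycommunications.net [92.63.232.1]
X-Envelope-From: reconfiguredf51@gmail.com
From: "Skype Communications" <reconfiguredf51@gmail.com>
Subject: You received a new message from Skype voicemail service

"""

# Constructed control case with an assumed brand-owned sender domain.
SAMPLE_BENIGN = """Received: from mail.example.invalid [192.0.2.10]
X-Envelope-From: notifications@skype.com
From: "Skype Communications" <notifications@skype.com>
Subject: You received a new message from Skype voicemail service

"""


def sender_domain(header_value):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_brand_spoof(raw_headers, brand="skype"):
    """Return a list of findings (empty list means nothing suspicious).

    Findings are raised when the From display name mentions the brand but the
    From address is not on a brand-owned domain, when the envelope sender
    domain differs from the From domain, and when either is a freemail domain.
    """
    msg = message_from_string(raw_headers)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From"))
    env_dom = sender_domain(msg.get("X-Envelope-From"))

    findings = []
    if brand in display_name.lower() and from_dom not in LEGIT_BRAND_DOMAINS:
        findings.append(
            f"display name claims {brand!r} but From domain is {from_dom!r}"
        )
    if env_dom and env_dom != from_dom:
        findings.append(
            f"envelope sender domain {env_dom!r} differs from From domain {from_dom!r}"
        )
    if from_dom in FREEMAIL_DOMAINS or env_dom in FREEMAIL_DOMAINS:
        findings.append("sender address uses a free webmail domain")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)):
        print(label, check_brand_spoof(sample) or ["no findings"])
```

The check deliberately keys on the display name rather than the Subject, because the Subject is identical in every sample and on genuine notifications; the display-name versus address-domain mismatch is what distinguishes this campaign's mail from a real notification.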
Attachment / Link Samples:
18 December 2013 (Attachment type)
MSG-88494HA29.zip containing MSG-88494HA29.exe

VirusTotal report:
Avast Win32:Dropper-gen [Drp]
ESET-NOD32 Win32/TrojanDownloader.Wauchos.X
F-Prot W32/Trojan3.GVE
Commtouch W32/Trojan.EQAE-3652
TrendMicro TSPY_ZBOT.OBY
DrWeb Trojan.Inject2.23
Sophos Troj/Agent-AFDT
Kaspersky Backdoor.Win32.Androm.bjpn
Symantec Backdoor.Trojan

Malwr.com report:
Installs itself for autorun at Windows startup

File-Analyzer.net report:
Networking
Contains functionality to download additional files from the internet
Urls found in memory or binary data
Downloads files from webservers via HTTP
Found strings which match to known social media urls
Performs DNS lookups
Posts data to webserver
finley.su /new2 /gate.php <-- is this a Zeus/Pony variant?
berges-saint-germain.com /UPC.exe
finley.su /s1.mod
81.177.170.217 /rk.mod
Boot Survival
Stealing of Sensitive Information
Data Obfuscation
HIPS / PFW / Operating System Protection Evasion
Anti Debugging
Virtual Machine Detection
AV process strings found
avp.exe
domains:
massfloor.ru 5.79.83.20
finley.su 178.160.144.227
berges-saint-germain.com 213.186.33.40
ips:
213.186.33.40 France
195.186.1.121 Switzerland
5.79.83.20 Netherlands
157.56.77.158 United States
195.186.4.121 Switzerland
81.177.170.217 Russian Federation
178.160.144.227 Armenia
19 February 2014 (Link type)
Emails come with a series of links like:
frms.myzen.co.uk /1.html
hargreavesfurniture.co.uk /1.html
troytempest.com /1.html
myjanespa.com /1.html
honeybass.com /1.html
thehomelanddevelopers.com /1.html
gotohongkongspa.com /1.html
glashow-md.com /1.html
armormetalroofing.com /1.html
www.accentjamie.com /1.html
aquahousehibachi.com /1.html
tinysgardenspa.com /1.html
koolitz.com /1.html
pcdresale.com /1.html
theviewoman.com /1.html
walkerstribeca.com /1.html
mojosdeli.com /1.html
hillsideglass.co.za /1.html
ns228746.ovh.net /~laboitea /1.html
suntannailnyc.com /1.html
footfunflushing.com /1.html
sumofl.com /1.html
kosheryamasushi.us /1.html
christmas-goose.co.uk /1.html
aipn.it /1.html
munnarblooms.com /1.html
penplacer.com /1.html
goldroyalties.ca /1.html
www.minka.co.uk /~mnk-ftp /1.html
chinafun88.com /1.html
afflatusgravure.com /1.html
teakoprime.com /1.html
varadacreation.com /1.html
www.seoservicesindia.co /1.html
misaghbikes.ir /1.html
nuknfuts.aisites.com /1.html
mocha7003.mochahost.com /~msimecek /1.html
thericerestaurant.com /1.html
saladshackny.com /1.html
globalstudieschina.com /1.html
nyuslawyers.com /1.html
napolisfrisco.com /1.html
mocha7003.mochahost.com /~hypno /1.html
neseastudentdesigncompetition.org /1.html
cartes-d-affaire.com /1.html
allanteske.com /1.html
partyplancatering.com /1.html
masande.ie /1.html
www.svnhatta.com /1.html
vweb6.manufacture.com.tw /~chanlong /1.html
cmfoodny.com /1.html
malarstwodmw.artist.pl /1.html
go3gift.com /1.html
airportchapel.co.za /1.html
vssportsnetwork.com /1.html
ixora.mschosting.com /~stableco /1.html
kathsimages.co.za /1.html
ajrelax.com /1.html
mocha7003.mochahost.com /~hypnothe /1.html
kaszubyranczo.w.interia.pl /1.html
fashionmassagenorcross.com /1.html
pinpointmedia.tv /1.html
industrial-in.com /1.html
peculiarpresents.co.uk /1.html
newworldinvestor.com /1.html
www.counteract.talktalk.net /1.html
froyocafegardner.com /1.html
hhs1973.com /1.html
theaxiomproject.com /1.html

Each landing page tries to load two or so JavaScript files (with .txt file extensions) like...
merdekapalace.com /1.txt
www.shivammehta.com /1.txt

Which will try to redirect to some malware site like...
p22473.typo3server.info /9 /jsanalyzer.aspx
nedapardaz.com /theme /it /browser /_lzf_.php
merkabahcentro.com /xmlbrowser.aspx
You received a new message from Skype voicemail service - Virus