Fwd: Scan from a Hewlett-Packard ScanJet #468974

We analyzed the following malicious URLs used in the HP Scan spam campaign:


The malicious page contained three JavaScript files, as shown below.


Eventually these malicious scripts redirect the victim to a Blackhole exploit kit at hxxp://

The Blackhole kit first drops Pony from the following location:

File: about.exe
MD5: 9b196853650fcb8ac182be05b627f07c
Size: 110,688 bytes

The Pony downloader posts to its dropzone at It was also configured to download four identical Gameover Zeus payloads from the following locations:

1. hxxp://power-tec.sk/D8aoPu86/XPVqAGE.exe
2. hxxp://synergieassurance.com/AnJVfWxx/aFa.exe
3. hxxp://20272.w72.wedos.net/w7y74z3H/Hzt.exe
4. hxxp://electrosa.com/8zvW2XE.exe

Gameover was installed in %APPDATA%\Ociw\ilji.exe

MD5: 80bd579d484ac4742b75952fb1a2d694
Size: 274,016 bytes
Timestamp: 2010:11:03 04:51:09+01:00
Signature: This file is digitally signed by ‘tNzquyHloA4n3FFctsvudWw7x’
Certificate Validity: 04/24/2012 to 01/01/2040

This Gameover Zeus variant posts to a dropzone at Webinjects were downloaded from The Gameover variant had a botid of “MF222a24” and a cid of “3005”.

