
Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment, used in the Xerox Scanned Image themed spam campaign of February 14, 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_02-13-2013-245.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://www.adobe.com/

File: Scan_02-13-2013_245.zip
MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

The Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download three Gameover Zeus payloads from the following locations:
1. hxxp://www.inaji.jp/5Ncs.exe
2. hxxp://w6050v1kc.homepage.t-online.de/KYrngX.exe
3. hxxp://socialighter.co.za/3N0k.exe
Gameover installs itself as %APPDATA%\Iriwb\tuoqf.exe and has the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at 66.229.110.89:28898. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “dotf14”.
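As an added example (not code from the original post), the following Python checker runs the network indicators named above (Pony dropzone, payload URLs, Gameover C2 and webinject endpoints) over proxy log lines; the log format, the sample traffic and the function names are assumptions made for the example.

```python
# Flag proxy log lines that match the Pony / Gameover Zeus network indicators
# from the analysis above. Log format and sample lines are constructed.
import re
from typing import NamedTuple, Optional

# Indicators from the analysis: Pony dropzone, payload URLs, Gameover endpoints.
PONY_DROPZONE = ("88.190.210.199", "/ponyb/gate.php")
PAYLOAD_URLS = {("www.inaji.jp", "/5Ncs.exe"),
                ("w6050v1kc.homepage.t-online.de", "/KYrngX.exe"),
                ("socialighter.co.za", "/3N0k.exe")}
GAMEOVER_ENDPOINTS = {("66.229.110.89", 28898): "gameover-c2",
                      ("174.110.150.207", 23173): "gameover-webinjects"}

# Constructed log format: "<ts> <src_ip> <METHOD> <host>:<port> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) ([^:\s]+):(\d+) (\S+)$")
class Hit(NamedTuple):
    src: str
    dst: str
    reason: str

def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a line matching an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than abort the scan
    _ts, src, method, host, port, path = m.groups()
    port = int(port)
    if method == "POST" and (host, path) == PONY_DROPZONE:
        return Hit(src, f"{host}:{port}{path}", "pony-dropzone")
    if (host, path) in PAYLOAD_URLS:
        return Hit(src, f"{host}:{port}{path}", "gameover-payload-download")
    if (host, port) in GAMEOVER_ENDPOINTS:
        return Hit(src, f"{host}:{port}", GAMEOVER_ENDPOINTS[(host, port)])
    return None

def scan(lines):
    """Classify every line; return the hits in log order."""
    return [h for h in map(classify, lines) if h]
# Constructed sample traffic: one infected host (10.0.0.5) plus benign browsing.
SAMPLE_LOG = [
    "2013-02-14T09:01:02 10.0.0.5 POST 88.190.210.199:80 /ponyb/gate.php",
    "2013-02-14T09:01:10 10.0.0.5 GET www.inaji.jp:80 /5Ncs.exe",
    "2013-02-14T09:02:30 10.0.0.5 CONNECT 66.229.110.89:28898 -",
    "2013-02-14T09:03:00 10.0.0.7 GET www.example.com:443 /",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on host plus path (rather than host alone) keeps the payload hosts, which are compromised legitimate sites, from flagging unrelated traffic to them.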

The following P2P drones were found embedded inside the Gameover Zeus payload:


Help Us Help You

We started this blog as a public service. We wanted to provide Internet users with actionable information on prevalent spam and malware distribution campaigns. We hope that to date we have provided useful information and enabled users to protect themselves from various threats.

We don't have access to any spam traps. We've patiently hunted down every spam sample analyzed on this blog. Hunting spam samples takes time and energy … Time and energy that we would rather invest in analysis.

You, our readers, can help us out by sending your spam to spamalysis@gmail.com. We’ll do our best to provide timely analysis of samples sent our way.