Category Archives: Admin

Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment, used in the Xerox Scanned Image themed spam campaign of February 14, 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name:
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://

MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

The Pony downloader posts to its dropzone at hxxp:// It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://
2. hxxp://
3. hxxp://
Gameover installs itself to %APPDATA%\Iriwb\tuoqf.exe and had the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at Webinjects were downloaded from The Gameover variant had a botid of “dotf14”.

The following P2P drones were found embedded inside the Gameover Zeus payload:
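The two hashes and the install path above are the indicators a defender can actually sweep for on a host. The script below is an added example, not code from the original post: it hashes every file under an AppData-style tree, flags the two MD5s quoted here, and flags files matching the %APPDATA%\Iriwb\tuoqf.exe layout. The regex that generalises that single path and the demo directory tree are my assumptions.

```python
import hashlib
import os
import re
import tempfile

# The two MD5s quoted in the post.
KNOWN_MD5 = {
    "2688370c5fd8bc197141a55d43883ad4": "Pony downloader (attachment)",
    "cd08cfedf5033ce7b18a0e1be4d23501": "Gameover Zeus payload (tuoqf.exe)",
}
# Gameover installed to %APPDATA%\Iriwb\tuoqf.exe: a short random-looking directory
# under the profile root holding a lone .exe.  Assumption: this regex generalises
# that single sample, so treat it as a hunting heuristic, not a signature.
DROP_PATTERN = re.compile(r"^[A-Za-z]{4,8}[\\/][a-z]{4,8}\.exe$")


def md5_of(path, chunk=65536):
    """Hash a file in fixed-size chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(appdata_root):
    """Walk an AppData tree; return (relative path, md5, reason) for each hit."""
    hits = []
    for dirpath, _, files in os.walk(appdata_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, appdata_root)
            digest = md5_of(full)
            if digest in KNOWN_MD5:
                hits.append((rel, digest, "known hash: " + KNOWN_MD5[digest]))
            elif DROP_PATTERN.match(rel):
                hits.append((rel, digest, "Gameover-style install path, unknown hash"))
    return hits


def demo():
    """Build a constructed AppData tree (no real malware inside) and sweep it."""
    root = tempfile.mkdtemp(prefix="appdata_")
    os.makedirs(os.path.join(root, "Iriwb"))
    os.makedirs(os.path.join(root, "Microsoft", "Windows"))
    with open(os.path.join(root, "Iriwb", "tuoqf.exe"), "wb") as fh:
        fh.write(b"abc")  # stand-in bytes, not the real payload
    with open(os.path.join(root, "Microsoft", "Windows", "cache.dat"), "wb") as fh:
        fh.write(b"harmless")
    return sweep(root)
```

On a real host, point `sweep()` at the user's %APPDATA% directory; a path-pattern hit with an unknown hash is a lead to triage, not a verdict.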


Help Us Help You

We started this blog as a public service. We wanted to provide Internet users with actionable information on prevalent spam and malware distribution campaigns. We hope that to date we have provided useful information and enabled users to protect themselves from various threats.

We don't have access to any spam traps. We've patiently hunted down every spam sample analyzed on this blog. Hunting spam samples takes time and energy … time and energy that we would rather invest in analysis.

You, our readers, can help us out by sending your spam to We’ll do our best to provide timely analysis of samples sent our way.