Thursday, April 16, 2015

Scanned Image from a Xerox WorkCentre (Virus)

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: ***
Number of Images: 4
Attachment File Type: ZIP [PDF]
File Name: Scan001_1257165_041.zip

WorkCentre Pro Location: Machine location not set
Device Name: ***.com

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Email analysis :

NOTE : teg5@qmail.org
NOTE : Xerox.437@***
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Received : from 70.43.79.186.nw.nuvox.net (70.43.79.186)


File analysis :

ALYac : Trojan.GenericKD.2294006
AVG : Crypt4.NUT
AVware : Win32.Malware!Drop
Ad-Aware : Trojan.GenericKD.2294006
Antiy-AVL : Trojan[Downloader]/Win32.Upatre
Avast : Win32:Trojan-gen
Avira : TR/Crypt.Xpack.186216
Baidu-International : Trojan.Win32.Upatre.vxw
BitDefender : Trojan.GenericKD.2294006
CAT-QuickHeal : TrojanDownloader.Upatre.r5
CMC : Packed.Win32.Obfuscated.10!O
Cyren : W32/Trojan.IYUD-8977
DrWeb : Trojan.DownLoader12.60119
ESET-NOD32 : Win32/TrojanDownloader.Waski.F
Emsisoft : Trojan.GenericKD.2294006 (B)
F-Prot : W32/Trojan3.OVQ
F-Secure : Trojan.GenericKD.2294006
Fortinet : W32/Waski.F!tr.dldr
GData : Trojan.GenericKD.2294006
Ikarus : Trojan-Downloader.Win32.Waski
K7AntiVirus : Trojan-Downloader ( 0049d22b1 )
K7GW : Trojan-Downloader ( 0049d22b1 )
Kaspersky : Trojan-Downloader.Win32.Upatre.vxw
Malwarebytes : Trojan.Upatre.Gen
McAfee : RDN/Generic.bfr!ih
McAfee-GW-Edition : RDN/Generic.bfr!ih
MicroWorld-eScan : Trojan.GenericKD.2294006
Microsoft : TrojanDownloader:Win32/Upatre.BC
NANO-Antivirus : Trojan.Win32.Upatre.dqmduh
Norman : Troj_Generic_2.A
Qihoo-360 : HEUR/QVM19.1.Malware.Gen
Sophos : Mal/Upatre-R
Symantec : Downloader.Upatre
Tencent : Win32.Trojan.Downloader-pdf.Auto
TrendMicro : TROJ_UPATRE.CUB
TrendMicro-HouseCall : Suspicious_GEN.F47V0413
VIPRE : Win32.Malware!Drop
ViRobot : Trojan.Win32.Agent.45568.JQ[h]
Zillya : Downloader.Upatre.Win32.22072
nProtect : Trojan.GenericKD.2294006
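Every vendor above that assigns a family name agrees on Upatre (ESET and Fortinet call the same family Waski), a Win32 downloader, so the "PDF" inside Scan001_1257165_041.zip is a Windows executable, not a scanned image. The script below is an added example, not code from this blog, that applies that check to a ZIP attachment: it classifies each member by its leading bytes instead of its name, flags double extensions such as .pdf.exe, and records a SHA-256 for a VirusTotal or sandbox lookup. The archive it inspects is constructed in memory from a harmless MZ stub and a minimal PDF; it is not the real sample, and the member names are only modelled on the lure.

```python
import hashlib
import io
import zipfile

# Leading bytes that identify what a member really is, regardless of its name.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",            # Windows executable (EXE/SCR/DLL); what Upatre actually ships
    b"PK\x03\x04": "zip",   # nested archive
}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
DOC_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt")


def sniff(head: bytes) -> str:
    """Classify a member by its magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_zip(blob: bytes) -> list:
    """Describe every member of a ZIP attachment: claimed type, real type, and the classic tells."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            lower = info.filename.lower()
            stem, sep, last_ext = lower.rpartition(".")
            actual = sniff(data[:8])
            findings.append({
                "name": info.filename,
                "claimed": last_ext if sep else "",
                "actual": actual,
                # "Scan001.pdf.exe": the part before the real extension still ends in a document suffix
                "double_ext": stem.endswith(DOC_SUFFIXES),
                "executable": actual == "pe" or lower.endswith(EXEC_SUFFIXES),
                "sha256": hashlib.sha256(data).hexdigest(),   # for a VirusTotal / sandbox lookup
            })
    return findings


def verdict(findings: list) -> str:
    """'malicious' for any executable or double extension, 'suspicious' for a PDF that is not a PDF."""
    if any(f["executable"] or f["double_ext"] for f in findings):
        return "malicious"
    if any(f["claimed"] == "pdf" and f["actual"] != "pdf" for f in findings):
        return "suspicious"
    return "clean"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed stand-in for the lure's ZIP: a harmless MZ stub named like a scan, next to a real PDF."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed stub, not a program\r\n"
    tiny_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    return make_zip({
        "Scan001_1257165_041.pdf.exe": fake_pe,   # what the lure really carries
        "Scan002.pdf": tiny_pdf,                  # what the lure claims to carry
    })


if __name__ == "__main__":
    results = triage_zip(build_sample())
    for r in results:
        print(f"{r['name']:30} claimed={r['claimed']:4} actual={r['actual']:8} "
              f"double_ext={r['double_ext']!s:5} executable={r['executable']}")
    print("verdict:", verdict(results))
```

The point of reading the magic bytes first is that Windows hides known extensions by default, so "Scan001_1257165_041.pdf.exe" shows up as "Scan001_1257165_041.pdf" in Explorer; a triage rule keyed only on the visible name would pass it.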

ATTENTION PLEASE!!!!! (Diplomatic Scam)

FROM :

DIPLOMATIC AGENT I am a Diplomat named Mr. James Morgan, mandated to deliver your inheritance to you in your country of residence. The funds total US$7.5 Million and you were made the beneficiary of these funds by a benefactor whose details will be revealed to you after handing over the funds to you in accordance with the Agreement I signed with the benefactor when he enlisted my assistance in delivering the funds to you. I am presently at JFK Airport in the United States of America and before I can deliver the funds to you, you have to reconfirm the following information so as to ensure that I am dealing with the right person.

1.Full Name................
2.Residential Address ...............
3.Age ................................
4.Occupation ......................
5.Direct Telephone Numbers

After verification of the information with what I have on file, I shall contact you so that we can make arrangements on the exact time I will be bringing your package to your residential address. Send the requested information so that we can proceed.

Regards

Mr James Morgan

Email analysis :

NOTE : jm_morgan11@yahoo.com
NOTE : dejanz@eltosan.rs
NOTE : Received : from unknown (HELO EXCHANGE2010.eltosan.local) (212.200.54.100)
NOTE : Received : from User (197.228.213.211) by EXCHANGE2010.eltosan.local (192.168.2.203)

RE: AN INVESTMENT OPPORTUNITY. (Investment Scam)

Dear Friend,

AN INVESTMENT OPPORTUNITY.

I hope this email finds you in good health. I'm Dr. Donald Adams, originally from the Fiji Islands, but I am presently in Afghanistan as an expert doctor of medicine. On the 12th of April 2014 my wife and I were approached by a British Soldier, Warrant Officer Faulkner Spencer, who handed a box full of cash totaling TWENTY-TWO MILLION EIGHT HUNDRED THOUSAND UNITED STATES DOLLARS ONLY {$22,800,000.00} to me and my wife for safe keeping and begged us never to disclose this to anyone. Unfortunately, exactly two weeks later news reached us that he had an accident and died in a helicopter crash in Takhta Pul District, Afghanistan.

Kindly view the link below for confirmation:

http://www.bbc.com/news/uk-10629358

My wife and I want to use this opportunity to seek your assistance to help us repatriate this fund to your country for investment purposes because the fund is not safe here and we can no longer hold on to this fund since Officer Faulkner is no more, and we are willing to compensate you with 35% of the total sum for your help.

We will be very grateful if our proposal is considered and given the urgent attention it deserves. These are our private e-mails:

donadams223@gmail.com

Sincerely,

Dr. Donald Adams.

Email analysis :

NOTE : donadams2233@gmail.com
NOTE : no_reply@delta.net.id
NOTE : Received : from mail.shponder.co.il ([81.218.175.83]:21099 helo=User)
NOTE : by webhosting.delta.net.id with esmtpa (Exim 4.85)
NOTE : (envelope-from <no_reply@delta.net.id>)
NOTE : X-Get-Message-Sender-Via : webhosting.delta.net.id:
NOTE : authenticated_id: dedy/only user confirmed/virtual account not confirmed

VIEW THE ATTACHED FILE YOUR DRAFT SCAN COPY. (JP Morgan Chase Bank Scam)

DEAR BENEFICIARY,

I AM REV. DR. JOHN H. WILLIAMS, THE AUDITOR GENERAL OF THE FEDERAL REPUBLIC OF NIGERIA, AND I WISH TO KNOW IF YOU HAVE RECEIVED THE SCAN COPY OF YOUR CERTIFIED BANK DRAFT IN THE AMOUNT OF $10.5M USD WHICH I SENT TO YOUR EMAIL ADDRESS YESTERDAY, AND THIS APPROVED DRAFT INCLUDES YOUR FUND INTEREST AMOUNT FOR THIS YEARS AWAITING, SO CALL ME NOW TO CONFIRM IT OKAY: +234-818-696-1788.

NOTE THAT WE ARE PAYING YOU THROUGH OUR OIL RESERVE BANK ACCOUNT WITH THE JP MORGAN CHASE BANK NEW YORK,USA AND THEY WILL CREDIT YOUR FUND ONCE YOU HAVE THE ORIGINAL CERTIFIED BANK DRAFT HARD COPY AND DEPOSIT IT TO ANY BANK OF YOUR CHOICE IN THE WORLD.

YOU ARE HEREBY ADVISED TO TAKE THE SCAN COPY OF YOUR CERTIFIED BANK DRAFT TO YOUR LOCAL BANK AND CONFIRM IT BEFORE WE CAN SEND YOU THE ORIGINAL HARD COPY, OR YOU CAN COME DOWN FOR THE COLLECTION HERE OKAY.

I AWAIT TO HEAR FROM YOU SOONEST.

YOURS,

REV. DR. JOHN H. WILLIAMS.

Email analysis :

NOTE : revdrjohnwilliams@yahoo.com.tw
NOTE : X-Get-Message-Sender-Via : vps.khawndi.com: authenticated_id: sales@quatro-co.com
NOTE : admin@ovh.net
NOTE : Received : from [37.1.31.60] (port=33596 helo=User) by vps.khawndi.com
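The four "Email analysis" sections above all come down to the same header work: read the Received chain from the bottom up to find the originating IP (skipping private addresses such as 192.168.2.203), note a generic HELO such as "User" that names a PC rather than a mail server, compare the Reply-To with the From, and recognise an Exim relay that accepted the mail "with esmtpa", i.e. from an authenticated account, which is what the X-Get-Message-Sender-Via line records. As an added example that is not part of this post, here is that procedure in Python, run against a constructed message modelled on the investment-scam case: the bottom Received line, the X-Get-Message-Sender-Via line and the two addresses mirror the page, while the top Received line, the recipient victim@example.com, the host mx.example.com, the address 203.0.113.5 and the dates are invented. parse_hop also understands the Exchange and qmail-style lines quoted in the diplomatic-scam analysis.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the "investment opportunity" case above: a 419
# relayed through a legitimate web host after the sender authenticated to it.
# The top Received line, recipient, relay host and dates are invented; the bottom
# Received line and the X-Get-Message-Sender-Via line mirror the page.
RAW = "\n".join([
    "Return-Path: <no_reply@delta.net.id>",
    "Received: from webhosting.delta.net.id (webhosting.delta.net.id [203.0.113.5])",
    "\tby mx.example.com with esmtps; Thu, 16 Apr 2015 03:14:07 +0000",
    "Received: from mail.shponder.co.il ([81.218.175.83]:21099 helo=User)",
    "\tby webhosting.delta.net.id with esmtpa (Exim 4.85)",
    "\t(envelope-from <no_reply@delta.net.id>)",
    "\tfor victim@example.com; Thu, 16 Apr 2015 10:13:55 +0700",
    "X-Get-Message-Sender-Via: webhosting.delta.net.id: authenticated_id: "
    "dedy/only user confirmed/virtual account not confirmed",
    'From: "Dr. Donald Adams" <no_reply@delta.net.id>',
    "Reply-To: donadams2233@gmail.com",
    "To: victim@example.com",
    "Subject: RE: AN INVESTMENT OPPORTUNITY.",
    "",
    "Dear Friend,",
    "",
])

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HELO_RE = re.compile(r"helo[=\s]+([^\s)]+)", re.I)   # "helo=User" (Exim) or "(HELO host)" (qmail)
AUTH_RE = re.compile(r"\bwith\s+esmtps?a\b", re.I)   # Exim ESMTPA/ESMTPSA = authenticated submission


def parse_hop(value: str) -> dict:
    """Pull the sender-side facts out of one Received header value."""
    value = " ".join(value.split())                    # unfold continuation lines
    from_part, _, rest = value.partition(" by ")
    ips = IPV4_RE.findall(from_part)
    public = [ip for ip in ips if ipaddress.ip_address(ip).is_global]
    helo = HELO_RE.search(from_part)
    return {
        "from": from_part.split()[1] if from_part.startswith("from ") else "",
        "by": rest.split()[0] if rest else "",
        "public_ip": public[0] if public else None,   # drops 192.168.x.x and similar
        "helo": helo.group(1) if helo else None,
        "authenticated": AUTH_RE.search(value) is not None,
    }


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [parse_hop(str(h)) for h in msg.get_all("Received", [])]
    # Each relay prepends its own Received line, so the last one is the hop closest
    # to the sender; the first public IP walking up from there is the origin.
    origin = next((h for h in reversed(hops) if h["public_ip"]), None)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    via = str(msg.get("X-Get-Message-Sender-Via", ""))
    auth_id = via.split("authenticated_id:", 1)[1].strip() if "authenticated_id:" in via else None

    flags = []
    claimed = (origin or {}).get("helo") or (origin or {}).get("from")
    if claimed and ("." not in claimed or claimed.lower() in {"user", "localhost"}):
        flags.append("generic-helo")          # a PC host name, not a mail server
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append("reply-to-mismatch")     # replies go to a free-mail drop box
    if origin and origin["authenticated"]:
        flags.append("authenticated-relay")   # sent with abused credentials on the relay

    return {
        "origin_ip": origin["public_ip"] if origin else None,
        "origin_helo": claimed,
        "relay": origin["by"] if origin else None,
        "authenticated_id": auth_id,
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "flags": flags,
    }


if __name__ == "__main__":
    for key, val in analyse(RAW).items():
        print(f"{key:18} {val}")
```

The "authenticated-relay" flag matters for response: the relay (webhosting.delta.net.id, or vps.khawndi.com in the bank-draft case) is not an open relay to be blocklisted wholesale; one of its customer accounts (dedy, sales@quatro-co.com) has been taken over, and that is what the abuse report should say.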