Thursday, August 27, 2015

Indebtedness for driving on toll road #000948265 (Virus)

Notice to Appear,

You have not paid for driving on a toll road.
You are kindly asked to pay your debt as soon as possible.

The copy of the invoice is attached to this email.

Sincerely,
Thomas Gorman,
E-ZPass Agent.

E-ZPass_Invoice_000948265.zip

File analysis :

OPEN FILE : E-ZPass_Invoice_000948265.zip
RESULT : FILE IS A VIRUS

Virus analysis :

SHA256 : 5ec5b13bbf1d2a2179168acfaec53da59afa6b8ca480930e1b56d996b51dd140
ALYac : JS:Trojan.JS.Downloader.AN
AVG : JS/Downloader.Agent
AVware : Malware.JS.Generic (JS)
Ad-Aware : JS:Trojan.JS.Downloader.AN
Arcabit : JS:Trojan.JS.Downloader.AN
Avast : JS:Agent-DOB [Trj]
BitDefender : JS:Trojan.JS.Downloader.AN
CAT-QuickHeal : JS.Downloader.Z
Comodo : Heur.Dual.Extensions
DrWeb : SCRIPT.Virus
ESET-NOD32 : JS/TrojanDownloader.Nemucod.AS
Emsisoft : JS:Trojan.JS.Downloader.AN (B)
F-Secure : JS:Trojan.JS.Downloader.AN
Fortinet : JS/Agent.CPL!tr
GData : JS:Trojan.JS.Downloader.AN
Kaspersky : Trojan.JS.Agent.cpl
McAfee : JS/Nemucod.c
McAfee-GW-Edition : JS/Nemucod.c
MicroWorld-eScan : JS:Trojan.JS.Downloader.AN
Microsoft : TrojanDownloader:JS/Nemucod.P
NANO-Antivirus : Trojan.Script.Agent.dtchtk
Rising : NORMAL:Trojan.DL.Script.JS.Nemucod.b!1616509[F1]
Sophos : JS/DwnLdr-MON
VIPRE : Malware.JS.Generic (JS)
nProtect : JS:Trojan.JS.Downloader.AN

Email analysis :

NOTE : thomas.gorman@jerusalem.hostyou.com.br
NOTE : client-ip=104.238.195.142;
NOTE : Sender Address Domain - jerusalem.hostyou.com.br
NOTE : X-Source-Args : /usr/bin/php /home/centova/public_html/coisaseria.com.br/post.php
NOTE : < centova@jerusalem.hostyou.com.br >
NOTE : Mime-Version : 1.0
NOTE : X-Source-Dir : centova.com:/public_html/coisaseria.com.br
NOTE : X-Priority : 3
NOTE : X-Get-Message-Sender-Via : jerusalem.hostyou.com.br:
NOTE : authenticated_id: centova/primary_hostname/system user
NOTE : X-Source : /usr/bin/php
NOTE : Received : by 10.202.17.82 with SMTP
NOTE : Received : from centova by jerusalem.hostyou.com.br
NOTE : Indebtedness for driving on toll road #000948265

Hi Comrade!

Hi Comrade!

Good tidings to you. With urgent need for assistance, I have summoned up courage to contact you. I have no intention of contacting you at this moment; rather an emergency prompted me to seek an urgent gateway, and I will be glad if you can be of assistance in understanding my personal experience and work with you presently on my on-going military mission here in Afghanistan, which is going to be fruitful and profitable to both of us financially. I am Capt. Elizabeth, an officer in the US Army and the International Security Assistance Force (ISAF) with the Forward Operating Base Shank, Kandahar city of Afghanistan, for the peacekeeping force. I am presently in service now and I really need your help in assisting me with the safe keeping of two trucks. I hope you can be trusted? I will explain further when I get a response from you.

This is the information I need from you to keep the trust.

Your full name
Home and office address
Sex/age/occupation
Telephone
Your scanned I.D Card for identification Purpose only.

Once I receive this information I shall explain to you how to get the package asap.

May God be with you.

Capt. Elizabeth.

Email analysis :

NOTE : capt.elizabetmcnamara@usa.net
NOTE : capt.elizabetmcnamara@mail.tj
NOTE : Received : from User (unknown [95.170.141.11])
NOTE : by mail1.strb.ru (Postfix) with ESMTP
NOTE : Tomsk is far from Kandahar...

Pls provide the following details

Dear Sir / Madam,

I am interested in purchasing your products; a sample image is attached to the Login link below. Please follow the Login link below to view the sample image I am interested in ordering from your company, and we sincerely hope to establish a long-term business relation with your esteemed company. Click Here to login: http://www.ptss.edu.my/v6/administrator/templates/system/documents.html If so, kindly provide the following details and send me your latest catalog. Also, inform me about the Minimum Order Quantity, Delivery time or FOB, and payment terms warranty:

I await your advice.
Best Wishes,
Mrs. Linda Yong

Analysis :

CLICK : LINK
VALIDATE : FORM
RESULT :

Email analysis :

NOTE : bencook551127@yahoo.co.id
NOTE : Return-Path : spam@practicenet.co.uk
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : HybridOnPrem
NOTE : X-Msmail-Priority : Normal
NOTE : Pls provide the following details

Urgent Inquiry Arrival From Alibaba . (Alibaba Phishing)

The following message was generated before 18 Aug 2015 09:32 (PST). This message was sent to you only. Registered Location and Message Origin: UAE. Message IP: 180.2685.4093.*

Ahmad Yacoob has sent you a new message.

Ahmad Yacoob

General inquiry about your product for sale.

18 Aug 2015 09:32

Congratulations! You have received a new inquiry from Ahmad Yacoob. To see the content and reply to this inquiry, please click on the Check Inquiry button below. Regards. Reply Now / Reject Inquiry / Report Spam. If you don't want to reply to this inquiry, you can Reject Inquiry and let the buyer know. Learn more

Alibaba.com shall not be liable for any lost profits or incidental, consequential or other damages arising out of or in connection with this message, our web site content, our services or the activities of any of the users of our web site. Thank you for your understanding and cooperation.

Phishing analysis :

CLICK : Reply Now
OPEN : http://ledkuutio.fi/alib/index.html
RESULT : Phishing was removed...

Email analysis :

NOTE : md15m@my.fsu.edu
NOTE : X-Ms-Exchange-Crosstenant-Fromentityheader : Hosted
NOTE : Return-Path : md15m@my.fsu.edu
NOTE : X-Originating-Ip : [74.208.68.233]
NOTE : Mime-Version : 1.0
NOTE : domain of md15m@my.fsu.edu designates 157.56.111.246 as permitted sender
NOTE : smtp.mailfrom=md15m@my.fsu.edu
NOTE : X-Originatororg : my.fsu.edu
NOTE : Received-Spf : client-ip=157.56.111.246;
NOTE : Received : from u18097758.onlinehome-server.com (74.208.68.233)
NOTE : Urgent Inquiry Arrival From Alibaba .

Security Notice Updates (LinkedIn Phishing)

LinkedIn

Security Notice Updates

On the 23rd of August 2015, an attempt to access your account was detected from an unknown location. For your security, access to your LinkedIn account has been temporarily suspended. To regain access, you must complete REGISTRATION BY DOWNLOADING & FILLING IN THE ATTACHED FORM. PLEASE NOTE: This is a compulsory measure. Failure to update your information will lead to service termination. LinkedIn security team.

VIEW ATTACHED TO UPDATE

You received an invitation to connect. LinkedIn will use your email address to make suggestions to our members in features like People You May Know. Unsubscribe
Learn why we included this. If you need assistance or have questions, please contact LinkedIn Customer Service.

© 2015, LinkedIn Corporation. 2029 Stierlin Ct. Mountain View, CA 94043, USA

Phishing analysis :

OPEN : LinkedIn Verification.html
EXTRACT FORM : action="http://test88212.test-account.com/BEXXXXLINK.php"

Whois test-account.com :

Domain Name: test-account.com
Registry Domain ID: 86840496_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrygate.com
Registrar URL: www.registrygate.com
Updated Date: 2014-12-29T01:33:34Z
Creation Date: 2002-05-22T01:33:22Z
Registrar Registration Expiration Date: 2016-05-22T20:04:29Z
Registrar: RegistryGate GmbH
Registrar IANA ID: 1328
Registrar Abuse Contact Email: abuse@registrygate.com
Registrar Abuse Contact Phone: +49.89.55061272
Domain Status: ok

Registrant Name: Werner Kaltofen
Registrant Organization: Neue Medien Muennich GmbH
Registrant Street: Hauptstr. 68
Registrant City: Friedersdorf
Registrant State/Province:
Registrant Postal Code: 02742
Registrant Country: DE
Registrant Phone: +49.3587235310
Registrant Fax: +49.3587235330
Registrant Email: hostmaster@all-inkl.com

Admin Name: Werner Kaltofen
Admin Organization: Neue Medien Muennich GmbH
Admin Street: Hauptstr. 68
Admin City: Friedersdorf
Admin State/Province:
Admin Postal Code: 02742
Admin Country: DE
Admin Phone: +49.3587235310
Admin Fax: +49.3587235330
Admin Email: hostmaster@all-inkl.com

Tech Name: Werner Kaltofen
Tech Organization: Neue Medien Muennich GmbH
Tech Street: Hauptstr. 68
Tech City: Friedersdorf
Tech State/Province:
Tech Postal Code: 02742
Tech Country: DE
Tech Phone: +49.3587235310
Tech Fax: +49.3587235330
Tech Email: hostmaster@all-inkl.com
Name Server: ns5.kasserver.com
Name Server: ns6.kasserver.com
DNSSEC: unsigned

Registry Billing ID:
Billing Name: Werner Kaltofen
Billing Organization: Neue Medien Muennich GmbH
Billing Street: Hauptstr. 68
Billing City: Friedersdorf
Billing State/Province:
Billing Postal Code: 02742
Billing Country: DE
Billing Phone: +49.3587235310
Billing Fax: +49.3587235330
Billing Email: hostmaster@all-inkl.com

Email analysis :

NOTE : Return-Path : < werner.laube@t-online.de >
NOTE : X-Remote : 194.25.134.17 (mailout02.t-online.de)
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="===============1507808188=="
NOTE : Received : from mailout02.t-online.de (194.25.134.17)
NOTE : Received : from fwd40.aul.t-online.de (fwd40.aul.t-online.de [172.20.26.139])
NOTE : by mailout02.t-online.de
NOTE : Received : from h2358992.stratoserver.net (@[85.214.197.244])
NOTE : by fwd40.t-online.de with (TLSv1:DHE-RSA-AES256-SHA encrypted)
NOTE : Security Notice Updates

I seek your permission.

My Dear Friend,

Greetings to you. I got your email address from a mail directory and decided to mail you for permission to go ahead. I am Mrs. Joan Gates of the United Kingdom, married to Dr. James R. Gates, who worked with Texaco Oil Company in Thailand before he died in a ghastly motor accident on his way to a board meeting. My husband and I were married but without any children. Since his death I decided not to re-marry, and presently I am 69 years old. When my late husband was alive he deposited the sum of $16.5M (Sixteen Million Five Hundred Thousand U.S. Dollars) with a bank.

Presently this money is still with the bank, and the management just wrote to me as the beneficiary to come forward to receive the money or rather issue a letter of authority to somebody to receive it on my behalf. I am presently in a hospital where I have been undergoing treatment for cancer of the lungs. I have since lost my ability to talk, and my doctors have told me that I have only a few months to live, so I think the best thing to do is to use the money for charity purposes. I want a person who is trustworthy that I will make the beneficiary of my late husband's fund deposited with the bank, so that the person can get the money and utilize 70% of this money to fund churches, orphanages and widows around the world.

At the moment I cannot take any telephone calls due to the fact that my relatives (they had squandered the funds I gave them for this purpose before) are around me. I have been helping orphans and orphanage/motherless homes. I have also donated some money for humanitarian needs in Sudan, South Africa, Brazil, Spain, Austria, Germany and some Asian countries.

I have been touched to do the good work of humanity through you, rather than allow my relatives to use my husband's hard-earned funds inappropriately. I know I have never met you, but my mind tells me to do this, and I hope you act sincerely.

As soon as I receive your reply I shall give you the contact details of the bank. I will also issue you a letter of authority that will prove you as the new beneficiary of this fund. Please assure me that you will act accordingly as I stated herein and keep this contact confidential until such a time as these funds get to your custody. This is to ensure that nothing jeopardizes my last wish on Earth.

May the good Lord bless you. Amen. I await your urgent reply.

Regards,
Mrs. Joan Gates.

Email analysis :

NOTE : joangates.mrs28@yahoo.de
NOTE : X-Msmail-Priority : Normal
NOTE : Return-Path : < beautifulseptember2014@gmail.com >
NOTE : Content-Transfer-Encoding : 7bit
NOTE : X-Mailer : Microsoft Outlook Express 6.00.2600.0000
NOTE : Received : from 2014la.org (HELO mail.2014la.org) (213.5.120.35)
NOTE : Received : from User (unknown [41.138.175.57]) by mail.2014la.org (Postfix)
NOTE : I seek your permission.
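The header notes for the "Hi Comrade!" and "I seek your permission." messages both show the same pattern: a From address on one domain, a Return-Path on another, and a bottom-most Received line reading "from User (unknown [ip])", i.e. a client with no reverse DNS handing the mail to a relay. The script below is an added example (not code from the original page) that automates that triage over a constructed header set modelled on the Joan Gates notes above.

```python
import email
import email.utils
import re

# Constructed raw headers, modelled on the page's "Email analysis" notes for
# the "I seek your permission." message; not the message as captured.
SAMPLE_HEADERS = (
    "Return-Path: <beautifulseptember2014@gmail.com>\n"
    "Received: from 2014la.org (HELO mail.2014la.org) (213.5.120.35)\n"
    "Received: from User (unknown [41.138.175.57]) by mail.2014la.org (Postfix)\n"
    "From: Joan Gates <joangates.mrs28@yahoo.de>\n"
    "Subject: I seek your permission.\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "\n"
    "body\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, mailbox = email.utils.parseaddr(addr or "")
    return mailbox.rpartition("@")[2].lower()


def origin_hop(msg):
    """Bottom-most Received header: the earliest hop visible to us."""
    received = msg.get_all("Received") or []
    return received[-1] if received else ""


def triage(raw):
    """Return From/Return-Path domains, origin IP and a list of flags."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    hop = origin_hop(msg)
    ip_match = IPV4.search(hop)
    ip = ip_match.group(1) if ip_match else ""
    flags = []
    # Envelope sender on a different domain from the visible From address.
    if rp_dom and rp_dom != from_dom:
        flags.append("return-path domain %s != from domain %s" % (rp_dom, from_dom))
    # Relay could not resolve the submitting client: Postfix writes 'unknown'.
    if "unknown" in hop:
        flags.append("origin host has no reverse DNS (unknown [%s])" % ip)
    return {"from": from_dom, "return_path": rp_dom, "origin_ip": ip, "flags": flags}
```

The origin IP is the one to check against the story the message tells, as the author does for the Capt. Elizabeth mail ("Tomsk is far from Kandahar").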

Facturation mensuelle inadaptée (Phishing Free)
Phishing analysis :

CLICK : Se connecter
OPEN : http://www.strifus.com/test@free.fr
OPEN : http://www.htyzuaieuy.com/test@free.fr

Domain analysis :

Domain Name: STRIFUS.COM
Registry Domain ID: 1521855746_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.liquidnetlimited.co.uk
Registrar URL: http://liquidnetlimited.co.uk
Updated Date: 2014-12-30T17:47:35Z
Creation Date: 2008-09-29T09:36:45Z
Registrar Registration Expiration Date: 2015-09-29T09:36:45Z
Registrar: LIQUIDNET Ltd.
Registrar IANA ID: 1472
Registrar Abuse Contact Email: abuse@liquidnetlimited.co.uk
Registrar Abuse Contact Phone: +44.2036951294
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Andrey Alexeenko
Registrant Street: Dzerzhinskaya st, 18-210
Registrant City: Solnechnogorsk
Registrant State/Province: Moscow region
Registrant Postal Code: 141500
Registrant Country: RU
Registrant Phone: +7.9037919106
Registrant Email: neffarian@mail.ru
Admin Name: Andrey Alexeenko
Admin Street: Dzerzhinskaya st, 18-210
Admin City: Solnechnogorsk
Admin State/Province: Moscow region
Admin Postal Code: 141500
Admin Country: RU
Admin Phone: +7.9037919106
Admin Email: neffarian@mail.ru
Tech Name: Andrey Alexeenko
Tech Street: Dzerzhinskaya st, 18-210
Tech City: Solnechnogorsk
Tech State/Province: Moscow region
Tech Postal Code: 141500
Tech Country: RU
Tech Phone: +7.9037919106
Tech Email: neffarian@mail.ru
Name Server: ns1.exclusivehosting.net
Name Server: ns2.exclusivehosting.net
Name Server: ns3.exclusivehosting.net
Name Server: ns4.exclusivehosting.net
DNSSEC: not signed

Domain Name: htyzuaieuy.com
Registry Domain ID: 1951135600_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: http://www.register.com
Updated Date: 2015-08-04T21:37:14Z
Creation Date: 2015-08-04T21:37:14Z
Registrar Registration Expiration Date: 2016-08-04T21:37:14Z
Registrar: Register.com, Inc.
Registrar IANA ID: 9
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8773812449
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registrant Name: PERFECT PRIVACY, LLC
Registrant Street: 12808 Gran Bay Pkwy West
Registrant City: Jacksonville
Registrant State/Province: FL
Registrant Postal Code: 32258
Registrant Country: US
Registrant Phone: +1.9027492701
Registrant Email: 6865a66d0a28fd0a4fc61255b706a5ea@domaindiscreet.com

Email analysis :

NOTE : oak@huffpostmaghreb.com
NOTE : alf@huffpostmaghreb.com
NOTE : Content-Type : text/html; charset=UTF-8
NOTE : X-Priority : 2
NOTE : Return-Path :
NOTE : Content-Transfer-Encoding : 8bit
NOTE : Received : from huffpostmaghreb.com ([149.202.162.145])
NOTE : Received : by huffpostmaghreb.com (Postfix, from userid 33)
NOTE : Facturation mensuelle inadaptée