Friday, February 13, 2015

Scanned Image

Please open the attached document.
This document was digitally sent to you using an HP Digital Sending device.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------
Image.zip

Image.zip analysis :

OPEN FILE : Image.zip
EXTRACT : Image.scr

AVware Win32.Malware!Drop
Ad-Aware Gen:Variant.Graftor.175463
AhnLab-V3 Trojan/Win32.MDA
Avast Win32:Trojan-gen
Avira TR/Agent.psxz.445
Baidu-International Trojan.Win32.Waski.F
BitDefender Gen:Variant.Graftor.175463
ClamAV Win.Trojan.Upatre-165
Cyren W32/Trojan.BKZM-6931
DrWeb Trojan.Upatre.125
ESET-NOD32 Win32/TrojanDownloader.Waski.F
Emsisoft Gen:Variant.Graftor.175463 (B)
F-Prot W32/Trojan3.NUW
F-Secure Gen:Variant.Graftor.175463
Fortinet W32/Waski.F!tr
GData Gen:Variant.Graftor.175463
Ikarus Trojan-Downloader.Win32.Upatre
Kaspersky Trojan-Downloader.Win32.Upatre.fbe
Malwarebytes Trojan.FakeMS.ED
McAfee Artemis!E85B4BDFB116
McAfee-GW-Edition BehavesLike.Win32.BadFile.mm
MicroWorld-eScan Gen:Variant.Graftor.175463
Microsoft TrojanDownloader:Win32/Upatre
Qihoo-360 HEUR/QVM19.1.Malware.Gen
Sophos Troj/Dyreza-CB
Symantec Downloader.Upatre
Tencent Win32.Trojan.Inject.Auto
TrendMicro TROJ_UPATRE.YYSO
TrendMicro-HouseCall TROJ_UPATRE.YYSO
VIPRE Win32.Malware!Drop

Email analysis :

NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < ushrb@brainkast.com>
NOTE : Received : from unknown (HELO HJPSMPV) (14.168.92.95)


NOTE : Scanned Image

Friday, January 30, 2015

Fax = Trojan

Fax message (Fax #0086091)

http://79.96.148.163/.~NEW_RECEIVED_FAX/incoming.html
Sent date: Thu, 22 Jan 2015 15:00:49 +0000

Fax message (Fax #0458849)

http://pristineusa.com/~_RECEIVED~FAX~MESSAGES/incoming.html
Sent date: Thu, 22 Jan 2015 15:13:35 +0000

Fax message (Fax #3457735)

http://hifafarah.com/._RECEIVED.MESSAGES/incoming-fax_letter.html
Sent date: Thu, 22 Jan 2015 15:26:03 +0000

Fax message (Fax #4644306)

http://89.161.234.149/-_NEW_RECEIVED.FAX_MESSAGES/incoming.fax~letter.html
Sent date: Thu, 22 Jan 2015 15:08:31 +0000

Fax message (Fax #6410561)

http://www.get-the-best.com/~_RECEIVED.FAX_MESSAGES/incoming.html
Sent date: Thu, 22 Jan 2015 15:16:23 +0000

Email analysis for 5 emails :

NOTE : Received : from unknown (HELO my-fax.com) (85.133.33.10)
NOTE : Received : from unknown (HELO my-fax.com) (40.131.4.2)
NOTE : Received : from unknown (HELO my-fax.com) (91.183.230.243)
NOTE : Received : from unknown (HELO my-fax.com) (66.203.160.26)
NOTE : Received : from unknown (HELO my-fax.com) (64.20.199.98)

pristineusa.com whois :

Registrant Name: PRISTINE SOFTWARE
Registrant Organization: PRISTINE SOFTWARE
Registrant Street: 1411 W. Covell Blvd Ste 106
Registrant City: Davis
Registrant State/Province: CA
Registrant Postal Code: 95616
Registrant Country: US
Registrant Phone: +1.5307584484
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: mmadani@pristineusa.com

hifafarah.com whois :

Registrant Name: PERFECT PRIVACY, LLC
Registrant Organization:
Registrant Street: 12808 Gran Bay Pkwy West
Registrant City: Jacksonville
Registrant State/Province: FL
Registrant Postal Code: 32258
Registrant Country: US
Registrant Phone: +1.9027492701
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: 24ebf0cf0a16123311014b9d998ad564@domaindiscreet.com

get-the-best.com whois :

Registry Admin ID:
Admin Name: Lentz, Eduardo
Admin Organization: Get The Best, Inc.
Admin Street: P.O. Box 18630
Admin City: Boulder
Admin State/Province: CO
Admin Postal Code: 80308
Admin Country: US
Admin Phone: (303) 941-2118
Admin Fax: 999 999 9999
Admin Email: gtbusa@IX.NETCOM.COM

Analysis of link

- CLICK LINK
- DOWNLOAD FILE : (fax_message72933.zip)
- EXTRACT FILE : fax_message23055.exe
- PAGE REDIRECTED TO FAX SERVICE WEBSITE.

Analysis of file

ALYac : Trojan.Upatre.J
AVG : Downloader.Generic14.IJZ
AVware : Trojan-Downloader.Win32.Upatre.ao (v)
Ad-Aware : Trojan.Upatre.J
Agnitum : Trojan.Staser!
AhnLab-V3 : Win-Trojan/Downloader.38400.FA
Antiy-AVL : Trojan/Win32.Staser
Avast : Win32:Trojan-gen
Avira : TR/Dldr.Kryptik.pza
BitDefender : Trojan.Upatre.J
ByteHero : Virus.Win32.Heur.c
CAT-QuickHeal : (Suspicious) - DNAScan
Comodo : TrojWare.Win32.TrojanDownloader.Waski.BA
Cyren : W32/Trojan.NMXE-6820
DrWeb : Trojan.Upatre.125
ESET-NOD32 : Win32/TrojanDownloader.Waski.F
Emsisoft : Trojan.Upatre.J (B)
F-Prot : W32/Trojan3.NHH
F-Secure : Trojan-Downloader:W32/Upatre.J
Fortinet : W32/Kryptik.CWCJ!tr
GData : Trojan.Upatre.J
Ikarus : Trojan-Downloader.Waski
Jiangmin : Trojan/Staser.amk
K7AntiVirus : Trojan-Downloader ( 0049d22b1 )
K7GW : Trojan-Downloader ( 0049d22b1 )
Kaspersky : Trojan.Win32.Staser.awvp
Malwarebytes : Trojan.Email.FakeDoc
McAfee : Upatre-FAAJ!3B474BAEAC5F
McAfee-GW-Edition : BehavesLike.Win32.Autorun.nt
MicroWorld-eScan : Trojan.Upatre.J
Microsoft : TrojanDownloader:Win32/Upatre
NANO-Antivirus : Trojan.Win32.Kryptik.dmuguo
Norman : Upatre.FN
Sophos : Troj/Dyreza-AT
Symantec : Downloader.Upatre!gen8
TheHacker : Trojan/Kryptik.cwaa
TotalDefense : Win32/Upatre.IVVGEBC
TrendMicro : TROJ_UPATRE.SMNC
TrendMicro-HouseCall : TROJ_UPATRE.SMNC
VIPRE : Trojan-Downloader.Win32.Upatre.ao (v)
nProtect : Trojan/W32.Agent.38400.XP

Thursday, January 22, 2015

Incoming Fax Report

************************************
INCOMING FAX REPORT
************************************

Date/Time: Tuesday, 21.01.2015
Speed: 123bps
Connection time: 01:06
Page: 3
Resolution: Normal
Remote ID: 871-748-171158
Line number: 9
DTMF/DID:
Description: Internal only

************************************

FAX-id9123912481712931.zip

Email analysis :

NOTE : no-reply@premium-fax.com
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Return-Path : < respellsrcwe1918@regalix.com >
NOTE : Remote : 82.130.246.56 (56.82-130-246.static.clientes.euskaltel.es)
NOTE : Incoming Fax Report

FAX-id9123912481712931.zip analysis :

AVG Generic36.ARVN 20150122
AVware Trojan.Win32.Generic!BT 20150122
Ad-Aware Trojan.GenericKD.2099790 20150122
Avast Win32:Trojan-gen 20150122
Avira TR/Crowti.A.152 20150122
BitDefender Trojan.GenericKD.2099790 20150122
CMC Trojan.Win32.Krap.2!O 20150120
Cyren W32/Trojan.SNJZ-4571 20150122
DrWeb Trojan.Encoder.514 20150122
ESET-NOD32 Win32/Filecoder.CO 20150122
Emsisoft Trojan.GenericKD.2099790 (B) 20150122
F-Prot W32/Trojan3.NGI 20150122
F-Secure Trojan.GenericKD.2099790 20150122
GData Trojan.GenericKD.2099790 20150122
Ikarus Trojan-Spy.Agent 20150122
K7AntiVirus Trojan ( 7000000c1 ) 20150122
K7GW Trojan ( 7000000c1 ) 20150122
Kaspersky Trojan-Ransom.Win32.Blocker.gkdv 20150122
McAfee Artemis!20834704BF1B 20150122
MicroWorld-eScan Trojan.GenericKD.2099790 20150122
Microsoft Ransom:Win32/Crowti.A 20150122
Qihoo-360 Win32/Trojan.Multi.daf 20150122
Sophos Mal/DrodZp-A 20150122
Symantec Trojan.Cryptolocker.F 20150122
Tencent Win32.Trojan.Inject.Auto 20150122
TrendMicro TROJ_FILECODER.K 20150122
TrendMicro-HouseCall Suspicious_GEN.F47V0121 20150122
VIPRE Trojan.Win32.Generic!BT 20150122
nProtect Trojan.GenericKD.2099790 20150122

Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://spitalcuzavodaiasi.ro/CUSTOMER.DOCUMENT-STORAGE-DATA/get_invoice_document.html
DOCUMENT LINK: http://lamichelangelo.it/CUSTOMER-DOCUMENT-STORAGE_DATA/get_last_document.html
DOCUMENT LINK: http://www.trans-arts.com/CUSTOMER~DOCUMENT-DATA/last-invoice-document.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

Email analysis :

NOTE : no-replay@invoice.com
NOTE : User-Agent : Roundcube Webmail/1.1.1
NOTE : Received : from unknown (HELO invoice.com) (37.191.103.140)
NOTE : Received : from unknown (HELO invoice.com) (69.42.188.58)
NOTE : Received : from unknown (HELO invoice.com) (80.156.199.162)

Process Analysis :

CLICK : one of the three links.
DOWNLOAD : invoice_pdf80985.zip
EXTRACT : invoice_pdf40132.exe

invoice_pdf40132.exe analysis :

AVG : Crypt3.BTYL : 20150122
Ad-Aware : Gen:Variant.Zbot.154 : 20150122
AhnLab-V3 : Spyware/Win32.Zbot : 20150122
Avast : Win32:Malware-gen : 20150122
BitDefender : Gen:Variant.Zbot.154 : 20150122
CMC : Packed.Win32.Katusha.3!O : 20150120
Cyren : W32/Trojan.RHQS-4975 : 20150122
DrWeb : Trojan.Upatre.128 : 20150122
ESET-NOD32 : Win32/TrojanDownloader.Waski.F : 20150122
Emsisoft : Gen:Variant.Zbot.154 (B) : 20150122
F-Prot : W32/Trojan3.NGH : 20150122
F-Secure : Gen:Variant.Zbot.154 : 20150122
GData : Gen:Variant.Zbot.154 : 20150122
K7AntiVirus : Trojan-Downloader ( 0049d22b1 ) : 20150122
Kaspersky : Trojan.Win32.Staser.awtk : 20150122
Malwarebytes : Trojan.Email.FakeDoc : 20150122
McAfee : Downloader-FAHF!01F769E9BD9A : 20150122
MicroWorld-eScan : Gen:Variant.Zbot.154 : 20150122
Qihoo-360 : Malware.QVM20.Gen : 20150122
Rising : PE:Malware.FakePDF@CV!1.9C3A : 20150121
Sophos : Troj/Dyreza-AM : 20150122
Symantec : Downloader.Upatre : 20150122
nProtect : Trojan/W32.Agent.15872.TX : 20150122

Friday, November 14, 2014

Virus from Essex...

Virus relayed from essex.org.uk :


Voice Message #0168935504
====================================
NOTE : X-Remote : 208.118.175.61 ()
NOTE : X-Sender : martin.smith@essex.org.uk
NOTE : Content-Type : text/plain; charset=US-ASCII; format=flowed
NOTE : Received : from unknown (HELO essex.org.uk) (208.118.175.61)
NOTE : Received : from domain.local (domain.local [192.168.0.25]) by essex.org.uk (Postfix)
NOTE : User-Agent : Roundcube Webmail/1.0.1
NOTE : Return-Path : < martin.smith@essex.org.uk >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Voice Message #0168935504
====================================
Voice redirected message

http://zorcorp.com/bankline/message.php
Sent: Thu, 13 Nov 2014 12:18:30 +0000
====================================


Voice Message #0461019860
====================================
NOTE : X-Remote : 50.246.114.145 (mail.nbaccorp.com)
NOTE : X-Sender : martin.smith@essex.org.uk
NOTE : Content-Type : text/plain; charset=US-ASCII; format=flowed
NOTE : Received : from mail.nbaccorp.com (HELO essex.org.uk) (50.246.114.145)
NOTE : Received : from domain.local (domain.local [192.168.0.25]) by essex.org.uk (Postfix)
NOTE : User-Agent : Roundcube Webmail/1.0.1
NOTE : Return-Path :
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Voice Message #0461019860
====================================
Voice redirected message

http://vsrwhitefish.com/bankline/message.php
Sent: Thu, 13 Nov 2014 12:16:02 +0000
====================================


Voice Message #0479943726
====================================
NOTE : X-Remote : 82.79.67.81 (impress.ro)
NOTE : X-Sender : martin.smith@essex.org.uk
NOTE : Content-Type : text/plain; charset=US-ASCII; format=flowed
NOTE : Received : from impress.ro (HELO essex.org.uk) (82.79.67.81)
NOTE : Received : from domain.local (domain.local [192.168.0.25]) by essex.org.uk (Postfix)
NOTE : User-Agent : Roundcube Webmail/1.0.1
NOTE : Return-Path : < martin.smith@essex.org.uk >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Voice Message #0479943726
====================================
Voice redirected message

http://vietnamflight.vn/bankline/message.php
Sent: Thu, 13 Nov 2014 12:38:01 +0000
====================================


Voice Message #0830285419
====================================
NOTE : X-Remote : 209.76.245.60 ()
NOTE : X-Sender : martin.smith@essex.org.uk
NOTE : Content-Type : text/plain; charset=US-ASCII; format=flowed
NOTE : Received : from unknown (HELO essex.org.uk) (209.76.245.60)
NOTE : Received : from domain.local (domain.local [192.168.0.25]) by essex.org.uk (Postfix)
NOTE : User-Agent : Roundcube Webmail/1.0.1
NOTE : Return-Path : < martin.smith@essex.org.uk >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Voice Message #0830285419
====================================
Voice redirected message

http://karich.com.my/bankline/message.php
Sent: Thu, 13 Nov 2014 11:59:55 +0000
====================================


Voice Message #1032155137
====================================
NOTE : X-Remote : 173.10.48.121 (173-10-48-121-michigan.hfc.comcastbusiness.net)
NOTE : X-Sender : martin.smith@essex.org.uk
NOTE : Content-Type : text/plain; charset=US-ASCII; format=flowed
NOTE : Received : from 173-10-48-121-michigan.hfc.comcastbusiness.net (HELO essex.org.uk) (173.10.48.121)
NOTE : Received : from domain.local (domain.local [192.168.0.25]) by essex.org.uk (Postfix)
NOTE : User-Agent : Roundcube Webmail/1.0.1
NOTE : Return-Path : < martin.smith@essex.org.uk >
NOTE : Mime-Version : 1.0
NOTE : Content-Transfer-Encoding : 7bit
NOTE : Voice Message #1032155137
====================================
Voice redirected message

http://zorcorp.com/bankline/message.php
Sent: Thu, 13 Nov 2014 12:41:17 +0000
====================================


Domains related to scams :


====================================
http://karich.com.my/bankline/message.php
====================================
Registrant Name: Joanne Chin Karich
Registrant Street: Sdn Bhd No.1, Jalan 27 A, Kawasan 16, Sungai Rasa
Registrant City: 41300 Kuala Lumpur Wilayah Persekutuan
Registrant Country : Malaysia
Registrant Phone : (Tel) 03-33928488 (Fax) 03-33929069
Registrant Email : joanne@karich.com.my
====================================

====================================
http://zorcorp.com/bankline/message.php
====================================
Registrant Name : john zorbas
Registrant Street : 80 collard st. suite 200
Registrant City : toronto
Registrant State/Province : ON
Registrant Postal Code : m5r1g2
Registrant Country : CA
Registrant Phone : +1.4165646882
Registrant Email : zorcorp@rojers.blackberry.net
====================================

====================================
http://vietnamflight.vn/bankline/message.php
====================================
Registrant Name : Công ty NetNam
Registrant Owner Name : Công Ty TNHH Du Lịch Châu Á Thái Bình Dương
DNS : ns1.sapatours.com , ns2.sapatours.com
====================================

====================================
http://vsrwhitefish.com/bankline/message.php
====================================
Registrant Name : Betty Luderman
Registrant Organization : Village Square Realty
Registrant Street : 411 Spokane Ave
Registrant City : Whitefish
Registrant State/Province : MT
Registrant Postal Code : 59937
Registrant Country : US
Registrant Phone : +1.4068623541
Registrant Email : bettylud@bresnan.net
====================================


Scam.cz action :


====================================
- Clicking one of the links.
- Download : Secure-messageBankline_pdf.zip
- Open : Secure-messageBankline_pdf.zip
- Redirect to http://www.rbs.co.uk/corporate/electronic-services/g2/datalink.ashx
- Analysis : Secure-messageBankline_pdf.zip
====================================


Secure-messageBankline_pdf.zip is a trojan :


====================================
AVG : Luhe.Fiha.A
AVware : Win32.Malware!Drop
Ad-Aware : Trojan.GenericKD.1973036
Avira : TR/Crypt.ZPACK.94167
Baidu-International : Trojan.Win32.Battdil.bI
BitDefender : Trojan.GenericKD.1973036
Cyren : W32/Trojan.YDSE-4442
DrWeb : Trojan.Upatre.115
ESET-NOD32 : Win32/Battdil.I
Emsisoft : Trojan.GenericKD.1973036 (B)
F-Prot : W32/Trojan3.MDD
F-Secure : Trojan-Downloader:W32/Upatre.I
Fortinet : W32/Upatre.BTC!tr
GData : Trojan.GenericKD.1973036
Ikarus : Trojan-Spy.Zbot
Kaspersky : Trojan.Win32.Staser.aqlf
Malwarebytes : Trojan.Upatre
McAfee : Artemis!C852DFF3E4DE
MicroWorld-eScan : Trojan.GenericKD.1973036
Microsoft : TrojanDownloader:Win32/Upatre
Norman : Upatre.FH
Qihoo-360 : HEUR/QVM20.1.Malware.Gen
Sophos : Troj/Zbot-JFC
Symantec : Downloader.Upatre
TrendMicro : TROJ_INJECT.WJSP
====================================

Tuesday, October 28, 2014

Nota Fiscal Eletrônica

WE INFORM YOU THAT THE LINK TO THE INVOICE SENT PREVIOUSLY WAS CORRUPTED;
BECAUSE OF THIS, WE ARE PROVIDING A NEW DOWNLOAD LINK.
WE APOLOGIZE FOR THE INCONVENIENCE.

Attached is the Electronic Service Invoice (Nota Fiscal Eletrônica de Serviços), issued in SEPTEMBER/2014.

This file must be kept.

NF-E- Emitida.PDF

004361097000577215001000052842100874662-ProcNfe.PDF

Dear Customer,

Attached is a copy of the INVOICE (NOTA FISCAL) in PDF, containing the list of orders and the other payment details. We inform you that the amount was successfully debited! If you have any questions about the orders, contact us and we will explain!

Sincerely,
Ricardo B. Santos
Finance Department.

This email is free of viruses and malware because avast! Antivirus protection is active.

Email analysis :

NOTE : X-Antivirus-Status : Clean
NOTE : Return-Path : < sac.ba@termaco.com.br >
NOTE : Mime-Version : 1.0
NOTE : X-Virus-Scanned : amavisd-new at mail.termaco.com.br
NOTE : Message-Id : < *@BRASILPC >
NOTE : X-Antivirus : avast! (VPS 141027-2, 27/10/2014), Outbound message
NOTE : Received : from mail.termaco.com.br (200.217.161.6)
NOTE : Received : from brasil2014-PC (unknown [179.155.140.18])
NOTE : by mail.termaco.com.br (Postfix)
NOTE : Nota Fiscal Eletrônica

Link analysis :

CLICK : 004361097000577215001000052842100874662-ProcNfe.PDF
OPEN : http://ge.tt/api/1/files/7EMX4r22/0/blob?download
DOWNLOAD : Reemissão de Nota N 9038312-01.rar

Virus analysis :

Comodo : TrojWare.Win32.TrojanDownloader.Delf.SAD : 20141028
ESET-NOD32 : a variant of Win32/TrojanDownloader.Banload.ULY : 20141028
Kaspersky : HEUR:Trojan-Downloader.Script.Generic : 20141028

Friday, October 17, 2014

Your document

To view your document, please open attachment.

< document_1425792.pdf.zip >

Virus analysis :

Ad-Aware Trojan.GenericKD.1928929
Avast Win32:Malware-gen
Avira TR/Crypt.Xpack.88959
BitDefender Trojan.GenericKD.1928929
Cyren W32/Trojan.JOFL-9265
ESET-NOD32 a variant of MSIL/Injector.FWC
F-Prot W32/Trojan3.LMV
Fortinet MSIL/FWC!tr
Ikarus Backdoor.Androm
Kaspersky Trojan.Win32.Inject.tbsl
Malwarebytes Trojan.MSIL.Injector
McAfee Artemis!94EA6E94CF43
MicroWorld-eScan Trojan.GenericKD.1928929
Qihoo-360 Win32/Trojan.Multi.daf
Rising PE:Malware.FakePDF@CV!1.9C3A
Sophos Troj/MSIL-APK
Tencent Win32.Trojan.Inject.Auto
TrendMicro-HouseCall TROJ_GE.C9ACEC0C

Email analysis :

NOTE : Return-Path : < no-reply@97e2896c.skybroadband.com >
NOTE : Received : from 97e2896c.skybroadband.com (151.226.137.108)


NOTE : Message-Id : < I1N3IJT6.6426198@robtec.com >
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="----=_NextPart_000_0006_*"
NOTE : X-Remote : 151.226.137.108 (97e2896c.skybroadband.com)


NOTE : Your document

Thursday, October 9, 2014

Alert Transactions Report by users from 2014-09-28 to 2014-09-28

Your requested report is attached here.

< transact_store.zip >

Email analysis :

NOTE : Return-Path :
NOTE : Received : from unknown (HELO pulik.in) (41.216.215.152)


NOTE : Received : from [177.140.36.115] (helo=mgroiipvpbw.iyxefpsmk.ua)


NOTE : X-Mailer : The Bat! (v3.71.14) Professional


NOTE : X-Priority : 3 (Normal)
NOTE : Message-Id : < *.*@nwhxppulruhvq.ecbucf.net >
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="----------*"
NOTE : Alert Transactions Report by users from 2014-09-28 to 2014-09-28

Virus analysis :

AVG : MSIL5.RCS
Ad-Aware : Trojan.Agent.BFYC
Avira : TR/Crypt.Xpack.98991
Baidu-International : Trojan.Win32.Wauchos.bAF
BitDefender : Trojan.Agent.BFYC
ESET-NOD32 : Win32/TrojanDownloader.Wauchos.AF
Emsisoft : Trojan.Agent.BFYC (B)
F-Secure : Trojan.Agent.BFYC
Fortinet : W32/Wauchos.AF!tr
GData : Trojan.Agent.BFYC
Ikarus : Win32.Outbreak
Kaspersky : Backdoor.Win32.Androm.fcxu
McAfee : Artemis!182EE0F73CD9
MicroWorld-eScan : Trojan.Agent.BFYC
Qihoo-360 : HEUR/QVM03.0.Malware.Gen
Sophos : Troj/Zbot-JAQ
Symantec : Backdoor.Trojan
Tencent : Win32.Trojan.Inject.Auto
TheHacker : W32/Bagle.gen.pwdzip5
TrendMicro : TROJ_WAUCHOS.WFB

Friday, October 3, 2014

Fax Report

*************************************
INCOMING FAX REPORT
*************************************

Date/Time: Thursday, 02.10.2014
Speed: 474bps
Connection time: 09:08
Page: 5
Resolution: Normal
Remote ID: 811-748-179982
Line number: 9
DTMF/DID:
Description: Internal only

*************************************
< fax00842121453281728.zip >

Virus analysis :
===================================================
AVG : Crypt3.ASZZ
Avast : Win32:Trojan-gen
Avira : TR/Crypt.ZPACK.102086
Baidu-International : Trojan.Win32.Filecoder.bCO
BitDefender : Trojan.GenericKD.1896987
Bkav : W32.HfsAutoA.D289
ClamAV : Zip.Suspect.ExecutableFax-zippwd-1
Cyren : W32/Trojan.GDDK-5927
ESET-NOD32 : Win32/Filecoder.CO
F-Prot : W32/Trojan3.LBO
F-Secure : Trojan:W32/Agent.DVSR
Ikarus : Trojan-Ransom.CryptoWall
K7AntiVirus : Trojan ( 7000000c1 )
K7GW : Trojan (7000000c1)
McAfee : RDN/Generic.dx!dfz
Sophos : Mal/DrodZp-A
Symantec : Trojan.Cryptodefense
Tencent : Win32.Trojan.Inject.Auto
TrendMicro : TROJ_RANSOM.YMJJ
===================================================

Mail analysis :
===================================================
NOTE : ugo.orlando@toutattache.com
NOTE : Return-Path : < underwriteye@rjsinger.com >
NOTE : Received : from unknown (HELO KJIONYSKE) (91.186.207.186)


NOTE : Message-Id : < 94K3LVMS.2835547@rjsinger.com >
NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
NOTE : Mime-Version : 1.0
NOTE : Content-Type : multipart/mixed; boundary="------------020006060602000502040307"
NOTE : Fax Report
===================================================

Tuesday, September 16, 2014

Fax Report Virus

************************************
INCOMING FAX REPORT
************************************

Date/Time: Monday, 15.09.2014
Speed: 742bps
Connection time: 02:05
Page: 6
Resolution: Normal
Remote ID: 961-748-175192
Line number: 2
DTMF/DID:
Description: Internal only

************************************

< fax0082716711362511.zip >

Virus analysis :
==================================
AVG : Inject2.AVZG : 20140916
Ad-Aware : Trojan.GenericKD.1863035 : 20140916
Avast : Win32:Trojan-gen : 20140916
Avira : TR/Crypt.ZPACK.65977 : 20140916
Baidu-International : Trojan.Win32.Ransom.AR : 20140916
BitDefender : Trojan.GenericKD.1863035 : 20140916
CMC : Trojan.Win32.Swizzor.2!O : 20140916
Cyren : W32/Trojan.PSFN-7581 : 20140916
DrWeb : Trojan.Encoder.514 : 20140916
ESET-NOD32 : Win32/Filecoder.NCE : 20140916
Emsisoft : Trojan.GenericKD.1863035 (B) : 20140916
F-Prot : W32/Trojan3.KSP : 20140916
F-Secure : Trojan.GenericKD.1863035 : 20140916
GData : Trojan.GenericKD.1863035 : 20140916
Ikarus : Trojan-Spy.Agent : 20140916
K7AntiVirus : Trojan ( 7000000c1 ) : 20140915
K7GW : Trojan ( 7000000c1 ) : 20140915
Kaspersky : Trojan-Ransom.Win32.Cryptodef.bmw : 20140916
McAfee : RDN/Suspicious.bfr!bh : 20140916
MicroWorld-eScan : Trojan.GenericKD.1863035 : 20140916
Microsoft : Ransom:Win32/Crowti.A : 20140916
Panda : Trj/Chgt.F : 20140915
Qihoo-360 : HEUR/Malware.QVM07.Gen : 20140916
Sophos : Mal/DrodZp-A : 20140916
Symantec : Trojan.Cryptodefense : 20140916
Tencent : Win32.Trojan.Inject.Auto : 20140916
TrendMicro : TROJ_RANSOM.YMJH : 20140916
TrendMicro-HouseCall : TROJ_RANSOM.YMJH : 20140916
nProtect : Trojan.GenericKD.1863035 : 20140916
==================================

NatWest link for Virus

NatWest Logo

You have a new private message from NatWest

To view/read this your secure message please click here

Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.

Footer Logo NatWest

To unsubscribe please click here

National Westminster Bank Plc. All rights, save as expressly granted, are reserved. Reproduction in any form of any part of the contents of this website without our prior written consent is prohibited unless for personal use only.

Email analysis :
=================================================
NOTE : Return-Path : < denqv@bpbcorp.com >
NOTE : Received : from unknown (HELO localhost) (113.167.221.144)


NOTE : User-Agent : Mozilla/5.0 (Windows NT 6.1; rv:24.0)
NOTE : Gecko/20100101 Thunderbird/24.2.0
NOTE : You have received a new secure message from NatWest
=================================================

Link analysis :
=================================================
NOTE : Click "To view/read this your secure message please click here"
NOTE : Open "http://high-hollin.org/nrhscgfayh/rxyxzmsbsy.html"
NOTE : A new download is processed :


NOTE : File "SecureMessage.zip" from http://www.explicacoesmagicmath.pt
NOTE : File "SecureMessage.zip" is a VIRUS !
=================================================

Virus analysis (DEF 20140916) :
=================================================
AVware : Win32.Malware!Drop
Avira : TR/ATRAPS.A.1717
Baidu-International : Trojan.Win32.Upatre.ABlK
DrWeb : Trojan.DownLoad3.34292
ESET-NOD32 : Win32/TrojanDownloader.Waski.A
Ikarus : Trojan-Spy.Agent
K7AntiVirus : Trojan (7000000c1)
K7GW : Trojan(7000000c1)
Kaspersky : Trojan-Downloader.Win32.Upatre.avh
Kingsoft : VIRUS_UNKNOWN
Malwarebytes : Trojan.Upatre
McAfee : Artemis!AE3D2F8620F0
Microsoft : TrojanDownloader:Win32/Upatre.AA
Panda : Trj/Chgt.F
Qihoo-360 : HEUR/QVM20.1.Malware.Gen
Sophos : Mal/DrodZp-A
Symantec : Trojan.Zbot
Tencent : Win32.Trojan-downloader.Upatre.Wqmz
VIPRE : Win32.Malware!Drop
ViRobot : Trojan.Win32.S.Agent.20992.PD
=================================================

Whois Analysis :
=================================================
high-hollin.org
=================================================
Domain Name:HIGH-HOLLIN.ORG
Domain ID: D153034212-LROR
Creation Date: 2008-06-20T18:34:26Z
Updated Date: 2012-06-19T08:02:22Z
Registry Expiry Date: 2015-06-20T18:34:26Z
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Sponsoring Registrar IANA ID: 69
Domain Status: ok
Registrant ID:tuMZ59PcSs2k5l1K
Registrant Name:Douglas McCowen
Registrant Organization:None
Registrant Street: Riverside Barn
Registrant City:Winford- BRISTOL
Registrant State/Province:Avon
Registrant Postal Code:BS408HJ
Registrant Country:GB
Registrant Phone:+44.7985466869
Registrant Email:dhl_mccowen@hotmail.com
Admin ID:tuMZ59PcSs2k5l1K
Admin Name:Douglas McCowen
Admin Organization:None
Admin Street: Riverside Barn
Admin City:Winford- BRISTOL
Admin State/Province:Avon
Admin Postal Code:BS408HJ
Admin Country:GB
Admin Phone:+44.7985466869
Admin Email:dhl_mccowen@hotmail.com
Tech ID:tu9LIBi0nseyvCgJ
Tech Name:Pickaweb Limited Domains Dpt
Tech Organization:Pickaweb Limited
Tech Street: 7 Marlow Copse
Tech City:Chatham
Tech State/Province:Kent
Tech Postal Code:ME59DP
Tech Country:GB
Tech Phone:+44.8712180841
Tech Email:domains@pickaweb.co.uk
Name Server:NS7.UKHOSTSUPPORT.COM
Name Server:NS8.UKHOSTSUPPORT.COM
=================================================
explicacoesmagicmath.pt
=================================================
Domain Name: explicacoesmagicmath.pt
Creation Date (dd/mm/yyyy): 04/02/2013
Expiration Date (dd/mm/yyyy): 03/02/2015
Status: ACTIVE

Registrant

Francisco Cascao
Rua Francisco sa Miranda Lt 7
538
2975 538

Email: franciscocascao@iol.pt

Entidade Gestora / Billing Contact
EASYHOST - SERVIÇOS INTERNET, UNIPESSOAL LDA
Email: dns@easyhost.pt
RACKSPOT LDA
Email: helpdesk@rackspot.com
Nameserver: explicacoesmagicmath.pt NS a.ns.rackspot.com.
Nameserver: explicacoesmagicmath.pt NS b.ns.rackspot.com.
=================================================

Thursday, September 11, 2014

Rép : Swift Payment Confirmation.

Good day,

I tried calling you, but couldn't reach you, Please find attached swift copy of payment made today, And kindly get back to me with all necessary document for shipment.

7/09/14 14:12:20 LOcalOutAcks-2536-0883793

--------------------Instance Type Transission--------------------

Notification (Transmission) of Original sent to SWFT (ACK) Nerwork Delivcr Status Nerwork Ack

Priorty/Delivcry:

Normal

Swift Lnput:

FIN 103 Single Customer Credit Transfer

Sender:

CORUTZTZXXX
CRDB BANK LIMTTED
DAR ES SALAAMTZ

Receivr :

CITTUS32XXX
CITTBANK N.A
NEW YORK ,NY US

---------------------Message Text--------------------

20:Sender's Reference
986/25LUMUMBA
23B:Bank Operation CodcCRED
32A:Val Dte/Curr/Interbnk Settld Amt
Date:7 September 2014
Currency:USD (US DOLLAR)
50K:Ordering Customer- Name & Address

---------------------Message Text--------------------

{CHK:GDF65HET676F}
PKI Signature: MAC-Equivalcnt

---------------------Intervtions---------------------

Caiegory:Nerwork Report
Creation Time:7/09/14 14:12:20
Application:SWTFT Interface
Operato:Systern
Text{1:G2CORUTZTZAXXX4800211}{5189:1331566}{7761:0}{209267349056400}

Regards
Asjad Sayeed/Northern Tannery

Sent from my iPhone

< TT copy.7z >

Virus Analysis :

AVG Inject2.AUZR 20140911
Ad-Aware Gen:Variant.Zusy.105684 20140911
Avira TR/Betabot.A.178 20140911
Baidu-International Trojan.Win32.Neurevt.aJXs 20140911
BitDefender Gen:Variant.Zusy.105684 20140911
Cyren W32/Ransom.QLKF-8999 20140911
DrWeb Trojan.PWS.Stealer.13199 20140911
ESET-NOD32 a variant of Win32/Injector.BLNI 20140911
Emsisoft Gen:Variant.Zusy.105684 (B) 20140911
F-Secure Gen:Variant.Zusy.105684 20140911
Fortinet W32/Neurevt.API!tr 20140911
GData Gen:Variant.Zusy.105684 20140911
Ikarus Trojan.Crypt 20140911
K7AntiVirus Riskware ( 0040eff71 ) 20140910
K7GW Riskware ( 0040eff71 ) 20140910
Kaspersky Trojan.Win32.Neurevt.api 20140911
Kingsoft VIRUS_UNKNOWN 20140911
MicroWorld-eScan Gen:Variant.Zusy.105684 20140911
NANO-Antivirus Trojan.Win32.Stealer.derrjx 20140911
Panda Trj/CI.A 20140910
Sophos Troj/Inject-BCM 20140911
TrendMicro TROJ_GEN.R00JC0EIA14 20140911

Mail analysis :

NOTE : Received : from ebeautiquestore.com (203.175.170.39)


NOTE : Received : from User (unknown [69.26.211.159]) by ebeautiquestore.com

Monday, September 8, 2014

Rép : Copy of Shipping Document

Good day,

Attached is the draft copy of your shipping documents including the bill of lading. Kindly check and confirm if every thing is OK so we can proceed with the original documents.

Yanni SHO

Senior Customer Service Executive

Sales & Marketing Dept.

MAERSK SHIPPING LINE S.A.

Main Line: +86 6775 7800
Direct Line: +865 6799 1182
Main Fax: +65 6775 7079
www.***.com

« MAERSK SHIPPING LINE S.A.Sailing ahead with passion since 1978 - to know more… » !
© 2014 Microsoft Terms Privacy & cookies Developers English (United States)

< shipping document.7z >

shipping document.7z is a Virus :
==================================================
Ad-Aware Gen:Variant.Zusy.105684 20140908
BitDefender Gen:Variant.Zusy.105684 20140908
Emsisoft Gen:Variant.Zusy.105684 (B) 20140908
F-Secure Gen:Variant.Zusy.105684 20140907
GData Gen:Variant.Zusy.105684 20140908
==================================================

Email :
==================================================
NOTE : Received : from host.smartpoint.in (69.167.141.142)


NOTE : Received : from [69.26.211.159] (port=51168 helo=User)


NOTE : by host.smartpoint.in with esmtpa (Exim 4.82) (envelope-from < maersk.line@mail.ru >)


NOTE : X-Get-Message-Sender-Via : host.smartpoint.in:
NOTE : authenticated_id: importstut@ruthshipping.com
NOTE : Rép : Copy of Shipping Document
==================================================

Rép : Swift Payment Confirmation

Good day,

I tried calling you, but couldn't reach you, Please find attached swift copy of payment made today, And kindly get back to me with all necessary document for shipment.

7/09/14 14:12:20 LOcalOutAcks-2536-0883793

--------------------Instance Type Transission--------------------

Notification (Transmission) of Original sent to SWFT (ACK)
Nerwork Delivcr Status Nerwork Ack
Priorty/Delivcry : Normal
Swift Lnput : FIN 103 Single Customer Credit Transfer

Sender :

CORUTZTZXXX
CRDB BANK LIMTTED
DAR ES SALAAMTZ

Receivr :

CITTUS32XXX
CITTBANK N.A
NEW YORK ,NY US

---------------------Message Text--------------------

20: Sender's Reference 986/25LUMUMBA
23B: Bank Operation Codc CRED
32A: Val Dte/Curr/Interbnk Settld Amt
Date : 7 September 2014
Currency : USD (US DOLLAR)
50K: Ordering Customer- Name & Address

---------------------Message Text--------------------

{CHK:GDF65HET676F}
PKI Signature: MAC-Equivalcnt

---------------------Intervtions---------------------

Caiegory :Nerwork Report
Creation Time :7/09/14 14:12:20
Application :SWTFT Interface
Operato :Systern
Text {1:G2CORUTZTZAXXX4800211}{5189:1331566}{7761:0}{209267349056400}

Regards

Asjad Sayeed/Northern Tannery

Sent from my iPhone

< TTcopy.pdf.7z >

TTcopy.pdf.7z is a Virus :
==================================================
Ad-Aware Gen:Variant.Zusy.105684 20140908
BitDefender Gen:Variant.Zusy.105684 20140908
Emsisoft Gen:Variant.Zusy.105684 (B) 20140908
F-Secure Gen:Variant.Zusy.105684 20140907
GData Gen:Variant.Zusy.105684 20140908
MicroWorld-eScan Gen:Variant.Zusy.105684 20140908
Qihoo-360 Malware.QVM10.Gen 20140908
==================================================

Email :
==================================================
NOTE : Return-Path : < asjadsayeed_norther@yahoo.co.in >
NOTE : Received : from host.smartpoint.in (69.167.141.142)
NOTE : Received : from [69.26.211.159] (port=43568 helo=User) by host.smartpoint.in with esmtpa (Exim 4.82)
NOTE : X-Get-Message-Sender-Via : host.smartpoint.in: authenticated_id: importstut@ruthshipping.com
NOTE : Rép : Swift Payment Confirmation
==================================================

rutshipping.com WHOIS :
==================================================
Whois Record Not Available... This domain is not registered.
==================================================

smartpoint.in WHOIS :
==================================================
Domain ID:D4313329-AFIN
Domain Name:SMARTPOINT.IN
Created On:03-Jul-2010 06:30:55 UTC
Last Updated On:04-Jul-2011 04:21:17 UTC
Expiration Date:03-Jul-2016 06:30:55 UTC
Sponsoring Registrar:GoDaddy.com, LLC (R101-AFIN)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:CR51331545
Registrant Name:Domain Manager
Registrant Organization:SmartPoint Technologies Pvt Ltd
Registrant Street1:Type II/17, Dr. VSI Estate,
Registrant Street2:Thiruvanmiyur
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600041
Registrant Country:IN
Registrant Phone:+91.4442005353
Admin ID:CR51331549
Admin Name:Domain Manager
Admin Organization:SmartPoint Technologies Pvt Ltd
Admin Street1:Type II/17, Dr. VSI Estate,
Admin Street2:Thiruvanmiyur
Admin City:Chennai
Admin State/Province:Tamil Nadu
Admin Postal Code:600041
Admin Country:IN
Admin Phone:+91.4442005353
Tech ID:CR51331547
Tech Name:Domain Manager
Tech Organization:SmartPoint Technologies Pvt Ltd
Tech Street1:Type II/17, Dr. VSI Estate,
Tech Street2:Thiruvanmiyur
Tech State/Province:Tamil Nadu
Tech Postal Code:600041
Tech Country:IN
Tech Phone:+91.4442005353
Name Server:NS.LIQUIDWEB.COM
Name Server:NS1.LIQUIDWEB.COM
DNSSEC:Unsigned
==================================================

Saturday, September 6, 2014

Urgent Order P.O #64535 Signed

Good day,

One of our valuable customer introduced your company to us and we like to place a order with your company,
We need your product for a huge Government Contract supply.

Attached is our signed PURCHASE ORDER made from your list of your products that we want to order.

Kindly send us proforma invoice with payment method for urgent remitance

Your quick reply will be appreciated.

Hazan Malik
Dharma Trading Co.
Add: Box No. 64556, Dubai, Emirates - Manager
Direct Line: +01 917-864-8849
www.***.com

< PO 64535.7z >

AVG Inject2.AUJF 20140905
Ad-Aware Trojan.GenericKD.1843216 20140906
Baidu-International Trojan.Win32.Injector.bBLHL 20140905
BitDefender Trojan.GenericKD.1843216 20140906
ESET-NOD32 a variant of Win32/Injector.BLHL 20140905
Emsisoft Trojan.GenericKD.1843216 (B) 20140906
F-Secure Trojan.GenericKD.1843216 20140906
Fortinet W32/BLHL!tr 20140906
GData Trojan.GenericKD.1843216 20140906
MicroWorld-eScan Trojan.GenericKD.1843216 20140906

RE: Packing List and Invoice

Hi ,

We have loaded your the truck .

It will arrive on 09/09 before 17:00 but I probably will tomorrow confirm the time exactly.

Here is the packing list and invoice.

Kind regards,

Myriam
Logistics Department
< INVOICE.pdf.7z >

AVG Inject2.AUJF 20140905
Ad-Aware Trojan.GenericKD.1843216 20140906
Baidu-International Trojan.Win32.Injector.bBLHL 20140905
BitDefender Trojan.GenericKD.1843216 20140906
ESET-NOD32 a variant of Win32/Injector.BLHL 20140905
Emsisoft Trojan.GenericKD.1843216 (B) 20140906
F-Secure Trojan.GenericKD.1843216 20140906
Fortinet W32/BLHL!tr 20140906
GData Trojan.GenericKD.1843216 20140906
MicroWorld-eScan Trojan.GenericKD.1843216 20140906

NOTE : spbmarketing@samlling.com
NOTE : RE: Packing List and Invoice
NOTE : Received : from nov-007-i464.relay.mailchannels.net (HELO relay.mailchannels.net) (46.232.183.18)
NOTE : Received : from artwork.mysitehosted.com (ip-10-236-1-24.us-west-2.compute.internal [10.236.1.24]) by relay.mailchannels.net (Postfix)
NOTE : Received : from artwork.mysitehosted.com (artwork.mysitehosted.com [10.253.92.5])
NOTE : Received : from [69.26.211.159] (port=34868 helo=User) by artwork.mysitehosted.com with esmtpa (Exim 4.82) (envelope-from )
NOTE : X-Sender-Id : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Sender-Id : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Mc-Relay : Bad
NOTE : X-Mailchannels-Senderid : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Mailchannels-Auth-Id : arvixe
NOTE : X-Authuser : sales@almadadd.net
NOTE : RE: Packing List and Invoice

RE: New Shipment from China

Good day,

Attached is the draft copy of your shipping documents including the bill of lading. Kindly check and confirm if every thing is OK so we can proceed with the original documents.

Yanni SHO
Senior Customer Service Executive
Sales & Marketing Dept.

MAERSK SHIPPING LINE S.A.
Main Line: +86 6775 7800
Direct Line: +865 6799 1182
Main Fax: +65 6775 7079
www.***.com

« MAERSK SHIPPING LINE S.A.Sailing ahead with passion since 1978 - to know more… » !

< Shipping Doc.7z >

AVG Inject2.AUJF 20140905
Ad-Aware Trojan.GenericKD.1843216 20140906
Baidu-International Trojan.Win32.Injector.bBLHL 20140905
BitDefender Trojan.GenericKD.1843216 20140906
ESET-NOD32 a variant of Win32/Injector.BLHL 20140905
Emsisoft Trojan.GenericKD.1843216 (B) 20140906
F-Secure Trojan.GenericKD.1843216 20140906
Fortinet W32/BLHL!tr 20140906
GData Trojan.GenericKD.1843216 20140906
MicroWorld-eScan Trojan.GenericKD.1843216 20140906

NOTE : Return-Path : < maersk.line@mail.ru >
NOTE : Received : from nov-007-i623.relay.mailchannels.net (HELO relay.mailchannels.net) (46.232.183.177)
NOTE : Received : from artwork.mysitehosted.com (ip-10-213-14-133.us-west-2.compute.internal [10.213.14.133])
NOTE : Received : from artwork.mysitehosted.com (artwork.mysitehosted.com [10.253.92.5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:2500 (trex/5.2.13);
NOTE : Received : from [69.26.211.159] (port=37126 helo=User) by artwork.mysitehosted.com with esmtpa (Exim 4.82) (envelope-from )
NOTE : X-Sender-Id : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Sender-Id : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Mailchannels-Senderid : arvixe|x-authuser|sales@almadadd.net
NOTE : X-Mailchannels-Auth-Id : arvixe
NOTE : X-Authuser : sales@almadadd.net
NOTE : RE: New Shipment from China
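The header notes for the Maersk, Swift and "New Shipment" mails all show the same client, [69.26.211.159], handing the message to a different authenticated relay each time (host.smartpoint.in as importstut@ruthshipping.com, artwork.mysitehosted.com as sales@almadadd.net). The parser below is an added example, not the blog's own tooling: it pulls the Exim "with esmtpa" submission hop and the authenticated account out of each header set and groups messages by submitting IP. The header lines are copied from the messages above with whitespace normalised; the benign sample is constructed.

```python
import re
from collections import defaultdict

# Header lines quoted on this page (whitespace normalised) plus one constructed benign sample.
SAMPLES = {
    "Copy of Shipping Document": [
        "Received: from host.smartpoint.in (69.167.141.142)",
        "Received: from [69.26.211.159] (port=51168 helo=User) by host.smartpoint.in with esmtpa (Exim 4.82) (envelope-from <maersk.line@mail.ru>)",
        "X-Get-Message-Sender-Via: host.smartpoint.in: authenticated_id: importstut@ruthshipping.com",
    ],
    "Swift Payment Confirmation": [
        "Received: from host.smartpoint.in (69.167.141.142)",
        "Received: from [69.26.211.159] (port=43568 helo=User) by host.smartpoint.in with esmtpa (Exim 4.82)",
        "X-Get-Message-Sender-Via: host.smartpoint.in: authenticated_id: importstut@ruthshipping.com",
    ],
    "RE: New Shipment from China": [
        "Received: from nov-007-i623.relay.mailchannels.net (HELO relay.mailchannels.net) (46.232.183.177)",
        "Received: from [69.26.211.159] (port=37126 helo=User) by artwork.mysitehosted.com with esmtpa (Exim 4.82)",
        "X-Authuser: sales@almadadd.net",
    ],
    # Constructed: a server-to-server TLS hop (esmtps), no authenticated submission.
    "benign (constructed)": [
        "Received: from mail.example.net ([192.0.2.10]) by mx.example.org with esmtps (Exim 4.82)",
    ],
}

# Exim records an authenticated submission as "... by <relay> with esmtpa"
# (the trailing 'a' means authenticated); the client IP sits in square brackets.
SUBMISSION_RE = re.compile(
    r"^Received:\s*from\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\((?:port=\d+\s+)?helo=(?P<helo>[^)\s]+)\)"
    r"\s+by\s+(?P<relay>\S+)\s+with\s+esmtpa\b", re.I)
# cPanel/Exim and the MailChannels relay name the authenticated account in one of these headers.
AUTH_RE = re.compile(
    r"^(?:X-Get-Message-Sender-Via:.*?authenticated_id:|X-Authuser:)\s*(?P<user>\S+)", re.I)


def submission_hop(headers):
    """Return the authenticated hop as {'ip', 'helo', 'relay', 'auth_user'}, or None."""
    hop, auth_user = None, ""
    for line in headers:
        m = SUBMISSION_RE.match(line)
        if m and hop is None:          # keep the first authenticated hop found
            hop = m.groupdict()
        a = AUTH_RE.match(line)
        if a:
            auth_user = a.group("user")
    if hop is None:
        return None
    hop["auth_user"] = auth_user
    return hop


def correlate(samples):
    """Group messages by submitting client IP: ip -> sorted (relay, auth_user, subject)."""
    by_ip = defaultdict(list)
    for subject, headers in samples.items():
        hop = submission_hop(headers)
        if hop:
            by_ip[hop["ip"]].append((hop["relay"], hop["auth_user"], subject))
    return {ip: sorted(hits) for ip, hits in by_ip.items()}
```

Run over a mail archive, the same client IP reappearing behind several authenticated accounts on unrelated hosting is the pattern worth alerting on; the individual relays are compromised or abused accounts and change from campaign to campaign.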

Sunday, August 31, 2014

my new photo ;) (Virus)

my new photo ;)
if you like my photo to send me u photo

< photo.zip >

Virus Analysis :

AVG SHeur4.CBFB 20140830
AVware Trojan.Win32.Generic!BT 20140830
Ad-Aware Trojan.Agent.BEZQ 20140830
AntiVir TR/Dropper.VB.18514 20140830
Avast Win32:Trojan-gen 20140830
BitDefender Trojan.Agent.BEZQ 20140830
ByteHero Virus.Win32.Heur.p 20140830
Cyren W32/Trojan.OVUX-2230 20140830
DrWeb BackDoor.Tishop.122 20140830
ESET-NOD32 Win32/TrojanDownloader.Zurgop.BK 20140830
Emsisoft Trojan.Agent.BEZQ (B) 20140830
F-Secure Trojan.Agent.BEZQ 20140830
GData Trojan.Agent.BEZQ 20140830
Ikarus Trojan.Inject 20140830
Kaspersky Trojan.Win32.Inject.qtsd 20140830
Malwarebytes Spyware.Zbot.ED 20140830
McAfee Dropper-FLO!01BD3D688F14 20140830
McAfee-GW-Edition Dropper-FLO!01BD3D688F14 20140830
MicroWorld-eScan Trojan.Agent.BEZQ 20140830
Sophos Troj/VB-HOC 20140830
Symantec Trojan.Smoaler 20140830
VIPRE Trojan.Win32.Generic!BT 20140830

ASM DLL Analysis :

; Imports from SHELL32.DLL
imp_SHCreateShellItem:
00401000 F4 hlt ; XREF=0x4010ae
00401001 db 0x0e
00401002 db 0x91
00401003 db 0x73
00401004 0000 add byte [ds:eax], al
00401006 0000 add byte [ds:eax], al

; Imports from NETAPI32.DLL
imp_NetGetDCName:
00401008 dd 0xffffffff ; XREF=0x4010a8
0040100c 0000 add byte [ds:eax], al
0040100e 0000 add byte [ds:eax], al

; Imports from MSVBVM60.DLL
imp_ordinal_669:
00401010 dd 0x7294a1bb ; XREF=0x40109c
imp_ordinal_598:
00401014 dd 0x72a0e0f7 ; XREF=0x40108a
imp_ordinal_631:
00401018 dd 0x72a26fe2 ; XREF=0x401090
imp_ordinal_632:
0040101c dd 0x72a2702f ; XREF=0x401096
imp_EVENT_SINK_AddRef:
00401020 dd 0x72a09b74 ; XREF=0x4010c0
imp_DllFunctionCall:
00401024 dd 0x7294a0fd ; XREF=0x401060
imp_EVENT_SINK_Release:
00401028 dd 0x72a09b87 ; XREF=0x4010c6
imp_EVENT_SINK_QueryInterface:
0040102c dd 0x72a09a85 ; XREF=0x4010ba
imp___vbaExceptHandler:
00401030 dd 0x72a247df ; XREF=0x4010b4
imp_ordinal_717:
00401034 dd 0x72a28fe9 ; XREF=0x401066
imp_ProcCallEngine:
00401038 dd 0x72a3d05d ; XREF=0x4010cc
imp_ordinal_535:
0040103c dd 0x72a1c85d ; XREF=0x401084
imp_ordinal_644:
00401040 dd 0x72a1de99 ; XREF=0x401078
imp_ordinal_648:
00401044 dd 0x72a14275 ; XREF=0x401072
imp_ordinal_578:
00401048 dd 0x72a161f8 ; XREF=0x4010a2
imp_ordinal_100:
0040104c dd 0x729435a4 ; XREF=0x4010d2
imp_ordinal_616:
00401050 dd 0x72a26d9a ; XREF=0x40106c
imp_ordinal_544:
00401054 dd 0x72a11c93 ; XREF=0x40107e

Thursday, August 28, 2014

My new photo (Virus)

my new photo ;)
if you like my photo to send me u photo

< photo.zip >

AVware Win32.Malware!Drop 20140828
AntiVir TR/MSIL.Agent.NI 20140828
Baidu-International Trojan.MSIL.Injector.bEZZ 20140827
BitDefender Trojan.GenericKD.1826562 20140828
Commtouch W32/Trojan.PGMJ-3916 20140828
DrWeb BackDoor.Tishop.139 20140828
ESET-NOD32 a variant of MSIL/Injector.EZZ 20140828
Emsisoft Trojan.GenericKD.1826562 (B) 20140828
F-Prot W32/Trojan3.KJF 20140828
F-Secure Trojan.MSIL.Agent.NI 20140828
GData Trojan.MSIL.Agent.NI 20140828
Ikarus Trojan-Spy.Zbot 20140828
McAfee Artemis!73783D167D05 20140828
MicroWorld-eScan Trojan.GenericKD.1826562 20140828
Sophos Troj/dnSauce-M 20140828
Symantec Trojan.Smoaler 20140828
TrendMicro TROJ_INJECTO.AA 20140828
TrendMicro-HouseCall TROJ_GE.6E542506 20140828
VIPRE Win32.Malware!Drop 20140828

NOTE : Yulia
NOTE : alsop78@listerecert.in
NOTE : humidifiedq@listerecert.in
NOTE : Received : from unknown (HELO listerecert.in) (64.140.98.14)
NOTE : Received : from unknown (HELO listerecert.in) (120.136.5.116)
NOTE : Received : from [66.73.197.2] (helo=uewtiiljvq.esomvvemzdgo.su)
NOTE : Received : from [20.194.69.113] (helo=twswvwxdpj.xnpcesdflz.net
NOTE : X-Mailer : The Bat! (v3.0.0.15) Home

listerecert.in WHOIS:
================================================
Domain ID:D8695094-AFIN
Domain Name:LISTERECERT.IN
Created On:26-Aug-2014 22:02:58 UTC
Last Updated On:26-Aug-2014 22:03:00 UTC
Expiration Date:26-Aug-2015 22:02:58 UTC
Sponsoring Registrar:Name.com LLC (R65-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:nec08lt7d6gysc7a
Registrant Name:Customer Service
Registrant Organization:
Registrant Street1:Al Arjan, Alrjan building, Messanine
Registrant Street2:4th Floor
Registrant Street3:
Registrant City:Adu Dhabi
Registrant State/Province:Adu Dhabi
Registrant Postal Code:0000
Registrant Country:AE
Registrant Phone:+971.7786547783
Registrant Email:chellebolster@hotmail.com
Admin ID:nec08lt7d6gysc7a
Admin Name:Customer Service
Admin Street1:Al Arjan, Alrjan building, Messanine
Admin Street2:4th Floor
Admin City:Adu Dhabi
Admin State/Province:Adu Dhabi
Admin Postal Code:0000
Admin Country:AE
Admin Phone:+971.7786547783
Admin Email:chellebolster@hotmail.com
Tech ID:nec08lt7d6gysc7a
Tech Name:Customer Service
Tech Organization:
Tech Street1:Al Arjan, Alrjan building, Messanine
Tech Street2:4th Floor
Tech City:Adu Dhabi
Tech State/Province:Adu Dhabi
Tech Postal Code:0000
Tech Country:AE
Tech Phone:+971.7786547783
Tech Email:chellebolster@hotmail.com
Name Server:NS4HMP.NAME.COM
Name Server:NS1HWY.NAME.COM
Name Server:NS3CFP.NAME.COM
Name Server:NS2FJZ.NAME.COM
DNSSEC:Unsigned
================================================

Tuesday, August 19, 2014

Phishing Apple

Dear Customer,

We acknowledge receipt of your order placed on our Apple site and thank you for it. Your order is being prepared; you will receive an e-mail confirming the shipment of your parcel. You will find information about your order and the product you ordered below.

ORDER NUMBER: U6100484802

Order information

Order date: 08-08-2014 08:18:11 CEST France
Delivery: Express shipping

Apple - Macbook - 13" laptop (MD760F/A) 1 @ EUR 1366,30 each

Technical description:

- Intel Core i5 (4th generation) 1.3 GHz.
- LED backlighting.
- Integrated memory controller, Intel Turbo Boost 2.0 technology.
- Intel HD Graphics 5000 graphics processor.
- Stereo speakers, two microphones.
- Lithium-polymer battery.
- Built-in webcam.
- Maximum supported RAM 8 GB.
- Apple OS X 10.9 Mavericks operating system.

SUPPORT AND CUSTOMER SERVICE - http://www.apple.com Customer service. In the event of a problem concerning your product, billing or your order, please contact our technical support service at the following address http://www.apple.com. DOWNLOAD YOUR INVOICE - you have 7 days to download it before the link expires.

Download your invoice for order U6100484802 of 07 August 2014

Please note that the number of available options may vary depending on the payment method chosen and the current status of your order.

Total: EUR 1310.40
Shipping: EUR 55.90
Total of Order: EUR 1366,30
Copyright © 2014 Apple Inc. All rights reserved.

NOTE : contact@apple.com [mailto:contact@apple.com]
NOTE : Accusé de réception de votre commande chez apple.com
NOTE : CLICKED Votre facture concernant votre commande U6100484802 du 07 Aout 2014
NOTE : http://www.factureapple.com/Invoice_U6100484802_Apple.pdf.zip
NOTE : WE HAVE A TROJAN...

Invoice_U6100484802_Apple.pdf.zip DETAIL :
=====================================================
AVG : 71720563AA : 20140819
AVware : Trojan.Zip.Bredozp.b(v) : 20140819
Agnitum : Trojan.DL.Agent!5iZWy0viGN4 : 20140818
AntiVir : HIDDENEXT/Worm.Gen : 20140819
Antiy-AVL : Trojan/Win32.TSGeneric : 20140819
Avast : Win32:Malware-gen : 20140819
ClamAV : Suspect.DoubleExtension-zippwd-15 : 20140819
Comodo : Heur.Dual.Extensions : 20140819
F-Prot : W32/Heuristic-300!Eldorado : 20140819
GData : Archive.Malware.FakeExt.N@susp : 20140819
Jiangmin : Heur:TrojanDropper.WinRar : 20140815
K7AntiVirus : Trojan(7000000c1) : 20140818
K7GW : Trojan(7000000c1) : 20140818
Kaspersky : HEUR:Worm.Script.Generic : 20140819
TrendMicro : HEUR_NAMETRICK.A : 20140819
VIPRE : Trojan.Zip.Bredozp.b (v) : 20140819
=====================================================
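Several of the engines above flag the attachment by its name rather than its content (Suspect.DoubleExtension, Heur.Dual.Extensions, Archive.Malware.FakeExt, HEUR_NAMETRICK): an archive whose member looks like a document but carries an executable suffix. Below is that check as an added example, not the blog's tooling: it walks a zip and reports members whose name ends in a document extension followed by an executable one. The archive is constructed in memory with member names modelled on this page's attachments; bodies are empty placeholders, and the page does not state what the real Invoice zip contained.

```python
import io
import zipfile

# What the user is meant to see, and what the OS will actually run.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "jpg", "png", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "jar"}


def name_risk(member_name):
    """Classify a member name; returns a reason string or None if it looks harmless."""
    base = member_name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return f"double extension: shown as .{parts[-2]}, executes as .{last}"
    return f"executable member: .{last}"


def scan_zip(data):
    """Return {member_name: reason} for every suspicious member of a zip blob."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = name_risk(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample():
    """Constructed archive: names modelled on this page's attachments, bodies empty."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_U6100484802_Apple.pdf.exe", b"")  # document name, executable suffix
        zf.writestr("photo.jpg.scr", b"")                      # same trick with a screensaver suffix
        zf.writestr("docs/shipping document.pdf", b"")         # genuine document name: not flagged
        zf.writestr("readme.txt", b"")
    return buf.getvalue()
```

Password-protected archives (the "zippwd" in ClamAV's name) defeat content scanning but not this check, since member names in a zip are stored in the clear.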

factureapple.com HEADER :
=====================================================
Http-Version: 1.1
Status-Code: 200
Status: 200 OK
Date: Thu, 13 Feb 2014 21:19:10 GMT
Server: Apache mod_fcgid/2.3.10-dev
X-Powered-By: PHP/5.4.23
X-Pingback: http://www.factureapple.com/xmlrpc.php
Content-Length: 5439
Content-Type: text/html; charset=UTF-8
=====================================================

factureapple.com DNS :
=====================================================
factureapple.com A 591 IP: 192.186.227.129
factureapple.com NS 3599 Target: pdns04.domaincontrol.com
factureapple.com NS 3599 Target: pdns03.domaincontrol.com
factureapple.com SOA 3599 MNAME: pdns03.domaincontrol.com RNAME: dns.jomax.net Serial: 2014020900 Refresh: 28800 Retry: 7200 Expire: 604800
factureapple.com MX 3599 Target: smtp.secureserver.net
factureapple.com MX 3599 Priority: 10 Target: mailstore1.secureserver.net
=====================================================