“Your order # 139290 has been declined” Virus Email

Very similar to the spam run I’ve seen over the last couple of days.

Headers; this time the mail was sent via Heart Internet (the previous run was almost all from HostGator):

Received: from mailscan2.extendcp.co.uk (176.32.230.36) by
 AM1FFO11FD015.mail.protection.outlook.com (10.174.64.93) with Microsoft SMTP
 Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 17:07:04
 +0000
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=mailscan1.hi.local)
	by mailscan-s99.hi.local with esmtp (Exim 4.80.1)
	(envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
	id 1ZHxU0-0005Zr-91
	for REDACTED@REDACTED; Wed, 22 Jul 2015 18:07:04 +0100
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=web168.extendcp.co.uk)
	by mailscan1.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.80.1)
	(envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
	id 1ZHxTl-0004e2-Qz
	for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:53 +0100
Received: from swissknifeshop.co.uk by web168.extendcp.co.uk with local (Exim 4.80.1)
	(envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
	id 1ZHxTl-0000jl-Dn
	for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:49 +0100
To: <REDACTED@REDACTED>
Subject: Your order # 139290 has been declined
From: Bert Massey <Bert.Massey@tomra.com>
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="_ab3df924-62fe-4888-8237-6b2183086e05_"
Message-ID: <E1ZHxTl-0000jl-Dn@web168.extendcp.co.uk>
Date: Wed, 22 Jul 2015 18:06:49 +0100
X-Authenticated-As: swissknifeshop.co.uk@web168.extendcp.co.uk
Return-Path: swissknifeshop.co.uk@web168.extendcp.co.uk
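The header block above is the kind of thing worth parsing automatically rather than reading by eye: walk the Received chain bottom-up to find the originating host, measure how fast the mail moved, and compare the displayed From: domain with the identity the relay actually authenticated. The script below is an added example, not part of the original post; it embeds the headers quoted above as a constructed sample (recipient redacted, tab folding replaced by spaces) and uses only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header block quoted in the post, recipient redacted,
# with the original tab indentation on folded lines replaced by spaces.
RAW_HEADERS = """\
Received: from mailscan2.extendcp.co.uk (176.32.230.36) by
 AM1FFO11FD015.mail.protection.outlook.com (10.174.64.93) with Microsoft SMTP
 Server (TLS) id 15.1.213.8 via Frontend Transport; Wed, 22 Jul 2015 17:07:04
 +0000
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=mailscan1.hi.local)
    by mailscan-s99.hi.local with esmtp (Exim 4.80.1)
    (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
    id 1ZHxU0-0005Zr-91
    for REDACTED@REDACTED; Wed, 22 Jul 2015 18:07:04 +0100
Received: from mailscanlb0.hi.local ([10.0.44.160] helo=web168.extendcp.co.uk)
    by mailscan1.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.80.1)
    (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
    id 1ZHxTl-0004e2-Qz
    for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:53 +0100
Received: from swissknifeshop.co.uk by web168.extendcp.co.uk with local (Exim 4.80.1)
    (envelope-from <swissknifeshop.co.uk@web168.extendcp.co.uk>)
    id 1ZHxTl-0000jl-Dn
    for REDACTED@REDACTED; Wed, 22 Jul 2015 18:06:49 +0100
To: <REDACTED@REDACTED>
Subject: Your order # 139290 has been declined
From: Bert Massey <Bert.Massey@tomra.com>
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_ab3df924-62fe-4888-8237-6b2183086e05_"
Message-ID: <E1ZHxTl-0000jl-Dn@web168.extendcp.co.uk>
Date: Wed, 22 Jul 2015 18:06:49 +0100
X-Authenticated-As: swissknifeshop.co.uk@web168.extendcp.co.uk
Return-Path: swissknifeshop.co.uk@web168.extendcp.co.uk
"""


def parse_received(msg):
    """Return the Received hops top-down (delivering host first) as dicts."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        stamp = flat.rsplit(";", 1)[-1].strip()  # timestamp follows the last ';'
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "date": parsedate_to_datetime(stamp),
        })
    return hops


def domain_of(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_mismatch(msg):
    """Compare the displayed From: domain with the identity the relay authenticated."""
    from_domain = domain_of(msg.get("From", ""))
    auth_domain = domain_of(msg.get("X-Authenticated-As") or msg.get("Return-Path", ""))
    mismatch = bool(
        from_domain and auth_domain
        and from_domain != auth_domain
        and not auth_domain.endswith("." + from_domain)
    )
    return {"from": from_domain, "authenticated": auth_domain, "mismatch": mismatch}


def analyse_headers(raw):
    """Summarise origin, path and sender consistency for one raw header block."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    origin, delivery = hops[-1], hops[0]  # the last Received line was added first
    return {
        "origin_host": origin["from"],
        "first_relay": origin["by"],
        "delivered_by": delivery["by"],
        "hop_count": len(hops),
        "transit_seconds": int((delivery["date"] - origin["date"]).total_seconds()),
        "sender": sender_mismatch(msg),
    }


if __name__ == "__main__":
    for key, val in analyse_headers(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

Run against the sample, the origin resolves to the local account swissknifeshop.co.uk on web168.extendcp.co.uk (a shared-hosting account submitting mail locally rather than an external SMTP client), the mail reaches Office 365 in about 15 seconds, and the From: domain tomra.com does not match the authenticated sender at all, which is the single most useful signal for a gateway rule on runs like this.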

This time the e-mail premise and content have changed to:

From: Bert Massey <Bert.Massey@tomra.com>
Subject: Your order # 139290 has been declined
Attachment: Your order # 139290 has been declined.zip

Dear customer

Your order # 139290 has been declined

Please see attachment for details.

Kind regards,
Bert Massey

and

From: Stevie Santos <StevieSantos@intertek.com>
Subject: Your order # 328503 has been despatched

Dear customer

Your order # 328503 has been despatched

Please see attachment for details.

Sincerely,
Stevie Santos

and

From: Landon Hutchinson <LandonHutchinson@jigsaw24.com>
Subject: Payment Confirmation #291147

Dear Sirs,

Many thanks for your card payment. Please find payment confirmation attached below.

Should you have any queries, please do not hesitate to contact Landon Hutchinson.

Kind regards,

Credit Control Team

Landon Hutchinson

Contained within the “Your order # 139290 has been declined.zip” attachment was a JavaScript file, “Your order # 139290 has been declined.js”.

SHA256 885a9a569294f9a0b1440e3ceafaf52f3cc2d8fdd0521619a49df1557e707b19
and
SHA256 b3fdc27826bbb68b8b3738511f9b1b3b88297f0803508f29cf7b465fbc32f963
SHA256 11f634de051b4828202c621185ffde5e3e481c494056008bdbbe80a188f162e3
SHA256 c7764e3644c4c831ba1b24bffc309d66f1d78c18258d42008aee7938f388514f
SHA256 917a996256ae6b2523c073e78aec1a91919f3b53fc92f3fd531dc474e07f76a7
SHA256 5b2baba3f56b43176ff199c101c023093416e5804427f0e7141cb6de2182236c

See the other article for what the attachment is likely to do: drop CryptoWall, encrypt files and demand a ransom.
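A mail gateway or a quick triage script should never need the hash list to block this run: a zip whose only member is a .js file is reason enough, with the hashes above as a second, exact-match signal. The code below is an added example, not part of the original post; it carries the six SHA256 values listed above, an assumed block list of script and executable extensions, and constructs its own inert stand-in attachment (same member name as the real one, placeholder body) so it runs offline without the actual sample.

```python
import hashlib
import io
import os
import zipfile

# SHA256 values listed in the post for this spam run.
KNOWN_BAD_SHA256 = {
    "885a9a569294f9a0b1440e3ceafaf52f3cc2d8fdd0521619a49df1557e707b19",
    "b3fdc27826bbb68b8b3738511f9b1b3b88297f0803508f29cf7b465fbc32f963",
    "11f634de051b4828202c621185ffde5e3e481c494056008bdbbe80a188f162e3",
    "c7764e3644c4c831ba1b24bffc309d66f1d78c18258d42008aee7938f388514f",
    "917a996256ae6b2523c073e78aec1a91919f3b53fc92f3fd531dc474e07f76a7",
    "5b2baba3f56b43176ff199c101c023093416e5804427f0e7141cb6de2182236c",
}

# Assumed gateway policy: script and executable types that have no business
# arriving inside a zipped "order" or "invoice" attachment.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                      ".cmd", ".bat", ".ps1", ".scr", ".exe", ".pif", ".com"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes, max_members=100):
    """Inspect each member of an inbound zip and record why it is suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:  # cap work on oversized archives
            if info.is_dir():
                continue
            data = zf.read(info)
            digest = sha256_hex(data)
            ext = os.path.splitext(info.filename)[1].lower()
            reasons = []
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked type {ext}")
            if digest in KNOWN_BAD_SHA256:
                reasons.append("sha256 matches a known sample")
            findings.append({"name": info.filename, "size": info.file_size,
                             "sha256": digest, "reasons": reasons})
    return findings


def verdict(findings):
    """'block' if any member raised a reason, otherwise 'allow'."""
    return "block" if any(f["reasons"] for f in findings) else "allow"


def build_zip(members):
    """Build an in-memory zip from {name: text}; used to construct test attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed stand-in for the post's attachment: same member name, inert body.
    This is NOT the real sample, so its hash will not match the list above."""
    return build_zip({"Your order # 139290 has been declined.js":
                      "// placeholder body, not the real downloader\n"})


if __name__ == "__main__":
    findings = triage_zip(build_sample_attachment())
    for f in findings:
        print(f["name"], f["sha256"][:16], f["reasons"])
    print("verdict:", verdict(findings))
```

The extension check fires on the constructed stand-in even though its hash is unknown, which is the point: hash lists lag each new build of the downloader, while the "zip containing a lone script" shape is stable across the runs described in this post and the previous one.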

The second batch of spam traced back to HostGator as its source:

http://www.eurobolico.com/wp-admin/network/network.php
http://personaltrainerchiswick.com/wp-admin/css/css.php
http://cioj.org/wp-includes/js/js.php
http://barriemobi.com/wp-content/plugins/plugins.php
