Worst Virus Attempt Ever

So at work, I receive a copy of all mail sent to the address that we send mail to our users from, meaning that hundreds of thousands of people have this address sitting in their inbox. As such, I receive lots of virus attempts. The Hallmark fake was a big one, probably because it looked so authentic. It even had me fooled looking at the headers, since it spoofs “hallmark.com” as its outgoing HELO string. (The IP, though, was a residential ISP customer. SPF might catch it, although Hallmark’s SPF record is set to “softfail” mail not from one of their IPs.)
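The HELO/SPF point above, as an added example that is not part of the original post: a minimal offline SPF evaluator that shows why a spoofed HELO string does not help the sender (the record consulted is the one for the domain the client claimed, but it is applied to the IP the client actually connected from) and why a record ending in “~all” still lets the message through. The records, IP addresses, domain name and the receiver policy are constructed for the example (documentation address ranges; not Hallmark’s real record, which the post does not reproduce), and DNS-dependent mechanisms (a, mx, include, exists, ptr, redirect=) are deliberately not resolved.

```python
import ipaddress

# Constructed SPF records for the example (documentation address ranges, not
# Hallmark's real record, which the post does not reproduce). The first ends
# in "~all" like the record the post describes; the second in "-all".
SOFTFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
HARDFAIL_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP that connected to the MTA.

    Handles ip4/ip6 mechanisms and 'all' with all four qualifiers. Mechanisms
    that need DNS lookups (a, mx, include, exists, ptr) and the redirect=
    modifier are not resolved here, so they never match; that is a
    simplification of RFC 7208 made to keep the example offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        # Anything else would need DNS; treated as non-matching (assumption).
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' term


def check_helo(helo_domain: str, client_ip: str, records: dict) -> str:
    """SPF 'HELO' identity check: look up the record for the domain the client
    *claimed* in HELO, but apply it to the IP the client *actually* connected
    from. That is why a spoofed HELO string gains the spammer nothing.
    `records` stands in for DNS (constructed)."""
    record = records.get(helo_domain.lower())
    if record is None:
        return "none"
    return evaluate_spf(record, client_ip)


def receiver_action(result: str) -> str:
    """One common receiver policy (an assumption, not a standard): reject on
    fail, deliver but tag on softfail, deliver otherwise."""
    return {"fail": "reject", "softfail": "deliver-tagged"}.get(result, "deliver")


if __name__ == "__main__":
    dns = {"helo-spoof.example": SOFTFAIL_RECORD}  # constructed stand-in for DNS
    # Mail claiming helo-spoof.example in HELO, once from a "residential" IP
    # outside the record and once from the authorised netblock.
    for ip in ("198.51.100.77", "192.0.2.10"):
        result = check_helo("helo-spoof.example", ip, dns)
        print(ip, result, receiver_action(result))
```

With the “~all” record the residential IP only earns a softfail, which the receiver policy above delivers (tagged); swap in the “-all” record and the same IP gets a hard fail and a reject.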

But today, I received an e-mail from a random stranger with this subject line: ^Hi,friend^ download this stuff>>>>>>>>>>>>.  It just contains a link to a website, so, content that it wasn’t a unique URL (e.g., http://spammer.com/confirm_email.php?email_address=helen@n1zyy.com), I clicked through. It was made up to look like a file sharing site, except that it used JavaScript to push a file called SURPRISE.EXE to the user. There was no secret about this, really; the page indicated that you were downloading it. But it didn’t even push it out to you right away; you had to wait for the timer to count down before it prompted you to download it.

I’m really curious if anyone has been infected with this virus. You have to open the shadiest e-mail ever, click a link, wait to download SURPRISE.EXE, and then manually run it. But perhaps I give users too much credit.

Oh, bonus points: the site is its own domain name (registered by someone in the Virgin Islands), and hosted in Africa. Internet access to Africa is quite scarce, so I tend to think the server would get knocked offline if more than a handful of people tried to download it at once anyway.

One thought on “Worst Virus Attempt Ever”

  1. The site also includes an iframe from lastcountbest.com, which just consists of a single unescape() line, running some sort of obfuscated code. Trace that domain back and the kind people at antivirus-xp-pro-2009!com are involved. Trace that domain’s nameservers back and suddenly you’re in Russia, though most of the information in the whois records is fake. (Which, BTW, is cause to have the domains suspended.)
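The single-line unescape() iframe the commenter describes, as an added example that is not part of the comment or the post: a static decoder that pulls the string literal out of each unescape("...") call in a script and decodes it the way a browser’s legacy unescape() would (%XX as the code point XX and %uXXXX as the code point XXXX; urllib.parse.unquote handles neither correctly, since it has no %u form and decodes %XX bytes as UTF-8), peels nested layers, and reports what the hidden content contains, all without executing any of it. The two scripts it runs on are constructed stand-ins, not the lastcountbest.com code, which the page does not reproduce.

```python
import re

# Constructed samples (stand-ins; the real lastcountbest.com iframe content
# is not on the page). The first hides a 1x1 iframe; the second wraps a
# second unescape() layer inside the first.
IFRAME_SCRIPT = (
    'document.write(unescape("%u003C%69%66%72%61%6D%65%20%73%72%63%3D%68%74'
    '%74%70%3A%2F%2F%78%2E%69%6E%76%61%6C%69%64%2F%20%77%69%64%74%68%3D%31'
    '%20%68%65%69%67%68%74%3D%31%u003E"));'
)
NESTED_SCRIPT = 'eval(unescape("%75%6E%65%73%63%61%70%65%28%22%25%33%43%22%29"));'

_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.DOTALL)
_URL = re.compile(r"""https?://[^\s"'<>]+""")
# (label, needle-in-lowercased-decoded-text) pairs worth flagging in triage
INDICATORS = (
    ("iframe", "<iframe"),
    ("script tag", "<script"),
    ("eval", "eval("),
    ("document.write", "document.write("),
    ("nested unescape", "unescape("),
)


def js_unescape(text: str) -> str:
    """Mimic JavaScript's legacy unescape(): %XX -> code point XX,
    %uXXXX -> code point XXXX, anything malformed is left untouched.
    Single pass, so a decoded '%' is not re-decoded (same as the browser)."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def unescape_arguments(script: str) -> list:
    """Decode the string literal passed to each unescape('...') call."""
    return [js_unescape(m.group(2)) for m in _CALL.finditer(script)]


def peel(script: str, depth: int = 0, max_depth: int = 5) -> list:
    """Statically peel nested unescape() wrappers, outermost first."""
    layers = []
    for decoded in unescape_arguments(script):
        layers.append(decoded)
        if depth < max_depth and "unescape(" in decoded:
            layers.extend(peel(decoded, depth + 1, max_depth))
    return layers


def analyze(script: str) -> dict:
    """Decode every layer and report indicators and URLs found in the result."""
    layers = peel(script)
    joined = "\n".join(layers)
    lowered = joined.lower()
    return {
        "decoded": layers,
        "indicators": [name for name, needle in INDICATORS if needle in lowered],
        "urls": _URL.findall(joined),
    }


if __name__ == "__main__":
    for sample in (IFRAME_SCRIPT, NESTED_SCRIPT):
        report = analyze(sample)
        print(report["decoded"], report["indicators"], report["urls"])
```

The decoder never evaluates the script, so it is safe to run on a captured page; what it cannot do is follow obfuscation that builds the string at runtime (String.fromCharCode loops, arithmetic on char codes), which still needs a sandboxed JavaScript engine.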
