Malware Spam February 2013
1. MALWARE SPAM – FEBRUARY 2013

Month: Feb-13
Total # received: 32
Type - Viagra: 0; Type - Job: 0; Type - Green Card: 0; Type - Banking: 1; Type - LinkedIn: 0; Type - Background Check: 0; Type - Other: 31
Malicious link: 32
Malicious attachment: 0 (attachment type .ZIP: -; .DOC: -; .PDF: -)
Malformed email header: 31
Sent from compromised known contact: 1
Contains my email address in "TO" field: 4
• Malicious SPAM is defined by me as any unsolicited email that contains a potential information security risk. This does not include the usual marketing newsletter emails, only those with which there is no prior affiliation and that make it into my mailbox.
2. FEBRUARY 2013 – DETAILS – PAGE 1

Columns for each entry: date; type; malicious link (with link shortener, link masking, link host and link risks); malicious attachment (and attachment type); malformed email header; sent from compromised known contact; listed email host; real email host; domain proxy service; registration information; country hosting domain (IP); contains my email address in "TO" field.

1. 2/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: No; link host: beautifulwindowselgin.com. Malicious attachment: No. Malformed email header: Yes. Sent from compromised known contact: Yes. Listed email host: y7mail.com (web164906.mail.bf1.yahoo.com); real email host: 24.99.8.124 (comcast.net). Domain proxy service: 24.99.8.124 - Unknown; yahoo.com - Yes (98.139.245.181) (cscprotectsbrands.com); beautifulwindowselgin.com - Yes (1and1-private-registration.com). Registration: 24.99.8.124 - Unknown; yahoo.com - Yahoo! Inc., 701 First Avenue, Sunnyvale CA 94089 US. Country: 24.99.8.124 - USA (by comcast.net); yahoo.com - USA (by yahoo.com); beautifulwindowselgin.com - USA (by 1and1.com, perfora.net). My address in "TO" field: Yes.

2. 7/02/2013 - No subject (blank, just a link). Malicious link: Yes; masking: Yes - basic; link host: amazonaws.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 79.163.19.197 (centertel.pl). Domain proxy service: 79.163.19.197 (centertel.pl). Registration: 79.163.19.197 (centertel.pl) - Poland. Country: 79.163.19.197 - Poland (by centertel.pl); yahoo.com - USA (by yahoo.com). My address in "TO" field: No (yahoo.com listed as recipient).

3. 7/02/2013 - No subject (blank, just a link). Malicious link: Yes; masking: Yes - basic; link host: amazonaws.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 183.83.50.39. Domain proxy service: 183.83.50.39 - Yes (no Whois record). Registration: 183.83.50.39 - Unknown. Country: 183.83.50.39 - India (by beamtele.com). My address in "TO" field: No (tftinteriors.com listed as recipient).

4. 10/02/2013 - Ecard. Malicious link: Yes; shortener: Yes - bit.ly; masking: Yes - shortener and a redirect to 0x36.0353.0161.190 (resolves to 54.235.113.190, amazonaws.com); link host: allsolar.net redirects to 0x36.0353.0161.190 (54.235.113.190, amazonaws.com). Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 178.221.43.87. Domain proxy service: 178.221.43.87 - Yes (no Whois record). Registration: 178.221.43.87 - Unknown; allsolar.net - (IP 64.95.64.218), BuyDomains.com. Country: 178.221.43.87 - Serbia (by telekom.rs); allsolar.net - USA (by smartname.com). My address in "TO" field: No (aol.com listed as recipient).

5. 13/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: No; link host: ingenium-gree.ru; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 188.190.125.50. Domain proxy service: 188.190.125.50 - Yes (no Whois record); ingenium-gree.ru - Unknown, as Whois record updated on 28/02/2013. Registration: 188.190.125.50 - Unknown; ingenium-gree.ru - Unknown (possibly "OOO Climatrade" via naunet.ru). Country: 188.190.125.50 - Ukraine (by infiumhost.com); ingenium-gree.ru - Unknown. My address in "TO" field: No (no recipients listed).

6. 13/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: Yes - basic; link host: amazonaws.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 41.137.74.188. Domain proxy service: 41.137.74.188 - Yes (no Whois record). Registration: 41.137.74.188 - Unknown. Country: 41.137.74.188 - this prefix is used for mobile 3G Internet users in the northern region of Morocco (via marocconnect.com). My address in "TO" field: No (yahoo.com listed as recipient).

7. 13/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: No; link host: 21pages.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 188.190.127.65. Domain proxy service: 188.190.127.65 - Yes (no Whois record). Registration: 188.190.127.65 - Unknown (data centre infiumhost.com?); 21pages.com - jiwei information technology co.,ltd (21widnows.com) via China Telecom. Country: 188.190.127.65 - Ukraine (via infiumhost.com); 21pages.com - China (via www.bizcn.com). My address in "TO" field: No.

8. 13/02/2013 - Random poem. Malicious link: Yes; shortener: No; masking: No; link host: technord-gree.ru. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 193.105.154.31. Domain proxy service: 193.105.154.31 - Yes (no Whois record); technord-gree.ru - Unknown, as Whois record updated on 28/02/2013. Registration: 193.105.154.31 - Unknown (no Whois record); technord-gree.ru - Unknown (possibly "OOO Climatrade" via naunet.ru). Country: 193.105.154.31 - Latvia (via city-line.eu); technord-gree.ru - Unknown. My address in "TO" field: No.
3. FEBRUARY 2013 – DETAILS – PAGE 2

(Same columns as page 1.)

9. 13/02/2013 - Film Festival. Malicious link: Yes; shortener: No; masking: No; link host: gree73.ru. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 176.99.4.139. Domain proxy service: 176.99.4.139 - Yes (no Whois record); gree73.ru - Unknown, as Whois record updated on 28/02/2013. Registration: 176.99.4.139 - Unknown (no Whois record); gree73.ru - Unknown (possibly "OOO Climatrade" via naunet.ru). Country: 176.99.4.139 - Russia (via globatel.ru); gree73.ru - Unknown. My address in "TO" field: No.

10. 14/02/2013 - Russian bride. Malicious link: No (shortener, masking and link host: -). Malformed email header: Yes. Listed email host: richardhaughton.com; real email host: 200.76.23.158. Domain proxy service: 200.76.23.158 - Yes (no Whois record). Registration: 200.76.23.158 - Unknown. Country: 200.76.23.158 - Mexico (via ALESTRA.NET.MX). My address in "TO" field: Yes.

11. 14/02/2013 - Banking. Malicious link: Yes; shortener: No; masking: No; link host: gree16.ru; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 193.106.31.178. Domain proxy service: 193.106.31.178 - Yes (no Whois record); gree16.ru - Unknown, as Whois record updated on 28/02/2013. Registration: 193.106.31.178 - Unknown; gree16.ru - Unknown (possibly "OOO Climatrade" via naunet.ru). Country: 193.106.31.178 - Ukraine (via citonline.com.ua); gree16.ru - Unknown. My address in "TO" field: No.

12. 14/02/2013 - Happy New Year ???. Malicious link: Yes; shortener: No; masking: No; link host: sanqin55.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: bellsouth.net (via yahoo.com); real email host: 91.210.102.108. Domain proxy service: 91.210.102.108 - Yes (no Whois record); sanqin55.com - No. Registration: 91.210.102.108 - Unknown (via net-art.cz); sanqin55.com - XIN NET TECHNOLOGY CORPORATION. Country: 91.210.102.108 - UK? (via uanetworking.com); sanqin55.com - China (via xinnet.com). My address in "TO" field: No.

13. 14/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: No; link host: web.986x.com. Malicious attachment: No. Malformed email header: No. Compromised known contact: No. Listed email host: gmx.at; real email host: 193.0.146.114. Domain proxy service: 193.0.146.114 - Yes (no Whois record); web.986x.com - (blank). Registration: 193.0.146.114 - Unknown (no Whois record); web.986x.com - (blank). Country: 193.0.146.114 - Russia (via freestyleisp.net); web.986x.com - (blank). My address in "TO" field: No.

14. 15/02/2013 - No subject (blank, just a link). Malicious link: Yes; shortener: No; masking: No; link host: lenbon.net; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malformed email header: Yes. Listed email host: yahoo.com; real email host: 193.0.146.34. Domain proxy service: 193.0.146.34 - Yes (no Whois record); lenbon.net - No. Registration: 193.0.146.34 - Unknown (no Whois record); lenbon.net - HICHINA ZHICHENG TECHNOLOGY LTD (via China Telecom). Country: 193.0.146.34 - Russia (via freestyleisp.net); lenbon.net - China. My address in "TO" field: No.

15. 16/02/2013 - Gibberish. Malicious link: Yes; shortener: No; masking: No (non-clickable); link host: pistoia.it; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: sbcglobal.net; real email host: 79.96.180.143 (v096663.home.net.pl). Domain proxy service: 79.96.180.143 - No; pistoia.it - Yes (no Whois record). Registration: 79.96.180.143 - home.pl (home.pl S.A); pistoia.it - Regione Toscana (regione.toscana.it). Country: 79.96.180.143 - Poland; pistoia.it - Italy. My address in "TO" field: Yes.

16. 16/02/2013 - Gibberish. Malicious link: Yes; shortener: No; masking: No; link host: financebar.dk/newsmedia.html. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: sbcglobal.net; real email host: 91.210.100.28. Domain proxy service: 91.210.100.28 - Yes (no Whois record); financebar.dk - Yes (no Whois record). Registration: 91.210.100.28 - Unknown (via uanetworking.com); financebar.dk - Unknown. Country: 91.210.100.28 - UK (via uanetworking.com); financebar.dk - Denmark (via one.com). My address in "TO" field: No.
4. FEBRUARY 2013 – DETAILS – PAGE 3

(Same columns as page 1.)

17. 17/02/2013 - Dr ?. Malicious link: Yes; shortener: No; masking: Yes (basic html); link host: amazonaws.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 41.44.51.188. Domain proxy service: 41.44.51.188 - Yes (no Whois record). Registration: 41.44.51.188 - Unknown. Country: 41.44.51.188 - Egypt (via TE Data). My address in "TO" field: No (rediffmail.com listed as recipient).

18. 17/02/2013 - Random text scraped from book?. Malicious link: Yes; shortener: No; masking: No; link host: gassafetrades.co.uk. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 46.148.30.189. Domain proxy service: 46.148.30.189 - Yes (no Whois record); gassafetrades.co.uk - No. Registration: 46.148.30.189 - Unknown; gassafetrades.co.uk - UK (via GoDaddy.com). Country: 46.148.30.189 - Ukraine (via citonline.com.ua); gassafetrades.co.uk - USA (via hostrocket.com). My address in "TO" field: No.

19. 18/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: saihomecreations.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: rocketmail.com (via yahoo.com); real email host: 91.210.103.136. Domain proxy service: 91.210.103.136 - Yes (no Whois record); saihomecreations.com - Yes (domains by proxy - GoDaddy). Registration: 91.210.103.136 - Unknown; saihomecreations.com - Unknown (via GoDaddy). Country: 91.210.103.136 - UK (via uanetworking.com); saihomecreations.com - USA (via New Dream Network, LLC). My address in "TO" field: No.

20. 19/02/2013 - Gibberish. Malicious link: Yes; shortener: No; masking: No; link host: fldp.info; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 193.106.31.55. Domain proxy service: 193.106.31.55 - Yes (no Whois record); fldp.info - No. Registration: 193.106.31.55 - Unknown; fldp.info - (personal record in China). Country: 193.106.31.55 - Ukraine (via citonline.com.ua); fldp.info - USA (via New Dream Network, LLC). My address in "TO" field: No.

21. 19/02/2013 - Gibberish. Malicious link: Yes; shortener: No; masking: No; link host: lbh-lsm.org; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: rocketmail.com (via yahoo.com); real email host: 91.210.102.24. Domain proxy service: 91.210.102.24 - Yes (no Whois record); lbh-lsm.org - No. Registration: 91.210.102.24 - Unknown; lbh-lsm.org - (personal record in Jakarta). Country: 91.210.102.24 - UK (via uanetworking.com); lbh-lsm.org - Indonesia (via jagoanhosting.com). My address in "TO" field: No.

22. 21/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: fingtrack.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 91.210.103.17. Domain proxy service: 91.210.103.17 - Yes (no Whois record); fingtrack.com - No. Registration: 91.210.103.17 - Unknown; fingtrack.com - Fingtrack Co.,Ltd. (Thailand). Country: 91.210.103.17 - UK (via uanetworking.com); fingtrack.com - Thailand (via loxinfo.co.th). My address in "TO" field: No.

23. 22/02/2013 - Important message. Malicious link: Yes; shortener: No; masking: Yes - basic; link host: findmylamp.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: facebook.com.au; real email host: boscgi1201.eigbox.net. Domain proxy service: boscgi1201.eigbox.net - No; findmylamp.com - No. Registration: boscgi1201.eigbox.net - Tucows; findmylamp.com - Edson Evers LLP (blueplex.com). Country: boscgi1201.eigbox.net - USA (via cogentco.com); findmylamp.com - Germany (via oneandone.net). My address in "TO" field: Yes.

24. 22/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: genese-ressources.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 91.210.102.123. Domain proxy service: 91.210.102.123 - Yes (no Whois record); genese-ressources.com - No. Registration: 91.210.102.123 - Unknown; genese-ressources.com - SARL Genèse des Ressources (France, via gandi.net). Country: 91.210.102.123 - UK (via uanetworking.com); genese-ressources.com - France (via ovh.com). My address in "TO" field: No.
5. FEBRUARY 2013 – DETAILS – PAGE 4

(Same columns as page 1.)

25. 22/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: fingtrack.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com (yahoo.co.uk); real email host: 91.210.100.126. Domain proxy service: 91.210.100.126 - Yes (no Whois record); fingtrack.com - No. Registration: 91.210.100.126 - Unknown; fingtrack.com - Thailand (via loxinfo.co.th). Country: 91.210.100.126 - UK (via uanetworking.com); fingtrack.com - Thailand (via loxinfo.co.th). My address in "TO" field: No.

26. 23/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: Yes - basic; link host: amazonaws.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 95.42.50.85. Domain proxy service: 95.42.50.85 - No. Registration: 95.42.50.85 - BTC-NET Ltd. Country: 95.42.50.85 - Bulgaria (via btc-net.bg). My address in "TO" field: No (tpg.com.au listed as recipient).

27. 23/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: flavio-cavaller.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 91.210.101.66. Domain proxy service: 91.210.101.66 - Yes (no Whois record); flavio-cavaller.com - Yes (proxy.dreamhost.com). Registration: 91.210.101.66 - Unknown; flavio-cavaller.com - Unknown. Country: 91.210.101.66 - UK (via uanetworking.com); flavio-cavaller.com - USA (via New Dream Network, LLC - dreamhost.com). My address in "TO" field: No.

28. 23/02/2013 - Blank. Malicious link: Yes; shortener: No; masking: No; link host: fingtrack.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 91.210.101.56. Domain proxy service: 91.210.101.56 - Yes (no Whois record); fingtrack.com - No. Registration: 91.210.101.56 - Unknown; fingtrack.com - Thailand (via loxinfo.co.th). Country: 91.210.101.56 - UK (via uanetworking.com); fingtrack.com - Thailand (via loxinfo.co.th). My address in "TO" field: No.

29. 24/02/2013 - Gibberish. Malicious link: Yes (2); shortener: No; masking: No; link hosts: firstspaceglobal.com & goboint.com; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: gmx.at; real email host: 91.210.103.108. Domain proxy service: 91.210.103.108 - Yes (no Whois record); firstspaceglobal.com - No; goboint.com - No. Registration: 91.210.103.108 - Unknown; firstspaceglobal.com - First Space Ltd (facilitymedia.com); goboint.com - personal record in China. Country: 91.210.103.108 - UK (via uanetworking.com); firstspaceglobal.com - USA (via New Dream Network, LLC - dreamhost.com); goboint.com - USA (via wiredtree.com). My address in "TO" field: No.

30. 25/02/2013 - Gibberish. Malicious link: Yes; shortener: No; masking: No; link host: ascensionparishbangalore.org; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 91.210.101.37. Domain proxy service: 91.210.101.37 - Yes (no Whois record); ascensionparishbangalore.org - No. Registration: 91.210.101.37 - Unknown; ascensionparishbangalore.org - Relay Admedia (Bangalore). Country: 91.210.101.37 - UK (via uanetworking.com); ascensionparishbangalore.org - USA (via dimenoc.com). My address in "TO" field: No.

31. 26/02/2013 - Dating website. Malicious link: Yes; shortener: No; masking: Yes - basic; link host: amazonaws.com. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 121.97.110.43. Domain proxy service: 121.97.110.43 - No. Registration: 121.97.110.43 - BayanTel Broadband DSL (bayan.com.ph). Country: 121.97.110.43 - Philippines (via skyinet.net). My address in "TO" field: No (rediffmail.com listed as recipient).

32. 28/02/2013 - Ecard. Malicious link: Yes; shortener: Yes - bit.ly; masking: Yes - shortener and a redirect to 0102.0346.0263.127; link host: answeryourquestion.com redirects to 0102.0346.0263.127; link risks: the executable modifies and destroys files which are not temporary, changes security settings of Internet Explorer, and creates and/or modifies registry entries. Malicious attachment: No. Malformed email header: Yes. Compromised known contact: No. Listed email host: yahoo.com; real email host: 189.220.127.202. Domain proxy service: 189.220.127.202 - No; 0102.0346.0263.127 - Yes (no Whois record). Registration: 189.220.127.202 - TV CABLE S.A. DE C.V. (Mexico); 0102.0346.0263.127 - Unknown. Country: 189.220.127.202 - Mexico (via CABLEONLINE.COM.MX); 0102.0346.0263.127 - USA (via oxeo.com). My address in "TO" field: No (yahoo.es listed as recipient).

TOTAL: malicious link 31/32; link shortener 2/32; link masking 2/32; malicious attachment 0; malformed email header 31/32; sent from compromised known contact 1; contains my email address in "TO" field 4/32.