Chinese Internet Security Response Team (GMT +0800)

Spam about Britney Spears

[Posted on: April 6, 2007 18:07 | Category: Virus | by: smallmo] Reship: Original

Since Apr. 2, we have received a large amount of spam about Britney Spears. The mail is written in HTML. The mail body contains a sexy photo of Britney Spears; when a user clicks this photo, the browser is sent to sites hosting ANI exploit code, and a variant of Virus.Win32.Grum is downloaded and executed.

The spam messages look like the following:
From: Free@Britiney.com
         Nude BritineySpeers.com
Subject: Hot pictures of Britiney Speers
Body: (sexy photo about Britney Spears)


From: Admin@Britney.com
Subject: Britney spears naked pussy & paris hilton
Body: (sexy photo about Britney Spears)


From: Sexy@BritneySpears.com
         XXX@BritneySpears.com
Subject: Britney spears naked pussy & paris hilton
Body: (sexy photo about Britney Spears)


All the malicious URLs we have received so far:


All of the above URLs redirect to the same domain:
http://ibm-ssl.com


Some of them have been taken down; others are still active. We recommend that all users block these domains.
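As an added example (not part of the original post), the following Python script shows how a mail gateway or an analyst could flag HTML mails of this kind: it extracts the links wrapped around images (the click-the-photo lure described above) and checks their domains against a blocklist. Only ibm-ssl.com comes from the post; the sample message and the other blocklist entry are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# ibm-ssl.com is the final redirect target named in the post;
# "example-lure.test" is a constructed placeholder entry.
BLOCKED_DOMAINS = {"ibm-ssl.com", "example-lure.test"}


class LinkedImageFinder(HTMLParser):
    """Collect the href of every <a> element that wraps an <img>."""

    def __init__(self):
        super().__init__()
        self._href = None
        self.image_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href")
        elif tag == "img" and self._href:
            self.image_links.append(self._href)

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def linked_image_urls(raw_message: bytes):
    """Return hrefs of image-wrapping links in every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = LinkedImageFinder()
            finder.feed(part.get_content())
            urls.extend(finder.image_links)
    return urls


def domain_of(url: str) -> str:
    """Registrable-looking host name with a leading 'www.' removed (lower-cased by urlparse)."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def is_blocked(url: str, blocklist=BLOCKED_DOMAINS) -> bool:
    d = domain_of(url)
    return any(d == b or d.endswith("." + b) for b in blocklist)


def flag_message(raw_message: bytes, blocklist=BLOCKED_DOMAINS):
    """Linked-image URLs that point at blocked domains; an empty list means no match."""
    return [u for u in linked_image_urls(raw_message) if is_blocked(u, blocklist)]


# Constructed sample in the shape the post describes: an HTML mail whose photo links out.
SAMPLE_SPAM = b"""From: Admin@Britney.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="http://www.ibm-ssl.com/index.html"><img src="cid:photo"></a>
<a href="http://example.com/legit"><img src="cid:logo"></a>
</body></html>
"""

if __name__ == "__main__":
    print(flag_message(SAMPLE_SPAM))
```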

The sample is 36,864 bytes; Kaspersky detects it as Trojan-Proxy.Win32.Small.du.
MD5: b017cae51e4498c309690b8936f2fa79
SHA1: 6932512cf92b57479bab23b98fe6e7e0c194ce9d


Test it on VirusTotal:


Websense has published a detailed analysis report on this virus: Analysis of Malware Spread via SPAM and ANI vulnerability

Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=64da86640794



Last modified by smallmo on April 6, 2007 18:10

Betry Says : Email
April 26, 2009 00:27
My PC is running like new.
I was having trouble with my new computer running slow after I had only had it for a few months. I was upset, thinking there was something wrong with my computer, until I realized that I needed a good scan to clean out those bugs and viruses that were the real problem. When I started using Search-and-destroy Antispyware it took care of this problem and now my PC is running like new again. The antispyware solution from Search-and-destroy, which you can find at http://www.Search-and-destroy.com, has made a big difference for me and I'm sure you'll be happy with it too.