Hi,
Thanks to a report from Roberta I have identified another MSN-spreading spam/privacy threat.
The structure is identical to ultimatestufff; only the end-point domain changes.
Online contacts receive an offline message of the form http://_mail_address.awesomezz.com
Let’s dissect it!
From the HTTP headers we can see that this domain is served by a small web server (lighttpd with PHP 4.4.8):
HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/4.4.8
Content-type: text/html
Content-Length: 242
Date: Thu, 21 Aug 2008 15:00:41 GMT
Server: lighttpd/1.4.19
And this is the HTML code of the landing page, a frameset that loads three documents:
<html>
<head>
<title></title>
</head>
<frameset rows="*,30,1" frameborder=0>
<frame src="indexx.php" name="">
<frame src="abuse.html" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
<frame src="counter.php" name="" frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
</html>
-> counter.php
<img src="http://www.ipcounter.de/count.php?u=52572355&color=pink" alt="" border="0" width=0 height=0></a></noscript><img src="http://www.ipcounter.de/count.php?u=54136814&color=pink" alt="" border="0" width=0 height=0></a></noscript>
-> abuse.html
<center><b>Send Abuses to <a href="mailto:abuse@cpashield.com">abuse@cpashield.com</a></b>
-> indexx.php
The mechanism is always the same: the user lands on a certain website by passing through another website that sets tracking cookies. Indeed, as we can see, indexx.php points to Incentaclick:
http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita
which transparently (a common user will not notice the hop) sets some cookies:
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com
Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=www.incentaclick.com
The redirection then points to
http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita
The pattern is essentially the same as Ultimatestufff.com, with the difference that the end-point seems to be a website for mobile phones; probably the user is still asked to give MSN credentials.
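To make the dissection above repeatable offline, here is an added example (not code from the original post) that replays a captured redirect chain: it parses the landing frameset, follows Location redirects behind each frame, and records every Set-Cookie header set along the way. The HTTP responses are constructed samples modelled on the headers shown in this post; the hostname victim.awesomezz.com and the assumption that indexx.php hands off to Incentaclick via a 302 are mine, since the post shows only the target URL and not the hop mechanism.

```python
"""Offline dissection of a captured redirect chain (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed captures: URL -> raw HTTP response (status line, headers, body).
# Hostname and the 302 from indexx.php are assumptions, not real captures.
CAPTURES = {
    "http://victim.awesomezz.com/": (
        "HTTP/1.0 200 OK\r\nServer: lighttpd/1.4.19\r\nX-Powered-By: PHP/4.4.8\r\n"
        "Content-type: text/html\r\n\r\n"
        '<html><head><title></title></head><frameset rows="*,30,1" frameborder=0>'
        '<frame src="indexx.php" name=""><frame src="abuse.html" name="">'
        '<frame src="counter.php" name=""></frameset></html>'
    ),
    "http://victim.awesomezz.com/indexx.php": (
        "HTTP/1.0 302 Found\r\n"
        "Location: http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita\r\n\r\n"
    ),
    "http://www.incentaclick.com/nclick.php?id=17133&cid=4804&sub=newadx_ita": (
        "HTTP/1.1 302 Found\r\n"
        "Set-Cookie: IncentaclickUC480417133=480417133newadx_ita; expires=Sat, 20-Sep-2008 07:00:43 GMT; path=/; domain=.incentaclick.com\r\n"
        "Set-Cookie: IncentaclickTrackCookie4804=17133-newadx_ita; expires=Wed, 19-Nov-2008 07:00:43 GMT; path=/; domain=.incentaclick.com\r\n"
        "Location: http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita\r\n\r\n"
    ),
    "http://www.flycell.it/offer/?ref=2650&transid=17133-newadx_ita": (
        "HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n<html><body>offer</body></html>"
    ),
}


def parse_response(raw):
    """Split a raw response into (status_code, [(name, value), ...], body).
    Headers stay a list because Set-Cookie legitimately repeats."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


class FrameCollector(HTMLParser):
    """Collect src attributes of <frame>/<iframe> tags without rendering."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def extract_frames(html, base_url):
    """Return absolute URLs of all frames in the landing page."""
    p = FrameCollector()
    p.feed(html)
    return [urljoin(base_url, s) for s in p.srcs]


def parse_set_cookie(value):
    """Return (name, value, attributes) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, val, attrs


def follow_chain(start, captures, max_hops=10):
    """Walk Location redirects from `start`, recording each hop and every
    cookie set on the way. Returns (hops, cookies); a hop with status None
    means the URL was not captured."""
    hops, cookies, url = [], [], start
    for _ in range(max_hops):  # cap hops so a redirect loop cannot spin forever
        if url not in captures:
            hops.append((url, None))
            break
        status, headers, _ = parse_response(captures[url])
        hops.append((url, status))
        for name, val in headers:
            if name == "set-cookie":
                cname, cval, attrs = parse_set_cookie(val)
                cookies.append((cname, cval, attrs.get("domain", "")))
        location = next((v for n, v in headers if n == "location"), None)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
        else:
            break
    return hops, cookies


def dissect(landing_url, captures):
    """Parse the landing frameset, then follow the chain behind each frame."""
    _, _, body = parse_response(captures[landing_url])
    frames = extract_frames(body, landing_url)
    return frames, {f: follow_chain(f, captures) for f in frames}


if __name__ == "__main__":
    frames, chains = dissect("http://victim.awesomezz.com/", CAPTURES)
    for frame in frames:
        hops, cookies = chains[frame]
        print("frame:", frame)
        for url, status in hops:
            print("   ", status, url)
        for name, val, domain in cookies:
            print("    cookie", name, "=", val, "for", domain)
```

Because the chain is replayed from saved responses, the tracking cookies are never actually stored in a browser and the end-point is never rendered; in a live investigation the same functions can be fed responses captured with a non-executing fetcher, which is the safe way to map an affiliate redirect chain like this one.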
Here is the domain analysis (from a WHOIS lookup at the time of the capture):
Registry Data
ICANN Registrar: ENOM, INC.
Created: 2008-08-20
Expires: 2009-08-20
Updated: 2008-08-20
Registrar Status: clientTransferProhibited
Name Server: DNS1.REGISTRAR-SERVERS.COM (has 96,391 domains)
Name Server: DNS2.REGISTRAR-SERVERS.COM
Name Server: DNS3.REGISTRAR-SERVERS.COM
Whois Server: whois.enom.com
Server Data
IP Address: 210.56.53.73
Response Code: 200
Domain Status: Registered And Active Website
Note that the domain was created on 2008-08-20, the day before the HTTP capture above, which is typical of throwaway domains used for this kind of spam.
See you at the next post.
I would be interested to know how this happens. I've just been contacted by a new contact which I made today; I can smell spam a mile away so I haven't visited the link … as far as I know she is a Mac user … is it a local infection on her machine, or does another third party have access to her MSN logon details?
I’ve got it.
Boooooo.
What can I do to fix it?
I'm a Mac user with no experience of viruses.
Thank you.
My computer is infected, but I couldn't dissect it with the instructions given; I don't even understand where I should get started! If it is possible, please make the instructions a little more analytic. Thanks anyway.
I got the link from my wife today, and she uses a web messenger; can she remove this thing just by removing all cookies from her browser?
Hi,
First of all, this application does not affect any part of the PC, but an external entity has your credentials.
The user is asked to give their credentials (user and password), SO to
FIX it all you have to do is CHANGE PASSWORDS and CLEAR CACHE :).
Cookies can be removed if you use Mozilla Firefox (and I hope you use it) with an add-on that you can download from the Mozilla site called Monster Cookies; if you use another browser, search for a cookie cleaner.
Regards,
Giuseppe ‘Evilcry’ Bonfa’
PS: If someone has other examples of MSN-spreading domains please report them to me and I'll dissect them!!!
Thanks a lot, once more, I thought that it would be way more difficult :).
Now it doesn't seem to be only awesomezz.com; I also got one today from the same person with the domain yutubez.com
Oh, I forgot to mention: instead of .yutubez.com it is .yutubez.com
Many thanks for your link, I'll inspect it as soon as possible!
If someone has other links please let me know the URL.
Regards,
Giuseppe ‘Evilcry’ Bonfa’
Many thanks!
I have another one as well from MSN that ends in
RealDealzz.com
PassionZz.com
Thank You!
I don't know if you've got this one yet:
imagshackz.com
There were some others as well, but I haven't written them down.
Thank You!!
Please report to me all the domains that you know :)
Thanks!
The style of writing is quite familiar. Did you write guest posts for other bloggers?
Hehe, no, I write only in this blog.
Hi! I was surfing and found your blog post… nice! I love your blog. Cheers! Sandra R.
Thanks :)