[nSLUG] apache used to generate spam
mspencer at tallships.ca
Thu Apr 16 17:43:15 ADT 2009
> One more test message arrived today. The first one to
> arrive during business hours. Here is the postcat, the same
> as the others, targeting a Brazilian population:
In case you haven't checked, that URL from your captured spam fetches
a UPX-packed W32 executable, cheque-devolvido.exe:
  53248 bytes packed,    MD5sum bdb72a15507219132213a886c7ce3c23
  141824 bytes unpacked, MD5sum 854b66fafeec09c43bab3acfa299a0e0
I have no idea if this is active malware or something else.
"strings cheque-devolvido.exe" (on the upx-unpacked version) doesn't
produce anything that stands out (to my eye, anyhow) except
Google for "crazy_loader" produces one hit:
Which in turn contains a reference to 184.108.40.206, embedded
SWF and other odds from which I can deduce not very much other than a
Brazilian connection (which you already knew anyhow) and possible
connection to habbo.com VR/gaming system.
Michael Spencer, Nova Scotia, Canada
mspencer at tallships.ca
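The triage steps described in the post above (hash the sample, note that it is UPX-packed, pull printable strings) as an added example, not code from the original message or the nSLUG list. It builds a constructed, minimal PE-shaped byte blob inline so it runs offline; the section names, payload text and the `example.invalid` URL in the sample are made up for the demonstration, and the packed/unpacked hashes from the post are not reproduced here.

```python
"""Added example: static triage of a Windows PE sample the way the post does
it by hand: hash it, check the section table for UPX names, list strings.
Everything below is constructed for illustration, not taken from the post."""
import hashlib
import re
import struct


def file_hashes(data: bytes) -> dict:
    """MD5 (as quoted in the post) plus SHA-256 for a modern match."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header (20 bytes) follows the signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PtrSymTab(4)
    # NumSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt                         # first 40-byte section header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]       # Name is the first 8 bytes
        if len(raw) < 8:
            break                                            # truncated table: stop cleanly
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names and a 'UPX!' marker in the file."""
    names = pe_section_names(data)
    return any(n.startswith("UPX") for n in names) or b"UPX!" in data


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings`: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """One-shot report combining the checks above."""
    report = file_hashes(data)
    report["sections"] = pe_section_names(data)
    report["upx"] = looks_upx_packed(data)
    report["strings"] = printable_strings(data, 8)
    return report


def build_sample_pe(section_names: list, payload: bytes) -> bytes:
    """Constructed minimal PE: 64-byte DOS header with e_lfanew=64, a COFF
    header with no optional header, then bare section headers and payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + sections + payload


# Constructed samples (hypothetical content, not the post's binary).
SAMPLE_PACKED = build_sample_pe(
    ["UPX0", "UPX1", ".rsrc"],
    b"UPX!\x0d\x09\x02\x0a crazy_loader http://example.invalid/x.swf\0",
)
SAMPLE_PLAIN = build_sample_pe([".text", ".data"], b"Hello from a constructed sample\0")

if __name__ == "__main__":
    for label, blob in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, triage(blob))
```

Run it as a script to see both reports; on a real file, read the bytes and pass them to `triage`. The section-table walk is the part worth keeping: a `UPX!` marker alone can be stripped, but the loader-facing section names are harder to hide, and the same walk is the starting point for any further PE parsing.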