All Things Techie With Huge, Unstructured, Intuitive Leaps
Showing posts with label virus. Show all posts

Watch out for the "What's App Web" Spam Virus/Malware


I just got this piece of crap spam malware/virus injector in my mail.  It came directly from a friend's gmail account, so obviously he picked up the malware from somebody.

Don't click on it.  Notice the spelling error in the word "length".  The link's domain is maloureyes.com. That by itself doesn't mean anything, because typically these spammers hack a relatively untended website and inject their crap from there without the owner being any the wiser.

Interesting that they would try to play off the Whats App name.  Don't be fooled.

Funeral Home Virus Spam


Now doesn't this beat all.  I got virus-injection spam purporting to be from a funeral home.  All that I had to do was click a link.  Here is the text of the spam (pictured above):

Eubank Funeral Home info@oceanpromenadehotel.com
Eubank 
Funeral Home & Cremation Services

For this unprecedented event, we offer our deepest prayers of condolence and invite to you to be present at the
celebration of your friends life service on Sunday, February 9, 2014 that will take place at Eubank
Funeral Home at 11:00 a.m. 

Please find invitation and more detailed information about the farewell ceremony here .

Best wishes and prayers,

Funeral home receptionist,
Jacob Faulkner 

Copyright 2014 Funeral Home Website Design By: Frazer Consultants LLC

Notice the nice little touches like the copyright and "designed by" footer.  It has the characteristics of regular spam.  The sender address is from one domain.  When you hover over the link, it points to another domain, and none of the names match who the sender is supposed to be (Eubank Funeral Home in this case).

Speaking of the link, it goes to the domain DanielCespedes.com.  It turns out that Daniel Cespedes is a guy who died while escaping police custody in Florida for statutory rape.  He linked up with a minor MySpace celebrity called Kiki Kanibal, who was a minor, and apparently raped her.  The domain is parked and under construction, but the spammers hacked the account and put their virus in a hidden page in that domain, which is where the link takes you.  Half the spam that comes in is from hacked legitimate accounts.  If you have dormant accounts, websites, email addresses, etc., it helps to change the passwords regularly and make them really hard to guess with a good combo of letters, numbers and special characters.

All this to say, never click out of curiosity.  Remember, curiosity killed the cat.

Kids Live Safe Email Spam -- Dangerous


This is the absolutely latest in egregious spam.  It purports to be from Kids Live Safe.com which apparently alerts you if there is a registered sex offender in your neighborhood.  The website itself uses scare tactics and sells email alerts.

However, this spam is from another domain, websaving.com, and this is a sure sign of a virus or malware injector.  There is an embedded script that hides the domain the link takes you to, so you cannot check its validity by hovering over it with the cursor.

These are all signs of virus, trojan and malware activity.  Delete it, empty your trash, and in no way click on it.
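The two checks described in the funeral-home post and the Kids Live Safe post above (sender domain versus link domain, and scripting on the link that hides where it really goes) can be automated. This is an added example, not code from the blog; the sample message is constructed here, reusing only the sender and link domains the posts name, and the two-label "registered domain" helper is a deliberate simplification.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam quoted in the posts above.
SAMPLE_EML = """\
From: Eubank Funeral Home <info@oceanpromenadehotel.com>
To: victim@example.com
Subject: Funeral ceremony notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the invitation
<a href="http://danielcespedes.com/x.php">here</a>.</p>
<p><a href="http://websaving.com/k"
onmouseover="window.status='kidslivesafe.com';return true">Kids Live Safe</a></p>
<p>Copyright 2014 Funeral Home Website Design By: Frazer Consultants LLC</p>
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects the attributes of every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append(dict(attrs))

def _reg_domain(host):
    # Crude registered-domain guess (last two labels); enough for this check.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw):
    """Return (finding, detail) pairs for the hover-check warning signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = _reg_domain(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = _LinkCollector()
    parser.feed(body)
    findings = []
    for a in parser.links:
        href = a.get("href", "")
        url = urlparse(href)
        if url.scheme.lower() == "javascript":
            findings.append(("javascript-href", href))
            continue
        link_domain = _reg_domain(url.hostname or "")
        if link_domain and link_domain != sender_domain:
            findings.append(("domain-mismatch", f"{sender_domain} -> {link_domain}"))
        # Handlers that rewrite what the user sees when hovering over the link.
        if any(k in ("onmouseover", "onclick") for k in a):
            findings.append(("hover-spoof", href))
    return findings
```

Run `check_email(SAMPLE_EML)` to see the mismatch and hover-spoof findings; an empty list means no link crosses out of the sender's domain.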

Newest Form of Spam Virus Injection -- The Vanity Spam


The latest form of spam with the intent to put a virus on my machine is the vanity spam.  They think that I am vain enough to have my name in a fake who's who.  Read it and weep:

JT Richards
To Me
Nov 22
Hello,

As you are more than likely aware, you were recently selected 
for inclusion in the new 2013 edition of the Who's Who Among 
Executives and Professionals.

Despite our efforts, we have not yet received confirmation of 
your biographical profile, and are reaching out to you again 
in an effort to do so.

Click here to verify and confirm your profile

The tradition of the Who's Who reaches back more than 
100 years to a time when the prestigious and accomplished 
were featured in a yearly publication that defined high society.

Today, the Who's Who provides a useful resource where business 
professionals, academics, and Executives are both recognized for 
their achievements and provided with an unparalleled networking 
resource. Using our database, you can make global contacts, 
discuss current events and happenings with your peers, and 
establish yourself as either a mentor to aspiring professionals or 
further your business network.

Our goal is to seek out the premier executives and professionals 
throughout the world. There is absolutely no cost or obligation 
for your biographical profile. Simply click this link to fill out 
the appropriate biographical fields.


Sincerely,

JT Richards
Managing Director
Who's Who Among Executives and Professionals



To change your communication options please click this link 
or write to:

3635 S. Fort Apache Rd, Suite 200 - 637
Las Vegas, NV 89147


The virus domain the mail comes from is www.dotfluid.com.  There is no website.  The postal address listed is a U-Haul truck rental.

Needless to say, if you get one of these, don't click any of the links.

Virus Injection Domain ~ Someone in Portugal Please Lay a Beating on this guy

I have an acquaintance named Dwight who is a nice guy. I met him at a dinner party in Nassau at a mutual friend's place. Nassau is a small place and I occasionally ran into him. Dwight was transferred back to Florida. I hadn't heard from him in a long while. Thus I was pleased when I saw an email from him in my inbox. However, I was not pleased when I saw that it was a virus-generated email going through his contact list, sending out links that will infect your machine.

I am sure you have seen these latest viruses. You get an email from one of your trusted contacts that says "Hey, look at this". When you click on it, BANG -- you're infected.

Well, it's time to fight back. Here is the domain name registration of the sub-human sending out these viruses. It is from Portugal. If there is anyone in Portugal who is an anti-social psychopath who is just itching to lay a beating on someone, go to the town of Porto (yes, where port comes from). Find the street Rua Barao de Nova Sintra, and the building number is No. 433. Ring the bell for apartment 3530 and beat the living crap out of the guy, and while you are at it, smash all of the computers and cell phones.

The domain of the virus injector is dunil.pt. Don't click on it.

WHOIS information for dunil.pt:

Nome de domínio / Domain Name: dunil.pt
Data de registo / Creation Date (dd/mm/yyyy): 04/12/2000
Data de expiração / Expiration Date (dd/mm/yyyy): 28/02/2013
Estado / Status: ACTIVE
Titular / Registrant

Dunil - Confeccoes Lda
Rua Barao de Nova Sintra, No. 433
Apartado 3530

4306-901 Porto

Email: dunil@ip.pt

Entidade Gestora / Billing Contact
G9SA - Telecomunicacoes S.A .
Email: geral@g9sa.pt

Responsável Técnico / Tech Contact
Joao Carlos Ramos Perdigoto
Email: perdigot@interacesso.pt

Update: Got another virus mailing from Dwight's machine. This one came from Malaysia. (They shouldn't let half-civilized monkey goons play on the internet). Here are the domain registration details:

Chan Kee Siak
Exabytes Network Sdn Bhd
1-18-8, Suntech @ Penang Cybercity
Lintang Mayang Pasir 3, Bayan Baru
11950 Bayan Lepas
Pulau Pinang
Malaysia
@exabytes.com.my
(Tel) 604-6308283
(Fax) 604-6308288

g [Registrant Code] DENAI1.ORG
Denai Solutions Sdn Bhd
(531969-A)
38-5-2 Jalan 1/101C
Cheras Business Center, Cheras
56100 Kuala Lumpur
Wilayah Persekutuan
(Tel) 03-91334299
(Fax) 03-91411266

h [Administrative Contact Code] KHIZYAHA0.CON
Khuzaif Yahaya
Denai Solutions Sdn Bhd
Level 12, Bangunan MAS
Jalan Sultan Ismail
50250 Kuala Lumpur
Wilayah Persekutuan
Malaysia
@hotmail.com
(Tel) 03-20523909
(Fax) 03-21649405

Java Virus ???

I am a firm believer in Avira. I use it on all of my machines for anti-virus. The way that I became a believer was in Nassau, the Bahamas. We needed a cheap machine to act as a modem answer gateway. We walked over to the local Radio Shack store and bought the cheapest Pentium knock-off that they had. It came loaded with all sorts of stuff, like Microsoft Office, Adobe Photoshop and all of the expensive programs.

This being the Caribbean, and the land of the Pirates of the Caribbean, of course it was all cracked stuff, loaded with viruses. I did my best to clean the machine with every available package, including Norton, McAfee and such -- all to no avail. Avira (free personal download) was the only one that did it.

So, today, Avira began its scan, and this showed up in the transcript pad:

Begin scan in 'C:\'
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\33c334d3-7247e552
[0] Archive type: ZIP
--> main.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2012-0507 exploit

Beginning disinfection:
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\33c334d3-7247e552
[DETECTION] Contains recognition pattern of the EXP/CVE-2012-0507 exploit
[NOTE] The file was moved to the quarantine directory under the name '4af8d44b.qua'.

Holy crap, it was a Java virus. Here is more information:


Virus: EXP/CVE-2012-0507.A
Date discovered: 19/03/2012
Type: Exploit
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
VDF version: 7.11.25.166
IVDF version: 7.11.25.166

General Method of propagation:
• No own spreading routine


Aliases:
• Mcafee: Generic
• Kaspersky: Exploit.Java.CVE-2011-3544.lt
• Microsoft: Exploit:Java/CVE-2012-0507.A
• GData: Java:CVE-2011-3544-ET


Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7


Side effects:
• Can be used to execute malicious code
• Makes use of software vulnerability CVE-2012-0507

File details
Programming language:
• Java