just saw this one in email.  terra.com/ spamcop.com./br are hosting trojans.
but this email uses flash to load this:

<param name=movie value="http://www.terra.com.br/cartoes/datas/amor.swf";>
(which redirects to http://cartoes.terra.com.br/datas/amor.swf )

then tries to load a binary:

ref="http://www.spamcom.com.br/CartadeAmor.exe";

both files still exist on the hosts; neither was identified by clamav, and neither triggered any ET (snort) rules. SA didn't trigger any rules except these:

HTML_EMBEDS=0.056, HTML_EXTRA_CLOSE=2.809,
        HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.957,

(and my private rule, looking for a uri ending in .exe)

email that tries to get you to load these here:

http://pastebin.com/m2fcbe7b5



--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2009 Hot Company Award Finalist, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008
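
Added example, not part of the original message and not the poster's private rule: a static check in the same spirit, flagging any tag attribute in an HTML mail body whose URL path ends in .exe or .swf. The hosts, file names and sample body are constructed; the check does not follow redirects.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions worth flagging in an HTML-only mail body (assumed policy for this example).
RISKY_EXT = {".swf": "Flash movie", ".exe": "executable download"}


class UrlCollector(HTMLParser):
    """Collect every attribute value that is an absolute http(s) URL."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        # Look at all attributes, not only href/src: Flash is loaded through
        # <param name=movie value=...>, and mangled attribute names also occur.
        for name, value in attrs:
            if value and value.strip().lower().startswith(("http://", "https://")):
                self.found.append((tag, name, value.strip()))


def scan_html(body):
    """Return (label, tag, url) for each URL whose path ends in a risky extension."""
    collector = UrlCollector()
    collector.feed(body)
    collector.close()
    hits = []
    for tag, _attr, url in collector.found:
        # Compare the path only, so a query string cannot hide the extension.
        path = urlsplit(url).path.lower()
        for ext, label in RISKY_EXT.items():
            if path.endswith(ext):
                hits.append((label, tag, url))
    return hits


# Constructed sample body; example.invalid hosts are placeholders.
SAMPLE = """<html><body>
<object><param name=movie value="http://cards.example.invalid/datas/card.swf"></object>
<a href="http://files.example.invalid/Card.EXE?id=1">open card</a>
<a href="http://www.example.invalid/about.html">about</a>
</body></html>"""

if __name__ == "__main__":
    for label, tag, url in scan_html(SAMPLE):
        print(f"{label}: <{tag}> {url}")
```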

