
Nasty Payload


dra007


Thought I'd have a look (if it is evil, it wouldn't hurt my Mac), but the link has gone 404. My guess is that it was evil.
<Chortle> We've not seen you over in "Hello, I'm a Mac", Ric.

A few hours later, as said, LinkScanner seemed to make the connection okay. The SiteAdvisor page is (no doubt) reading a cache and just the top level "page" but LS is live (second chance, right now).


Using safe/secure tools to browse the 'front' page, there is nothing there to spark an issue. It is an "adult" site, based on words buried in the HTML ... worst case, something like a hack from a competitor, dropping this 'special' file on that web page, then sending out the spew to 'advertise' it ... the 'outage' was while the web-site owner was 'fixing it' ...????

Looking at the total garbage in your spam e-mail, can't help but wonder just why anyone would follow the link in the first place ...????


Wazoo, I did not see that crap till after parsing. All you see in IE is a graphic saying "Internet Explorer version seven beta", and the sender looks like Microsoft. Clicking on it actually downloads two programs, both very small. One is called "microsoft IE" with an .exe extension. They were not recognized as viruses or malware by any of my programs. I am still worried. I got two of these: one came through a Russian ISP, and this one through a Dutch one. That is what raised the flags. I suspect you have to trigger the *.exe file to get the real surprise, and that itself could be some kind of redirect.

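The two small .exe files described in the post above are the kind of thing worth looking at on disk before anyone double-clicks them or even submits them anywhere. The script below is an added example, not code from this thread or from any of the tools named in it: it hashes a file (SHA-256 is the key you would paste into VirusTotal), checks whether the bytes really are a Windows PE image regardless of what the filename claims, and pulls out printable strings that hint at a downloader (URLs, and import names such as URLDownloadToFile). The sample bytes it builds are a constructed, non-functional PE header plus a few embedded strings; the API names, hostnames and filenames used for testing are assumptions for illustration, not indicators taken from the spam.

```python
"""Offline static triage of a suspicious download. Nothing is executed."""
import hashlib
import re
import struct

# Imports a small downloader/dropper typically needs. Presence is a hint, not proof.
INTERESTING_APIS = (
    b"URLDownloadToFile", b"InternetOpenUrl", b"WinExec",
    b"ShellExecute", b"CreateProcess", b"WriteProcessMemory",
)
MACHINES = {0x14C: "x86", 0x8664: "x64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data):
    """Return (machine, characteristics) if data starts a valid PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _psym, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return machine, chars


def triage(data, filename):
    """Hash, identify and string-scan a file without running it."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # lookup key for VirusTotal
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "is_pe": False, "machine": None, "is_dll": None,
        "urls": [], "apis": [], "warnings": [],
    }
    hdr = parse_pe_header(data)
    if hdr:
        machine, chars = hdr
        report["is_pe"] = True
        report["machine"] = MACHINES.get(machine, hex(machine))
        report["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    # Printable ASCII runs of 6+ chars: enough to spot URLs and import names.
    for s in re.findall(rb"[\x20-\x7e]{6,}", data):
        if any(api in s for api in INTERESTING_APIS):
            report["apis"].append(s.decode())
        report["urls"].extend(
            u.decode() for u in re.findall(rb"https?://[\x21-\x7e]+", s))
    name = filename.lower()
    parts = name.split(".")
    if len(parts) > 2 and parts[-1] == "exe":  # e.g. "photo.jpg.exe"
        report["warnings"].append("double extension: %s" % filename)
    if report["is_pe"] and not name.endswith((".exe", ".dll", ".scr")):
        report["warnings"].append("PE image with non-executable extension")
    if not report["is_pe"] and name.endswith(".exe"):
        report["warnings"].append(".exe that is not a PE image")
    return report


def build_sample(tail=b""):
    """Constructed minimal PE header (MZ stub + PE/COFF header) followed by tail bytes.
    It is not a runnable program; it only exercises the parser above."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE header lives at 0x80
    dos += b"\x00" * (0x80 - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0,
                       IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)  # x86, EXE, 32-bit
    return bytes(dos) + b"PE\0\0" + coff + tail


if __name__ == "__main__":
    # Constructed sample: a tiny "downloader" that names an API and a URL (assumed values).
    sample = build_sample(b"\x00URLDownloadToFileA\x00http://example.invalid/ie7beta.exe\x00")
    for key, value in triage(sample, "microsoft IE.exe").items():
        print("%-9s %s" % (key, value))
```

Run it against the real files with `triage(open(path, "rb").read(), os.path.basename(path))`; a tiny EXE that parses as a PE and carries a URL plus a download API in its strings is the classic two-stage pattern, where the first file's only job is to fetch the real payload.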

<Chortle> We've not seen you over in "Hello, I'm a Mac", Ric.

I know a Holy War when I see it. I've owned Macs since 1985, and they work well for me. They work even better now that they use OS X (which is BSD at heart, inherently very secure).

Everyone else can use whatever they like so far as I'm concerned (although I'd prefer they kept these machines out of the botnets).

LinkScanner seems to find nothing wrong with it (which is not conclusive of course). SiteAdvisor says the front page/page referenced by the domain name is clear, you are invited to submit any "downloads" for testing there. I guess you Googled? I haven't.

I recall that some of the porn spammers used to distribute their porn dialers in this form (as EXE files downloaded directly via HTTP URL), although the site that used to provide all these customized dialers seems to have gone toes-up last I knew about it.

-- rick


Well, seems there might be some cause for concern: Beware fake IE 7 downloads - "There is spam out there that tries to get you to download IE 7. It's fake, of course. When you click on the image, you are then offered to download a trojan (Sunbelt Sandbox analysis here, VirusTotal results here). Antivirus coverage is mediocre."

[link noted from the posting of the ever-vigilant john s. smith in news.grc.com group .spyware]

