Sunday, 12 October 2008
Be Careful - Spam E-mail Promoting Newyearwithlove.com Takes You to a Virus Website

Summary

The following domains are advertised by spam and will attempt to infect your computer with virus or trojan payloads.

Do not visit them - they will harm your computer!

  • newyearwithlove.com
  • newyearcards2008.com
  • familypostcards2008.com
  • happysantacards.com
  • parentscards.com
  • santapcards.com
  • postcards-2008.com

For additional details read on below.

Well, the sleaze who produce and distribute spam and viruses are at it again.

An e-mail was received recently (December 2007) with the following text:

Return-path:
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: spammed@ spammeddomain.com
Subject: Message for New 2008 Year
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

A New Year song

http://newyearwithlove.com/

Do not visit newyearwithlove.com! Our research indicates that the website is a vector for the distribution of virus and trojan payloads.

If you receive an e-mail promoting anything suspicious at this time of year (subjects like "Message for New 2008 Year"), or during any holiday, especially e-cards, screen savers and other rich media, assume the worst: do not open the e-mail in the first place, and if you do open it, do not visit the links.

Update 1

We have now also detected similar spam messages with links to:
newyearcards2008.com (do not visit!)

Update 2

We have now also detected similar spam messages with this subject and link in body:
Subject: New Year 2008 wishes for you

Happy New Year To SPAMMEDADDRESS!

http://familypostcards2008.com/ (do not visit!)

Update 3

We have now also detected similar spam messages with this subject and link in body:
Subject: Happy 2008!

A brand New 2008 Year

http://happysantacards.com/ (do not visit!)

Another subject used in spams for this domain is: Let's fete a sparkling New Year!

Update 4

Also detected spam messages with this subject and link in body:
Subject: Sparkling wishes on the New Year 2008

New 2008 Year wishes for you

http://parentscards.com/ (do not visit!)

Update 5

(Sigh) Detected spam messages with this subject and link in body:
Subject: A new beginning in the New Year

A New Year song

http://santapcards.com/ (do not visit!)

These scum sure want you to have a terrible new year.

Update 6

Detected spam messages with this subject and link in body:
Subject: Happy 2008 To You!

A New 2008 Year song

postcards-2008.com (do not visit!)

Files these sites will attempt to download to your computer include:
happy-2008.exe
fck2008.exe
fck2009.exe

Do not, under any circumstances, download these files.

One of our sources is Site Advisor (we are not affiliated with Site Advisor in any way).

It is a pity that people act this way and have undermined the e-card business to the point that no e-card can be trusted any more.

Other folks doing good work uncovering this activity:

http://matchent.com/wpress/?p=247
http://isc.sans.org/diary.html?storyid=3784

familypostcards2008.com data:

Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS.FAMILYPOSTCARDS2008.COM
Name Server: NS10.FAMILYPOSTCARDS2008.COM
Name Server: NS11.FAMILYPOSTCARDS2008.COM
Name Server: NS12.FAMILYPOSTCARDS2008.COM
Name Server: NS13.FAMILYPOSTCARDS2008.COM
Name Server: NS2.FAMILYPOSTCARDS2008.COM
Name Server: NS3.FAMILYPOSTCARDS2008.COM
Name Server: NS4.FAMILYPOSTCARDS2008.COM
Name Server: NS5.FAMILYPOSTCARDS2008.COM
Name Server: NS6.FAMILYPOSTCARDS2008.COM
Name Server: NS7.FAMILYPOSTCARDS2008.COM
Name Server: NS8.FAMILYPOSTCARDS2008.COM
Name Server: NS9.FAMILYPOSTCARDS2008.COM
Status: clientTransferProhibited
Updated Date: 29-dec-2007
Creation Date: 29-dec-2007
Expiration Date: 29-dec-2008

Notice that the creation date was just 29 December 2007, that the domain is registered in Russia, and that it claims 13 name servers. Others have said that this site and the others are hosted on a so-called botnet (a network of compromised personal computers, i.e. machines infected or taken over by a virus, trojan or rootkit).

newyearwithlove.com data:

Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS.NEWYEARWITHLOVE.COM
Name Server: NS10.NEWYEARWITHLOVE.COM
Name Server: NS11.NEWYEARWITHLOVE.COM
Name Server: NS12.NEWYEARWITHLOVE.COM
Name Server: NS13.NEWYEARWITHLOVE.COM
Name Server: NS2.NEWYEARWITHLOVE.COM
Name Server: NS3.NEWYEARWITHLOVE.COM
Name Server: NS4.NEWYEARWITHLOVE.COM
Name Server: NS5.NEWYEARWITHLOVE.COM
Name Server: NS6.NEWYEARWITHLOVE.COM
Name Server: NS7.NEWYEARWITHLOVE.COM
Name Server: NS8.NEWYEARWITHLOVE.COM
Name Server: NS9.NEWYEARWITHLOVE.COM
Status: clientTransferProhibited
Updated Date: 26-dec-2007
Creation Date: 26-dec-2007
Expiration Date: 26-dec-2008

These facts are just about the same, but show a creation date of 26 December 2007.

As of Update 2 these domains resolve as follows:
Host name: familypostcards2008.com
206.255.33.22 is from United States(US) in region North America
whois query for 206.255.33.22...
OrgName: Cablelynx

Host name: newyearwithlove.com
68.48.162.101 is from United States(US) in region North America
whois query for 68.48.162.101...
Comcast Cable Communications, Inc. JUMPSTART-1

happysantacards.com data:

Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU
Whois Server: whois.nic.ru
Referral URL: http://www.nic.ru
Name Server: NS.HAPPYSANTACARDS.COM
Name Server: NS10.HAPPYSANTACARDS.COM
Name Server: NS11.HAPPYSANTACARDS.COM
Name Server: NS12.HAPPYSANTACARDS.COM
Name Server: NS13.HAPPYSANTACARDS.COM
Name Server: NS2.HAPPYSANTACARDS.COM
Name Server: NS3.HAPPYSANTACARDS.COM
Name Server: NS4.HAPPYSANTACARDS.COM
Name Server: NS5.HAPPYSANTACARDS.COM
Name Server: NS6.HAPPYSANTACARDS.COM
Name Server: NS7.HAPPYSANTACARDS.COM
Name Server: NS8.HAPPYSANTACARDS.COM
Name Server: NS9.HAPPYSANTACARDS.COM
Status: clientTransferProhibited
Updated Date: 29-dec-2007
Creation Date: 29-dec-2007
Expiration Date: 29-dec-2008

DNS servers for happysantacards.com

ns4.happysantacards.com [75.58.59.255]
ns12.happysantacards.com [89.110.11.152]
ns11.happysantacards.com [65.65.62.25]
ns10.happysantacards.com [195.128.243.66]
ns2.happysantacards.com [75.22.26.158]
ns9.happysantacards.com [80.93.182.21]
ns8.happysantacards.com [89.77.164.42]
ns7.happysantacards.com [216.86.124.41]
ns.happysantacards.com [68.92.52.231]
ns6.happysantacards.com [24.2.144.171]
ns5.happysantacards.com [71.58.103.185]
ns13.happysantacards.com [69.212.40.126]

Same gang. The registrar is the same as before and the name server set-up is identical. The creation date is as fresh as can be.

As of update 3, here is where the happysantacards.com domain resolves:

IP address: 210.211.220.144
Host name: happysantacards.com
210.211.220.144 is from India(IN) in region Asia
and here is who that IP belongs to:
Results returned from whois.apnic.net:

inetnum:      210.211.128.0 - 210.211.255.255
netname:      VSNL-IN
descr:        Videsh Sanchar Nigam Ltd - India.
descr:        Videsh Sanchar Bhawan, M.G. Road
descr:        Fort, Bombay 400001
country:      IN
admin-c:      IA15-AP
tech-c:       VT43-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-VSNL-AP
mnt-routes:   MAINT-VSNL-AP
changed:      hm-changed @ apnic.net 20040218
status:       ALLOCATED PORTABLE
changed:      hm-changed @ apnic.net 20040930
source:       APNIC


parentscards.com data:

IP address: 99.129.206.145
Host name: parentscards.com
99.129.206.145 is from United States(US) in region North America (Surprise!)

Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU (Again!)
   Whois Server: whois.nic.ru
   Referral URL: http://www.nic.ru
   Name Server: NS.PARENTSCARDS.COM
   Name Server: NS10.PARENTSCARDS.COM
   Name Server: NS11.PARENTSCARDS.COM
   Name Server: NS12.PARENTSCARDS.COM
   Name Server: NS13.PARENTSCARDS.COM
   Name Server: NS2.PARENTSCARDS.COM
   Name Server: NS3.PARENTSCARDS.COM
   Name Server: NS4.PARENTSCARDS.COM
   Name Server: NS5.PARENTSCARDS.COM
   Name Server: NS6.PARENTSCARDS.COM
   Name Server: NS7.PARENTSCARDS.COM
   Name Server: NS8.PARENTSCARDS.COM
   Name Server: NS9.PARENTSCARDS.COM
   Status: clientTransferProhibited
   Updated Date: 29-dec-2007
   Creation Date: 29-dec-2007 (Fresh!)
   Expiration Date: 29-dec-2008

Domain name: PARENTSCARDS.COM
Name Server: ns.parentscards.com 98.200.192.61
Name Server: ns10.parentscards.com 75.208.183.75
Name Server: ns11.parentscards.com 86.63.68.182
Name Server: ns12.parentscards.com 78.60.109.29
Name Server: ns13.parentscards.com 78.60.109.29
Name Server: ns2.parentscards.com 75.58.154.72
Name Server: ns3.parentscards.com 74.138.11.91
Name Server: ns4.parentscards.com 24.167.247.141
Name Server: ns5.parentscards.com 82.45.196.101
Name Server: ns6.parentscards.com 84.27.40.109
Name Server: ns7.parentscards.com 217.121.5.145
Name Server: ns8.parentscards.com 82.131.56.154
Name Server: ns9.parentscards.com 89.132.96.240
Creation Date: 2007.12.29
Updated Date: 2007.12.29
Expiration Date: 2008.12.29

Status:                  DELEGATED

Registrant ID:           X05O1TC-RU
Registrant Name:         Larry Claus (No doubt bogus)
Registrant Organization: Larry Claus
Registrant Street1:      1874 str., office 923
Registrant City:         Los-Angeles
Registrant State:        CA
Registrant Postal Code:  320784
Registrant Country:      US

Administrative, Technical Contact
Contact ID:              X05O1TC-RU
Contact Name:            Larry Claus
Contact Organization:    Larry Claus
Contact Street1:         1874 str., office 923
Contact City:            Los-Angeles
Contact State:           CA
Contact Postal Code:     320784
Contact Country:         US
Contact Phone:           +1 320 5216723
Contact E-mail:          larryknower931@yahoo.com

whois query for 99.129.206.145...
AT&T Internet Services 
SBCIS-SBIS-6BLK (NET-99-128-0-0-1) 
99.128.0.0 - 99.167.255.255
PPPoX Pool - rback2.peoril-1193726162 
SBC-99-129-204-0-22-0710303610 (NET-99-129-204-0-1) 
99.129.204.0 - 99.129.207.255

No doubt the IP 99.129.206.145 at SBC/AT&T is someone's infected PC and will be whacked soon enough, so expect it to change quickly. The key point, once again, is that this is clearly the same gang: they don't even make much of an effort to break the pattern of domain names, registration, DNS or anything else.
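The registration and DNS pattern spelled out above and in the familypostcards2008.com notes (a creation date only days old, thirteen name servers all inside the domain itself, NS glue pointing at hosts on unrelated networks) can be turned into a repeatable check. The Python below is an added example, not code from this post; the thresholds are assumptions, and the sample whois text and glue are constructed from the happysantacards.com records quoted above.

```python
from datetime import date, datetime
from ipaddress import ip_address

# Thresholds are assumptions chosen for illustration, not figures from the post.
MAX_AGE_DAYS = 14      # "fresh as can be" registrations
MIN_NS_COUNT = 8       # each domain in the post claims 13 name servers
MIN_NS_NETS = 5        # NS glue scattered over unrelated /8s points at botnet hosting

def parse_whois(text):
    # Extract registrar, creation date and name servers from registrar-style whois
    # output like the records quoted in the post (dates written like 29-dec-2007).
    rec = {"registrar": None, "created": None, "ns": []}
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if key == "Registrar":
            rec["registrar"] = val
        elif key == "Creation Date":
            rec["created"] = datetime.strptime(val, "%d-%b-%Y").date()
        elif key == "Name Server":
            rec["ns"].append(val.lower())
    return rec

def flux_indicators(domain, rec, glue, today):
    # Return the reasons a domain matches the pattern; glue maps name-server
    # hostnames to IPs (the "DNS servers for ..." listing). today: date or ISO string.
    today = date.fromisoformat(today) if isinstance(today, str) else today
    reasons = []
    if rec["created"] and (today - rec["created"]).days <= MAX_AGE_DAYS:
        reasons.append("registered %d days ago" % (today - rec["created"]).days)
    if len(rec["ns"]) >= MIN_NS_COUNT:
        reasons.append("%d name servers" % len(rec["ns"]))
    if rec["ns"] and all(h.endswith("." + domain) for h in rec["ns"]):
        reasons.append("every name server lives inside the domain itself")
    nets = {ip_address(ip).packed[0] for ip in glue.values()}   # distinct first octets
    if len(nets) >= MIN_NS_NETS:
        reasons.append("NS glue spread over %d different /8 networks" % len(nets))
    return reasons

# Constructed sample built from the happysantacards.com records quoted in the post
# (whois lines for all 13 servers; glue limited to six of the twelve IPs listed).
SAMPLE_WHOIS = "Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU\n" + "".join(
    "Name Server: NS%s.HAPPYSANTACARDS.COM\n" % n for n in [""] + list(range(2, 14))
) + "Creation Date: 29-dec-2007\n"
SAMPLE_GLUE = {"ns4.happysantacards.com": "75.58.59.255", "ns12.happysantacards.com": "89.110.11.152",
               "ns11.happysantacards.com": "65.65.62.25", "ns10.happysantacards.com": "195.128.243.66",
               "ns2.happysantacards.com": "75.22.26.158", "ns9.happysantacards.com": "80.93.182.21"}

if __name__ == "__main__":
    print(flux_indicators("happysantacards.com", parse_whois(SAMPLE_WHOIS), SAMPLE_GLUE, "2007-12-31"))
```

Run against a newly seen domain's whois record and NS glue, every reason returned is one of the tells this post relies on; a well-established domain with a couple of external name servers returns an empty list.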
