This fake HP email has a ZIP attachment, containing an HTML file that leads to malware. The ZIP format is presumably being used to get past virus scanners.
Subject: Re: Scan from a Hewlett-Packard ScanJet 20382282
Attached document was scanned and sent
to you using a Hewlett-Packard NetJet 280904SL.SENT BY : ETSUKO
PAGES : 9
FILETYPE: .HTM [Internet Explorer File]
(See attached file: HP_Jet_27_P683.zip)
The HTML file leads to malware at superproomgh.ru:8080/navigator/jueoaritjuir.php (report here) which is multihomed on the following IPs:
41.168.5.140 (Neotel Pty, South Africa)
61.187.191.16 (ChinaNet Hunan, China)
62.85.27.129 (Microlink, Latvia)
78.83.233.242 (Spectrum Net JSC, Bulgaria)
125.19.103.198 (Bharti Infotel Ltd, India)
202.143.147.35 (Ministry of Education, Thailand)
202.149.85.37 (Satata Neka Tama, Indonesia)
210.56.23.100 (Commission For Science And Technology, Pakistan)
210.56.24.226 (Commission For Science And Technology, Pakistan)
210.109.108.210 (Sejong Telecom, Korea)
211.44.250.173 (SK Broadband Co Ltd, Korea)
219.94.194.138 (Sakura Internet, Japan)
Plain list for copy-and-pasting:
41.168.5.140
61.187.191.16
62.85.27.129
78.83.233.242
125.19.103.198
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138
Leave a reply
