10 June 2006

email virus cartao.exe Cartao Virtual Sapo


we have been receiving this virus email a lot lately [clarification: the email itself does not contain a virus or any attachment(s); by clicking on the email's phishing link(s) you are instead taken to a malicious website where the virus, in the form of the file cartao.exe, will be installed on your pc]. it always comes (so far) written in spanish as a cleverly crafted ecard. however, when we hover our mouse over what the hackers portray to be the link to click to view our ecard (the long blue line), we see down in the lower left corner, in the status bar, that in reality it's a .exe file. actually, all three hyperlinks in that email go to the same .exe file.
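the hover-the-mouse check above can be automated: the following is an added example (not code from the original post) that parses an html email body and lists every link whose target is a directly downloadable executable, on a constructed sample body modelled on the ecard described here (three differently styled links, all pointing at the same cartao.exe).

```python
# Added example: find links in an HTML e-mail body that point at an executable.
# Uses only the standard library so it runs offline on a saved message body.
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible text]
        self._current = None   # the entry for the <a> we are inside, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def find_executable_links(html):
    """Return the distinct URLs in `html` whose path ends in an executable suffix."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, _text in parser.links:
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES) and href not in hits:
            hits.append(href)
    return hits


# Constructed sample body (not the real message): an image link, a "long blue
# line" link and a text link all resolve to the same .exe, plus one benign link.
SAMPLE_BODY = """<html><body>
<p>Amor, Olha o Cartao que eu Fiz para Voce Bjs Te Amo</p>
<a href="http://mooncards.no.sapo.pt/cartao.exe"><img src="cid:card.gif"></a>
<a href="http://mooncards.no.sapo.pt/cartao.exe">______________________________</a>
<a href="http://mooncards.no.sapo.pt/cartao.exe">Clique aqui para ver o cartao</a>
<a href="http://www.sapo.pt/">Sapo</a>
</body></html>"""

if __name__ == "__main__":
    for url in find_executable_links(SAMPLE_BODY):
        print("executable download link:", url)
```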
so what to do....
in the status bar we see that the url that's hosting the virus (in the form of the .exe file cartao.exe) is called mooncards.no.sapo.pt, so we enter that into our trusty 3d traceroute and find out who to contact:

====
but not before we went on *sapo.pt and found some contact email addresses.
*sapo.pt is a legitimate website that gives away free personal spaces or pages. unfortunately, nefarious individuals [hackers] exploit their kindness, and that of other websites like freewebs.com, for example.
====
From: wesawthat@gmail.com
To: abuse@mail.telepac.pt.info.mail@mail.sapo.pt,info@mail.sapo.pt
Cc: reportphishing@antiphishing.org,spam@uce.gov
Subject: Fw: Amor, Olha o Cartao que eu Fiz para Voce Bjs Te Amo
Date: Sat, 10 Jun 2006 16:29:52 -0500
Organization: www.wesawthat.blogspot.com

TELEPAC.PT/SAPO.PT: this phishing email was sent to trick pc users into installing a .exe file (email computer virus) that's on a website that you host. please would you terminate service to:

http://mooncards.no.sapo.pt/cartao.exe


X-Gmail-Received: 3870c37034a0d7bb390a6fdd089830f9b77c6a8e
Delivered-To: wesawthat@gmail.com
Received: by 10.70.50.15 with SMTP id x15cs94148wxx;
Sat, 10 Jun 2006 13:54:10 -0700 (PDT)
Received: by 10.49.65.12 with SMTP id s12mr3523130nfk;
Sat, 10 Jun 2006 13:54:09 -0700 (PDT)
Return-Path:
Received: from dedie.phpnet.org ([87.98.197.119])
by mx.gmail.com with SMTP id l38si2758447nfc.2006.06.10.13.54.09;
Sat, 10 Jun 2006 13:54:09 -0700 (PDT)
Received-SPF: neutral (gmail.com: 87.98.197.119 is neither permitted nor denied by best guess record for domain of cartao@virtualsaopo.dedie.phpnet.org)
Received: (qmail 29762 invoked by uid 1000); 5 Jun 2006 02:24:24 -0000
Date: 5 Jun 2006 02:24:24 -0000
To: wesawthat@gmail.com
Subject: Amor, Olha o Cartao que eu Fiz para Voce Bjs Te Amo
X-Message-Status: s1:0
X-SID-PRA: Cartao Virtual Sapo
X-SID-Result: TempError
Errors-To: cartao@virtualsaopo.dedie.phpnet.org
From: Cartao Virtual Sapo
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-encoding: 8bit
Reply-To: Cartao Virtual Sapo
Message-ID: <7d850280ea5146462a680fcbd7af8375@>
Conversion-With-Loss: Yes
Sensitivity: 3
Expiry-Date: Never
X-Priority: 3
X-MSmail-Priority: High
X-Originating-Email: [Cartao Virtual Sapo]
X-Originating-IP: [200.201.120.121]
X-iGspam-global: Unsure, spamicity=0.748491 - pe=7.48e-01 - pf=0.748491 - pg=0.748491
X-oemPro-CSID: MjgxXzI3NA==
X-oemPro-MsgId: d2VzYXd0aGF0QGdtYWlsLmNvbQ0=

--email body here--
