From: "Microsoft Outlook On Behalf Of Anonymous Caller"
11-16-2013: Updated with newer image and link.
The image makes it easy to see why people click on these things.
I always like to start off with a bit of sarcasm and a few technical points directed at the spammer group. This one has a couple of flaws that I'm guessing they will fix, but until then count your blessings, because the exploit is real and only the delivery package is flawed.
After the sarcasm you'll find a bit of information on this drive-by redirect virus infection attempt via media player exploits.
Have you received your voice mail notice from some Microsoft Exchange Server via Outlook.Voicemail@microsoft.com, with the subject line "Voice Mail from 703-881-1228 (55 seconds)"?
I have to say some of the spam mails I've seen this month are very creative. It seems that the Spamming Community has fired their old marketing group and hired a fresher, more creative group.
I always wanted to get a Microsoft Exchange Voice Mail notice and now I have one. Thanks to the spam marketing department the Exploit.Kit almost did its thing. Now you need to test your exploit because it seems to be broken at the App level on the server.
Part of the header:
From: "Microsoft Outlook On Behalf Of Anonymous Caller" <firstname.lastname@example.org>
To: <me at my email>
Subject: Voice Mail from 703-881-1228 (55 seconds)
Below is the screen shot of the message:
http:// tweetsbazaar.com /5ACeRRyc /index.html
http:// www.luckylu.de / EuaWg3cd / index.html
Which has a short pause redirect page that says "Please wait.."
Then it redirects you to the payload virus website, located in the Cayman Islands.
The virus appears to be using media player applet exploits again.
applet/code="unnamedCasea.unnamedCased"/archive="Gam.jar" param name="uid" valu=123 value="N0b0909041f31313729083c2742423c2727373c292b310e3c040b043d2c391c372b1c1c0235391c" applet
The issue they have, from what I see, is that the applet tag is not correctly formed, so even if you don't have an AV to detect this one, the browser will most likely only display the code rather than run it.
The URL which you would be directed to for this exploit is:
http:// 173. 255. 221. 74 / tfvsfios6kebvras.php ? r=rs3mwhukafbiamcm
NOTICE: The text document does show what the site attempted to load using the link above. I have not confirmed it as being 100% broken, so be careful if you attempt to view this link as anything other than a text file.
I like the method of the drive by virus infection in that it will target more corporate users than home users.
The Microsoft Exchange Server in the footer with the official-looking Voice.Mail@yourdomain.com really looks like your IT Department has been thinking about you all weekend and set up a really cool voice-mail-to-email forwarding service just for you.
You should have noticed the characters that are encoded wrong, and when you moused over the N V50-062-NIDS.WAV link you should have seen that the URL isn't part of your domain network.
But if all that fooled you into clicking the link, I hope you find the same messed-up code as I did. The redirect drive-by code is a valid virus infection, but the application wasn't set up correctly to corrupt IE 9 / 10 with Media Player.
Don't worry, I'm sure the boyz at 18.104.22.168 from Cayman Islands (KY) in region Caribbean and West Indies will have it fixed soon.
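The mouse-over check above (does the link's host belong to the sender's domain?) and the tells of the landing page (a "Please wait.." refresh redirect and an applet pulling a .jar archive) can both be automated. The script below is an added example written for this post, not code from the original post or from any vendor; the sample email and landing page are constructed, with placeholder addresses (example.org, example.net) and a documentation IP (192.0.2.10) standing in for the real spam, and the applet class names are taken from the tag quoted above.

```python
"""Flag the phishing tells discussed in the post: off-domain links in a
voicemail lure, and a landing page that refresh-redirects to a Java applet.
Constructed example; sample data below is invented for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the "voicemail" link points off-domain.
SAMPLE_EMAIL = """\
From: "Microsoft Outlook On Behalf Of Anonymous Caller" <voicemail@example.org>
To: someone@example.org
Subject: Voice Mail from 703-881-1228 (55 seconds)
Content-Type: text/html

<html><body>
<p>You have a new voice mail.</p>
<a href="http://redirect.example.net/5ACeRRyc/index.html">N V50-062-NIDS.WAV</a>
<p>Microsoft Exchange Server - Voice.Mail@example.org</p>
</body></html>
"""

# Constructed landing page: pause-then-redirect, then an applet loading a jar.
SAMPLE_LANDING_PAGE = """\
<html><head><meta http-equiv="refresh" content="2;url=http://192.0.2.10/lander.php"></head>
<body>Please wait..
<applet code="unnamedCasea.unnamedCased" archive="Gam.jar">
  <param name="uid" value="N0b0909041f3131">
</applet></body></html>
"""


class _LinkAndAppletParser(HTMLParser):
    """Collect anchors (href + visible text), applet archives and meta-refresh targets."""

    def __init__(self):
        super().__init__()
        self.links = []       # (href, visible text)
        self.applets = []     # archive attribute of each <applet>
        self.refreshes = []   # url= target of each meta refresh
        self._current_href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current_href = attrs["href"]
            self._text = []
        elif tag == "applet":
            self.applets.append(attrs.get("archive", ""))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self.refreshes.append(m.group(1))

    def handle_data(self, data):
        if self._current_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            self.links.append((self._current_href, "".join(self._text).strip()))
            self._current_href = None


def link_findings(raw_email):
    """Return links whose host is neither the sender's domain nor a subdomain of it."""
    msg = message_from_string(raw_email)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    parser = _LinkAndAppletParser()
    parser.feed(msg.get_payload())
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            findings.append({"text": text, "href": href, "host": host,
                             "sender_domain": sender_domain})
    return findings


def landing_page_findings(html):
    """Return the landing-page tells: refresh redirects and applets that load a .jar."""
    parser = _LinkAndAppletParser()
    parser.feed(html)
    findings = ["meta refresh redirect to " + url for url in parser.refreshes]
    findings += ["applet loads archive " + a for a in parser.applets
                 if a.lower().endswith(".jar")]
    return findings


if __name__ == "__main__":
    for f in link_findings(SAMPLE_EMAIL):
        print("off-domain link: %(text)r -> %(host)s (sender is %(sender_domain)s)" % f)
    for f in landing_page_findings(SAMPLE_LANDING_PAGE):
        print("landing page:", f)
```

The sender-domain comparison is the weakest part of this check: the From header is attacker-controlled, so in production you would compare against your own organisation's domains rather than trusting the header, and treat a display name that claims one domain while the address carries another as a finding in its own right.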
Just remember a couple of things.
No one who really loves you will ever send you an "I Love You" subject line, and Microsoft will NEVER send you a Voice Message from @Microsoft.Com.
Have a great virus free day!
By the way, the exploit is called "Exploit.Kit" that should give you something to start looking for.
It is a Media Player Exploit so you know what program you need to update after you remove the virus.
If you need help feel free to click the Online Support. This virus will be about $25.00 to remove.
You can also download AVG from http://www.avg.com and run their AV software to clean up the mess. They also have remote technical support.
Last line offered by jsunpack.jeek.org: "Use NoScript, a limited user account and a virtual machine and be safe(r)!"
I don't know the jeek.org group and only found them from the unpack line in the code above. In any case, I enjoyed entering a few scripts and reading what others have submitted. As for the last line, I have a few training videos and lessons that can help you follow just what you need to do when surfing the web blindly.
Here's the virus link: (dead link) http:// harfordproperties . com / app . php ? messa ge = K y p 1 F C 8 5 Q m 8 d v Q O m Y k V V C 4 Q s R 2 j k w 3 S Q I I T I 4 U h n + 4 Y =
Now, if you search you might find the cached version but it's up to you if you can handle installing these viruses on your computers.