Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)

We have a special edition of our malware links today.  Two
American-Airlines ticket receipts, and two DHL package tracking links.

With all this airline flying and package ordering, looks like we're
going to have this economy up and running and back on its feet in no
time.

=====================
So where are we flying according to sample #1?

Date / Time of Departure:  25 MAY, 2013, 10:21 AM
Flight Time: 09:35
Arriving: Aurora
Seat: 73A/ZONE 2
Total Price: 269.69

Aurora - must be Aurora Illinois, airport code AAR.  Not sure if "flight
time" is flight duration.  I see that I have seat 73A - must be a really
long airplane.  Nice price.

Received: from s013-ct-ffm-r01.ec-c.net ([85.190.10.60])
X-Mailer: PHP/5.2.17

Here's the link:

hxxp://www.skdvikova.lt/images/index.php?get_ticket=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366481724/

File name:   Electronic Ticket No.exe
File type:  Win32 EXE
Detection ratio:  9/46
Analysis date:  2013-04-20 18:15:24 UTC

 Avast        Win32:Crypt-OQO [Trj]
 ByteHero     Trojan.Malware.Obscu.Gen.004
 ESET-NOD32   a variant of Win32/Kryptik.AYMJ
 Fortinet     W32/Dofoil.PHY!tr
 GData        Win32:Crypt-OQO
 Kaspersky    Trojan-Downloader.Win32.Dofoil.png
 Sophos       Mal/Weelsof-D
 VBA32        BScope.Trojan-Dropper.8612
 VIPRE        Trojan.Win32.Kuluoz.b (v)

===========================
So where are we flying, according to sample #2?

28 MAY, 2013, 10:37 PM
09:35
Newport News
$270.70
52F/ZONE 1

Ah - Newport News / Williamsburg International Airport (PHP).  Funny how
I don't see AA flying to that airport.  Must be a code-share.  I'm
seated in row 52 - that's a pretty big plane for such a small airport.

Received: from plesk3.au.syrahost.com ([27.54.90.12])
Subject: Order is processed

Cubs-tickets.com ???

The link:
hxxp://alqayyim.com/images/index.php?get_ticket=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366485945/

Detection ratio:  11/46
Analysis date:  2013-04-20 19:25:45 UTC

 Avast         Win32:Crypt-OQO [Trj]
 ByteHero      Trojan.Malware.Obscu.Gen.004
 Comodo        TrojWare.Win32.Trojan.Agent.Gen
 ESET-NOD32    a variant of Win32/Kryptik.AYMJ
 Fortinet      W32/Dofoil.PHY!tr
 GData         Win32:Crypt-OQO
 Kaspersky     Trojan-Downloader.Win32.Dofoil.png
 Panda         Suspicious file
 Sophos        Mal/Weelsof-D
 VBA32         BScope.Trojan-Dropper.8612
 VIPRE         Trojan.Win32.Kuluoz.b (v)

=============================

And now for a change of pace.  My DHL package tracking links.  Not sure
what I ordered - let's find out:

Received: from mail.securesolutions.at ([77.244.254.76])
Subject: Shipping Information
X-Mailer: SayMailSMTP

hxxp://www.k-anastasiou-sa.gr/images/index.php?info=_

https://www.virustotal.com/en/file/c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00/analysis/1366486230/

Detection ratio:    11/46
Analysis date:  2013-04-20 19:30:30 UTC

 Avast          Win32:Crypt-OQO [Trj]
 ByteHero       Trojan.Malware.Obscu.Gen.004
 Comodo         TrojWare.Win32.Trojan.Agent.Gen
 ESET-NOD32     a variant of Win32/Kryptik.AYMJ
 Fortinet       W32/Dofoil.PHY!tr
 GData          Win32:Crypt-OQO
 Kaspersky      Trojan-Downloader.Win32.Dofoil.png
 Panda          Suspicious file
 Sophos         Mal/Weelsof-D
 VBA32          BScope.Trojan-Dropper.8612
 VIPRE          Trojan.Win32.Kuluoz.b (v)

And how about another Fake DHL tracking link while we're at it:

hxxp://www.htsmiddelburg.co.za/images/index.php?info=_

Received: from customer ([199.168.97.202])
X-Mailer: MyPHPMailer

Same A/V hits as above.
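All four lures in the post share the same shape: a script-generated mailer header, a generic "order/shipping" subject, a link to some compromised site's /images/index.php taking a get_ticket= or info= parameter, and one and the same SHA-256 on VirusTotal. The triage routine below is an added example (not from the original post or any tool it mentions) that flags messages matching that pattern; the sample message and its 192.0.2.10 address are constructed, and the hash is the one quoted in the VirusTotal links above.

```python
import email
import hashlib
import re
from email import policy

# SHA-256 shown on all three VirusTotal links quoted in the post
KNOWN_BAD_SHA256 = "c32b6600ac2ad6db91f0ff18265bc0979562399015df986fc5788b7cf132be00"

# Lure URL shape seen in every link: <site>/images/index.php?get_ticket= or ?info=
LURE_URL = re.compile(
    r"https?://[^\s\"'<>]*/images/index\.php\?(?:get_ticket|info)=[^\s\"'<>]*", re.I
)

# Subject lines and X-Mailer values quoted from the posted messages
LURE_SUBJECTS = ("order is processed", "shipping information")
SUSPECT_MAILERS = ("php/", "saymailsmtp", "myphpmailer")


def triage_message(raw: str) -> dict:
    """Return the lure indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = LURE_URL.findall(text)
    mailer = str(msg.get("X-Mailer", "")).lower()
    subject = str(msg.get("Subject", ""))
    reasons = []
    if urls:
        reasons.append("lure-url")
    if any(m in mailer for m in SUSPECT_MAILERS):
        reasons.append("script-mailer")
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("lure-subject")
    # Two independent indicators are required before a message is flagged
    return {"subject": subject, "urls": urls, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


def is_known_sample(data: bytes) -> bool:
    """True if a fetched payload hashes to the sample the post reports."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256


# Constructed sample message, modelled on the headers quoted in the post
SAMPLE = """\
Received: from customer ([192.0.2.10])
Subject: Shipping Information
X-Mailer: MyPHPMailer
Content-Type: text/plain

Your DHL package is ready. Print the label here:
http://example.invalid/images/index.php?info=_
"""
```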

Re: Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)



While you're jerking off to virustotal uploads and determining how badly the
entire AV/AM industry sucks as a result of your super scientific
studies... Are you submitting ANY of the samples to various
antivirus/antimalware companies? Most of the ones I know of are happy to
accept new samples from people.

You would be far more productive doing that. You're wasting time posting
these virus total scan results on malware samples you get.
 

Sadly no. We have too many people with your critical thinking abilities
making the major decisions. We're all fucked.
 


--
... I'm heavily armed, easily upset, and off the medication.


Re: Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)



Let him post.  It makes him happy.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)



Mike do you believe Dustin can do the following? I don't! :)

"I can make google take you to any set of posts from anyone I want"


--
Jax

Re: Today's American-Airlines Ticket Receipt URL(s) (April 20, 2013)

Jax wrote:
 

Mike?

Who is Mike?
