[WSIS CS-Plenary] Trojan on our list!!

Carlos Afonso ca at rits.org.br
Fri Feb 11 11:17:29 GMT 2005


People, it seems our list is open to automatic registration, which 
allows for spamming bots to penetrate it.

This phishing originates from a USA ISP named Interland 
(abuse at interland.com), but is linked to a gang in Brazil, as the site 
containing the trojan is www.guiasaiadatoca.com.br (its Brazilian ISP 
has already blocked access to the site).

For the ones interested, full identification details as available on 
whois servers are in the attached text file.

I am notifying the USA ISP, with no hope of getting a response, as usual. 
I am also notifying the Brazilian Internet security group (www.nbso.nic.br), 
who do act.

Oh, yes, and please use GNU/Linux to avoid bad consequences of these 
attacks :)

fraternal rgds

--c.a.

Rui Correia wrote:

> Dear All
>
> The posting from rafa_2004 at terra.com.br <mailto:rafa_2004 at terra.com.br> 
> that appeared on this list with the subject “lembra de mim?” is spam, 
> urging users to click on the link to view his (Rafael Dante’s) photo. 
> From a Google search, I found out that the link takes you to a page 
> where a trigger downloads PSW.Banker.11.0, which is a Trojan that 
> captures bank account numbers and passwords. The Google search turned 
> up 19 different versions of Rafael supposedly wanting to organise a 
> reunion with his old friends, hence the photo, ‘so you can be sure it 
> is the right person’!!!
>
> The post from rafa_2004 at terra.com.br <mailto:rafa_2004 at terra.com.br> that 
> circulated on this list with the subject “lembra de mim?” is spam, 
> encouraging list members to click the link to see his (Rafael Dante's) 
> photo. After a Google search, I found that whoever clicks the link is 
> taken to a page that offers the download of PSW.Banker.11.O, a trojan 
> that captures bank account numbers and passwords and sends them to the 
> author of the malicious program. Google shows 19 versions of this trick, 
> asking people to look at the photo ‘so they can tell whether it is the 
> right person’!!!
>
> Rui
>
> ________________________________________________
>
>
> Rui Correia
> Advocacy, Media and Language Consultant
> 36 Finch St,
> Ontdekkers Park, Roodepoort,
> Johannesburg, South Africa
> Tel/ Fax (+27-11) 766-4336
> Cell (+27) (0) 83-368-1214
>
> -----Original Message-----
> *From:* plenary-admin at wsis-cs.org [mailto:plenary-admin at wsis-cs.org] 
> *On Behalf Of *rafa_2004 at terra.com.br
> *Sent:* 11 February 2005 06:29
> *To:* plenary at wsis-cs.org
> *Subject:* [WSIS CS-Plenary] lembra de mim?
> *Importance:* High
>
> Hello, how are you?
>
> My name is Rafael, and I found your email by chance; my friend told me 
> this was your email. I am not sure whether you are really the person who 
> studied with me at school, and I would like to throw a reunion party for 
> the whole gang; it would be nice to see the whole class again. Some have 
> died, unfortunately, but I am trying to get in touch with as many friends 
> from that time as possible, and I am inviting you to this party; I would 
> very much like to meet you again.
>
> So there is no mistake, I have a photo of myself; if you recognize me, 
> please get in touch. I look a bit different from back then, but I think 
> you can still remember me.
>
> My photo --> http://www.fee.unicamp.br/docentes/fotos/rafael.jpg 
> <http://www.guiasaiadatoca.com.br/images/rafael.scr>
>
> If it really is not you, please disregard this email, and sorry for the 
> inconvenience.
>
> Sincerely, Rafael Dante.
>
> _______________________________________________ Plenary mailing list 
> Plenary at wsis-cs.org 
> http://mailman.greennet.org.uk/mailman/listinfo/plenary 


-- 
++++++++++++++++++++++++++++++++++++++++++++++++
Carlos Afonso
planning director
Rede de Informações para o Terceiro Setor - Rits
Rua Guilhermina Guinle, 272, 6º andar - Botafogo
Rio de Janeiro RJ - Brasil         CEP 22270-060
tel +55-21-2527-5494        fax +55-21-2527-5460
ca at rits.org.br            http://www.rits.org.br
++++++++++++++++++++++++++++++++++++++++++++++++



-------------- next part --------------
1. Full source of the message as received by a Rits mailserver:
===============================================================

>From - Fri Feb 11 08:28:00 2005
X-Account-Key: account1
X-UIDL: MD50000186498:MSG:5652:29691890:3069820560
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <plenary-admin at wsis-cs.org>
Received: from seven.gn.apc.org (greennet2.poptel.org.uk [213.55.2.207])
	by rits.org.br (rits.org.br [200.198.184.110])
	(MDaemon.PRO.v7.1.1.R)
	with ESMTP id md50000050134.msg
	for <ca at rits.org.br>; Fri, 11 Feb 2005 02:32:34 -0200
X-MDSPF-Result: (none)
Received-SPF: none (rits.org.br: plenary-admin at wsis-cs.org does not
	designate permitted sender hosts)
	x-spf-client=MDaemon.PRO.v7.1.1.R
	receiver=rits.org.br
	client-ip=213.55.2.207
	envelope-from=<plenary-admin at wsis-cs.org>
	helo=seven.gn.apc.org
Received: from seven.gn.apc.org (localhost.localdomain [127.0.0.1])
	by seven.gn.apc.org (Postfix) with ESMTP
	id A6A333CA2; Fri, 11 Feb 2005 05:16:31 +0000 (GMT)
Delivered-To: plenary at mailman.greennet.org.uk
Received: from mail.gn.apc.org (greennet1.poptel.org.uk [213.55.2.205])
	by seven.gn.apc.org (Postfix) with ESMTP id 6F3293BA3
	for <plenary at mailman.greennet.org.uk>; Fri, 11 Feb 2005 04:58:22 +0000 (GMT)
Received: from localhost (unknown [192.168.0.2])
	by mail.gn.apc.org (Postfix) with ESMTP id E917314B778
	for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:22 +0000 (GMT)
Received: from ns3.webpor.net (unknown [216.150.18.18])
	by mail.gn.apc.org (Postfix) with ESMTP id CA38714B6A5
	for <plenary at wsis-cs.org>; Fri, 11 Feb 2005 04:08:21 +0000 (GMT)
Received: (qmail 30246 invoked by uid 48); 11 Feb 2005 01:38:34 -0000
Message-ID: <20050211013834.30245.qmail at ns3.webpor.net>
To: plenary at wsis-cs.org
From: rafa_2004 at terra.com.br
content-type: text/html
X-priority: 1
Received: from inter.net
Received: from dot.net
X-Virus-Scanned: by amavisd-new at gn.apc.org
Subject: [WSIS CS-Plenary] lembra de mim?
Sender: plenary-admin at wsis-cs.org
Errors-To: plenary-admin at wsis-cs.org
X-BeenThere: plenary at wsis-cs.org
X-Mailman-Version: 2.0.6
Precedence: bulk
Reply-To: plenary at wsis-cs.org
List-Help: <mailto:plenary-request at wsis-cs.org?subject=help>
List-Post: <mailto:plenary at wsis-cs.org>
List-Subscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
	<mailto:plenary-request at wsis-cs.org?subject=subscribe>
List-Id: Virtual WSIS CS Plenary Group Space <plenary.wsis-cs.org>
List-Unsubscribe: <http://mailman.greennet.org.uk/mailman/listinfo/plenary>,
	<mailto:plenary-request at wsis-cs.org?subject=unsubscribe>
List-Archive: <http://mailman.greennet.org.uk/public/plenary/>
Date: 11 Feb 2005 01:38:34 -0000
X-Lookup-Warning: MAIL lookup on plenary-admin at wsis-cs.org does not match 213.55.2.207
X-MDRcpt-To: ca at rits.org.br
X-Rcpt-To: ca at rits.org.br
X-MDRemoteIP: 213.55.2.207
X-Return-Path: plenary-admin at wsis-cs.org
X-MDaemon-Deliver-To: ca at rits.org.br
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11)
X-Spam-Report: 
	*  0.2 NO_REAL_NAME From: does not include a real name
	*  1.3 X_PRIORITY_HIGH Sent with 'X-Priority' set to high
	*  1.0 FROM_ENDS_IN_NUMS From: ends in numbers
	*  0.1 HTML_FONTCOLOR_RED BODY: HTML font color is red
	*  0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
	*  0.1 HTML_MESSAGE BODY: HTML included in message
	* -4.0 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
	*      [score: 0.0000]
	*  0.6 MIME_HTML_NO_CHARSET RAW: Message text in HTML without charset
	*  1.2 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
	*  2.2 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME headers
	*  0.7 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
X-Spam-Status: No, hits=3.7 required=5.0 tests=BAYES_00,FROM_ENDS_IN_NUMS,
	HTML_FONTCOLOR_RED,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,
	MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MSGID_FROM_MTA_HEADER,
	NO_REAL_NAME,PRIORITY_NO_NAME,X_PRIORITY_HIGH autolearn=no 
	version=2.63
X-Spam-Level: ***
X-Spam-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200
X-MDAV-Processed: rits.org.br, Fri, 11 Feb 2005 02:32:35 -0200

<HTML>

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<TITLE>rafa_2004 at terra.com.br</TITLE>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff>
<DIV>&nbsp;</DIV>
<P><FONT face=Tahoma size=2>Ola, tudo bem?</FONT></P>
<P><FONT face=Tahoma size=2>Meu nome é Rafael, e sem querer achei o seu email, 
meu amigo me disse que esse era o seu email, não tenho certeza se é voce mesmo 
que estudou comigo no colégio e gostaria de fazer uma festa de reencontro do 
pessoal todo, seria legal reencontrar a turma toda, alguns morreram 
infelizmente, mas eu estou tentando entrar em contato com o maior numero de 
amigos possiveis daquela época, e estou te convidando para ir a esta festa, 
gostaria muito de reencontra-lo.</FONT></P>

<P><FONT face=Tahoma size=2>Para não haver engano eu tenho uma foto minha, se me 
reeconhecer por favor entre em contato, estou um pouco diferente do que aquela 
época, mais acho que da para se lembrar de mim.</FONT></P>
<P><FONT face=Tahoma size=2>Minha foto --&gt; <font color="#ff0000"><A class=link1 
href="http://www.guiasaiadatoca.com.br/images/rafael.scr" 
target=_blank>http://www.fee.unicamp.br/docentes/fotos/rafael.jpg</A></font></FONT></P>
<P><FONT face=Tahoma size=2>Se não for voce realmente, por favor desconsidere 
este email, e desculpe pelo incomodo.</FONT></P>

<P><FONT face=Tahoma size=2>Atenciosamente Rafael 
Dante.</FONT></P></BODY></HTML>

_______________________________________________
Plenary mailing list
Plenary at wsis-cs.org
http://mailman.greennet.org.uk/mailman/listinfo/plenary


2. Identification of origin:
============================

whois.arin.net.
Results:

OrgName: Interland
OrgID: INTD
Address: 101 Marietta Street
City: Atlanta
StateProv: GA
PostalCode: 30039
Country: US

NetRange: 216.150.0.0 - 216.150.31.255
CIDR: 216.150.0.0/19
NetName: HOSTCENTRIC-NETBLK-4
NetHandle: NET-216-150-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS.DIALTONEINTERNET.NET
NameServer: NS2.DIALTONEINTERNET.NET
Comment:
RegDate:
Updated: 2004-07-14

OrgAbuseHandle: ABUSE579-ARIN
OrgAbuseName: ABUSE
OrgAbusePhone: +1-404-260-8434
OrgAbuseEmail: abuse at interland.com

OrgTechHandle: ASNAD3-ARIN
OrgTechName: ASNADMIN
OrgTechPhone: +1-404-260-8434
OrgTechEmail: asnadmin at interland.com

# ARIN WHOIS database, last updated 2005-02-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

3. Holder of the Brazilian domain pertaining to the Web site involved:
======================================================================

% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2005-02-11 09:04:14 (BRST -02:00)

domínio:      GUIASAIADATOCA.COM.BR
entidade:     Dacon Formaturas e Eventos LTDA
documento:    003.273.690/0001-40
responsável:  Manoel Carlos Gomes Chacon
endereço:     Rua Sao Jose, 495, 
endereço:     12010-190 - Taubate - SP
telefone:     (012) 2332656 []
ID entidade:  AVV35
ID admin:     LID14
ID técnico:   AVV35
ID cobrança:  AVV35
servidor DNS: NS1.CYBERHOSTING.COM.BR  
status DNS:   09/02/2005 AA
último AA:    09/02/2005
servidor DNS: NS2.CYBERHOSTING.COM.BR  
status DNS:   09/02/2005 AA
último AA:    09/02/2005
criado:       09/09/2003 #1344102
alterado:     07/12/2004
status:       publicado

ID:           AVV35
nome:         Alexandre Vieira Vianna
e-mail:       saiadatocajah at TERRA.COM.BR
endereço:     Rua dos Carteiros, 57, 
endereço:     12511-030 - Guaratingueta - SP
telefone:     (12) 3125-2270 []
criado:       03/09/2003
alterado:     07/12/2004

ID:           LID14
nome:         Licio Dacon
e-mail:       webmagazine at IG.COM.BR
endereço:     Av. JK, 77, 
endereço:     12366-000 - Sao Jose dos Pinhais - SP
telefone:     (24) 5589623 []
criado:       30/05/2000
alterado:     15/02/2004

remarks:     Security issues should also be addressed to
remarks:     nbso at nic.br, http://www.nbso.nic.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse at nic.br
 
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.

4. ISP in Brazil which was hosting the website (cyberhosting.com.br):
=====================================================================

% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2005-02-11 09:10:35 (BRST -02:00)

domínio:      CYBERHOSTING.COM.BR
entidade:     Cyber1 do Brasil Ltda.
documento:    004.019.962/0001-43
responsável:  Domingos José Ribeiro
endereço:     Rua Coromandel, 47, 
endereço:     05088-010 - São Paulo - SP
telefone:     (011) 36419291 []
ID entidade:  DJR23
ID admin:     DJR23
ID técnico:   GDL42
ID cobrança:  DJR23
servidor DNS: NS1.CYBERHOSTING.COM.BR 200.155.3.130 
status DNS:   10/02/2005 AA
último AA:    10/02/2005
servidor DNS: NS2.CYBERHOSTING.COM.BR 200.155.3.131 
status DNS:   10/02/2005 AA
último AA:    10/02/2005
criado:       03/07/2003 #1269112
alterado:     18/09/2004
status:       publicado

ID:           DJR23
nome:         Domingos J. Ribeiro - Cyber1
e-mail:       webmaster at CYBER1.COM.BR
endereço:     Rua Coromandel, 47, 
endereço:     05088-010 - SÃO PAULO - SP
telefone:     (11) 3641 9291 []
criado:       22/06/2001
alterado:     11/01/2005

ID:           GDL42
nome:         Ger. de Dominios Cyber1 do Brasil Ltda.
e-mail:       webmaster at CYBER1.COM.BR
endereço:     Rua Coromandel, 47, 
endereço:     05088-010 - São Paulo - SP
telefone:     (11) 3641-9291 []
criado:       16/08/2002
alterado:     11/01/2005

remarks:     Security issues should also be addressed to
remarks:     nbso at nic.br, http://www.nbso.nic.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse at nic.br
 
% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.
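An added example, not part of the list archive or written by either poster, that automates the two checks Rui and Carlos did by hand: walk the Received: chain above to the oldest hop with a verifiable public IP (the one whose netblock is queried in section 2) and flag the anchor whose visible URL shows a .jpg while its href fetches a .scr from the Brazilian site. The sample message is a constructed, trimmed copy of the headers and link from the source shown above; the anchor pattern is a simple regex, sufficient for a body like this one rather than a general HTML parser.

```python
import re
from email import message_from_string, policy
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: the Received: chain and the photo link from the
# message source above, trimmed to the header lines these checks read.
RAW = """\
Received: from seven.gn.apc.org (greennet2.poptel.org.uk [213.55.2.207])
Received: from localhost (unknown [192.168.0.2])
Received: from ns3.webpor.net (unknown [216.150.18.18])
    by mail.gn.apc.org (Postfix) with ESMTP id CA38714B6A5
Received: (qmail 30246 invoked by uid 48); 11 Feb 2005 01:38:34 -0000
From: rafa_2004@terra.com.br
Received: from inter.net
Content-Type: text/html

<P>Minha foto --&gt; <A href="http://www.guiasaiadatoca.com.br/images/rafael.scr"
target=_blank>http://www.fee.unicamp.br/docentes/fotos/rafael.jpg</A></P>
"""
EXEC_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat")
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ANCHOR = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def received_ips(raw):
    """Bracketed client IP per Received: header, newest hop first; None
    where the header (e.g. one inserted by the sender) names no address."""
    msg = message_from_string(raw, policy=policy.default)
    hits = [IP_IN_BRACKETS.search(str(h)) for h in msg.get_all("Received", [])]
    return [m.group(1) if m else None for m in hits]

def origin_ip(raw):
    """Oldest hop with a public IP: the host that handed the message to
    the list's own relays. Anything below it in the chain is unverifiable."""
    public = [ip for ip in received_ips(raw) if ip and ip_address(ip).is_global]
    return public[-1] if public else None

def deceptive_links(raw):
    """Anchors whose visible text is a URL on a different host than the
    href, or whose href ends in a Windows executable extension."""
    body = raw.split("\n\n", 1)[1]
    out = []
    for href, text in ANCHOR.findall(body):
        shown, real = urlparse(text.strip()), urlparse(href)
        if (shown.netloc and shown.netloc != real.netloc) \
                or real.path.lower().endswith(EXEC_SUFFIXES):
            out.append((shown.netloc, real.netloc, real.path.rsplit("/", 1)[-1]))
    return out
```

Headers below the last verifiable hop (the qmail line and the bare "from inter.net") carry no checkable address, which is why the whois lookup in section 2 targets 216.150.18.18 and not anything the sender wrote.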

