Snort mailing list archives

New phishing/Malware campaign


From: "Lay, James" <james.lay () wincofoods com>
Date: Mon, 20 Jun 2011 09:42:56 -0600

Thought folks may want to work on a sig for this...

Link that contains a copy of the email (I've seen multiple blog sites
that have this...the emails are exactly like this...looks like malicious
posts...do a Google search for "Federal Tax transfer rejected pdf.exe").
Enjoy.

James

http://gsujinbiblestudies.blogspot.com/2011/06/rejected-federal-tax-transaction.html

Headers:

GET /TAX25379001.pdf.exe HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: irs-web-report.info

HTTP/1.1 200 OK
Date: Mon, 20 Jun 2011 15:29:32 GMT
Set-Cookie: BX=64qgorh6vupqs&b=3&s=0f; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.irs-web-report.info
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml";, CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Mon, 20 Jun 2011 11:45:11 GMT
Accept-Ranges: bytes
Content-Length: 228864
Content-Type: application/octet-stream
Age: 0
Connection: close
Server: YTS/1.19.8

MZP.....................@...............................................
!..L.!..This program must be run under Win32

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
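The sig the post asks for, as an added example that is not part of the original message: three Snort 2.9 rules written against the request/response captured above. The SIDs in the local range (1000001-1000003), the flowbit name "local.pdfexe" and the msg strings are my own choices; $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the standard snort.conf variables, and the http_uri, http_header and file_data modifiers assume the http_inspect preprocessor is enabled, as it is in the stock snort.conf.

```snort
# Rule 1: outbound request for a double-extension executable (".pdf.exe"),
# matched on the normalised URI ("/TAX25379001.pdf.exe" in the capture).
# Also sets a per-flow flowbit so the response rule below can key off it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Double-extension executable download (.pdf.exe)"; flow:to_server,established; content:".pdf.exe"; nocase; http_uri; flowbits:set,local.pdfexe; classtype:trojan-activity; sid:1000001; rev:1;)

# Rule 2: any request carrying the Host header seen in the capture.
# Indicator-specific; expect the domain to change between campaigns.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Request to irs-web-report.info (fake IRS tax-rejection host)"; flow:to_server,established; content:"Host|3A| irs-web-report.info"; nocase; http_header; classtype:trojan-activity; sid:1000002; rev:1;)

# Rule 3: the reply to a flagged request is a PE file. file_data points at
# the HTTP response body; "MZ" must sit in its first two bytes and the DOS
# stub string from this sample must follow within 200 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL PE executable returned for .pdf.exe request"; flow:to_client,established; flowbits:isset,local.pdfexe; file_data; content:"MZ"; depth:2; content:"This program must be run under Win32"; within:200; classtype:trojan-activity; sid:1000003; rev:1;)
```

Rule 1 is the durable one; the double extension is the lure, so it survives a domain change. Rule 2 is a pure indicator and will rot. Rule 3 only fires on a flow rule 1 already marked, so it confirms that the server actually handed back an executable rather than a 404 or a decoy. The stub string "This program must be run under Win32" is what the Borland/Delphi linker emits and is what the capture shows; binaries linked with the Microsoft toolchain carry "This program cannot be run in DOS mode" instead, so drop that second content match if you want a generic MZ check. The capture shows no Content-Encoding, but the client offered gzip, so keep inspect_gzip on in http_inspect or a compressed copy of the payload would slip past the file_data match.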
