One trojan coming up
Saturday, September 3rd, 2005

Someone at 195.24.194.5 created a new page on my wiki. I decided to check that IP number out. It’s got a long and distinguished career in wiki spam, and it’s an open proxy. I believe wiki spammers are creating new orphan pages to spam. That would make more sense than defacing pages that already hold content, right? And it might quietly flit by a busy admin without him or her noticing.
Anyway, I looked for wiki spam, and one of the users of said proxy had a very interesting page. At scarletton.teenposes.com/bankers-long-term-care-insurance.html I found an iframe that went to 195.225.177.33. It then 302 redirected to 195.225.177.33/vx/ where I found a trojan waiting to be downloaded.
I don’t have a clue what it does (not coming near my system!), but the name of the file is win32.exe.
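A defender's counterpart to the iframe trick above, as an added example that is not part of the original post: a small Python scanner that pulls every iframe out of a page and flags the ones that point off-site, at a bare IP address, or are sized or styled to be invisible. The sample HTML and the 203.0.113.5 address are constructed.

```python
# Added example (not from the original post): flag <iframe> tags pointing off-site,
# at a bare IP, or hidden. SAMPLE_HTML is constructed; 203.0.113.5 is a documentation address.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """1x1/0x0 frames or CSS-hidden frames: nothing a visitor is meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that deserve a closer look."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host != page_host:
            reasons.append("off-site")
        try:
            ipaddress.ip_address(host or "")  # raises unless host is a literal IP
            reasons.append("bare IP")
        except ValueError:
            pass
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings

SAMPLE_HTML = """<html><body><h1>Long-term care insurance</h1>
<iframe src="http://example.com/quote.html" width="300" height="200"></iframe>
<iframe src="http://203.0.113.5/" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(src, "->", ", ".join(reasons))
```

Run against a saved copy of a suspect page; a frame that trips all three checks is the pattern described above, and the next step is to fetch its target with a non-executing client and record the redirect chain rather than a browser.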
The host is netcathost in Ukraine. Ukraine is the home of a LOT of spam, so that’s not surprising.
I went further, trying to figure out who owns this thing…
I found a domain on that server, with this whois info:
Danyelle Christian
Danyelle Christian (mortiis@ukr.net)
Chocho Street 16
Highland Beach
null,96365
US
Tel. +09.6070231
Fake name and address, in other words.
Those domains and that whois info have been implicated in browser hijacking in the past. McAfee christened a trojan associated with one of the domains StartPage-FX.