Drugs

Livejournal blog used in spam

Spam received today, subject is:

I am lonely and I try to enjoy a life in itself.,Great ASS.

http://znd6728.livejournal.com

I prayed that this God would mend,Playing on Cam with my Wet Pink Pussy, Cam2Cam.

I can't remember seeing Livejournal used as an entry point before.

Anyway, the Livejournal blog is pulling images from dfrthgv.com and the link goes to
http://dfrthgv. com/hms/ (61.55.140.157).
The spam advertises porn, but dfrthgv. com redirects to various pharmacy sites.

From Canadian Pharmacy to scareware to RBN?

To start in the middle:
New version of a known malware (or scareware, rogue security software or whatever you prefer to call it) called MalwareDoc, hosted at malware-doc. com.

The file downloaded is called MDSetup.exe, VirusTotal score is 0/39.

A present from the same gang using the name "AntispyKnight".

This is going to be a bit messy.

The starting point

It all started with a spam:
"How many girls you will be able to do happy eating one only pill!"

Moneyloss for idiots

Fresh spam.

Subject: ***SPAM*** Updated Billing Information

Dear Senior,

Losing weight is possible. Don't despair. Take back control of your
weight and most importantly, your life. If others can do it, why not
you?

FatLoss4Idiots program helps you to lose weight, and it does that in the
most healthy-way, unlike other fad diets in the market. Also, with
fatloss4idiots, you are able to generate custom diet plans that compute
all of your calories.

But as we said, the decision is yours. Fatloss4idiots has proved to work

Asprox - Canadian/European Pharmacy

I earlier wrote that the domains hosted on the Asprox botnet redirected to Canadian/European sites.
Those were domains using the usual "naming pattern" of Asprox-hosted domains, like site60.co.uk, ioctl2.jp, ole55.us etc.

Now you find other domain names like bestpharmweb.com and the like directly hosted on the botnet.
They still redirect to Canadian Pharmacy sites.
And I have not been able to spot new domain names using the older "naming pattern" in the last few days.

Asprox domains November 29 - December 01, 2008

(First written December 02, last updated December 05)

Now redirecting to "European Pharmacy" sites (aka Canadian Pharmacy). And set up for some phishing.

0secure.bz, 27go.co.uk, 42cert.asia, 42snmp.name, 51apps.gs, 51exec.gs, 63mode.me, 6query.us, 77temp.eu, 79tmp.ws, 9batch.tk, ide92.ws, aspx37.me, ioctl2.jp, ole55.us, page65.tk, site60.co.uk

rollick@ / pugilism@

When visiting e.g. ole55. us I get redirected to leastcountry.com via the HTTP header:
Location: http://leastcountry.com


Asprox and the Anatrim spammers

I have briefly mentioned in one of my last postings that there are similarities between the email addresses in the whois info for spamvertised Anatrim domains and domains hosted on the Asprox botnet.
Asprox domains Sept 24 - 25
See that one for the complete whois info for domains using "mittener" in the email address.
