I've seen a handful more of the same malware today spawned from similar\nspams that I saw yesterday.\n\nThe link for today's package is here:\n\nhttp://www.fileden.com/files/2008/7/19/2010382/DEC-9.ZIP\n\nPassword is "a" (no quotes). There's 2 subdirectories, one for each of\n2 examples that are pretty much the same thing.\n\nMost of these domains have been taken down a few hours ago, but I have\ntheir matching IP address here:\n\n==============\nSpam 1:\n\nRoot url:\nhxxp://probstgroup.com/15cd0f/index.html\n\nBrowser re-directed to:\nhxxp://wonderfulwrench.com/main.php?page=977334ca118fcb8c\n\nPdf downloaded from:\nhxxp://wonderfulwrench.com/content/fdp1.php?f=49\n\nprobstgroup.com -> 188.8.131.52\nwonderfulwrench.com -> 184.108.40.206\n\nlkco.in -> 220.127.116.11\nmusicdelight.info -> 18.104.22.168\nwww.lesposedimary.it -> 22.214.171.124\nanartistbooks.com -> 126.96.36.199\n\n========================\nSpam 2:\n\nhxxp://megamllc.com/dbc8d0/index.html megamllc.com -> 188.8.131.52\nhxxp://onurdogaltas.com/ajaxam.js onurdogaltas.com -> 184.108.40.206\nhxxp://organy.art.pl/ajaxam.js organy.art.pl -> 220.127.116.11\nhxxp://servispro.cz/ajaxam.js servispro.cz -> 18.104.22.168\nhxxp://www.laudarte.com/jscounter.js laudarte.com -> 22.214.171.124\n\nHere's an example of the spam:\n\n=================\nReturn-Path: <>\nReceived: from SEFRMUZ ([126.96.36.199])\nDate: Thu, 8 Dec 2011 22:07:33 -0500\nFrom: "The Electronic Payments Association" <>\nSubject: ACH transfer report\n\nThe ACH transfer (ID: 1006781299236), recently initiated from your\nchecking account (by you or any other person), was rejected by the\nElectronic Payments Association.\n\nRejected transfer\nTransaction ID: 1006781292346\nRejection Reason See details in the report below\nTransaction Report\nreport_1006781234236.doc (Microsoft Word Document)\n\n(doc file is hyper-linked to hxxp://probstgroup.com/15cd0f/index.html)\n\n13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100\n© 2011 NACHA - The Electronic Payments Association\n=========================\n\nprobstgroup.com -> 188.8.131.52\n\nSecond similar e-mail came in at Fri, 9 Dec 2011 06:00:44. Subject was\nslightly different (ACH rejection notice). Content was exactly the same\nexcept for the hyperlink:\n\nhxxp://megamllc.com/dbc8d0/index.html\nmegamllc.com -> 184.108.40.206\n\n============================================\n\nNotes / Observations\n\nI notices that regsvr32 transiently ran during the malware episode on my\nwin-98 system. I substituted the real "regsvr32.exe" for a custom -\ncompiled "dummy" that logged the argument passed to it. Here's an\nexample of the output of that log file:\n\nregsvr32 -s 0.634405514320961.exe\n\nSo regsvr32 was invoked in silent mode to execute the malare (but cctask\ndid not actually show me that the .exe file was ever "running" - maybe\nit failed to quickly to be seen).\n\nThis raises an important question: Can (or should) regsvr32.exe be\nremoved (or moved) on any given win32 system as an anti-malware tactic?\n\nI understand that it's probably a good idea to have a\nproperly-functioning regsvr32 when you want to install new software -\nbut is it needed at other times?\n\nOther question:\n\nDoes this particular malware perform changes to prefs.js that should be\nun-done?