South African targeted malware?

Tokolotshe

Honorary Master
Joined
Apr 20, 2005
Messages
12,149
Now why would Google be thanking me for my resume that I did not submit?
We just received your resume and would like to thank you for your interest in
working at Google. This email confirms that your application has been submitted
for an open position.

Our staffing team will carefully assess your qualifications for the role(s) you
selected and others that may be a fit. Should there be a suitable match, we
will be sure to get in touch with you.

Click on the attached file to review your submitted application.

Have fun and thanks again for applying to Google!

Google Staffing

The email headers tell another story, and there is simply no way this side of hell I will be opening my CV-20100120-112.zip attachment on a Windows system :)

Let us first look at the headers:
Return-Path: <resume-thanks@google.com>
X-Original-To: XXXX@XXXX.org
Delivered-To: XXXX@XXXX.org
Received: from relay08.smp.mweb.co.za (relay08.smp.mweb.co.za [196.28.80.28])
by XXXX.org (Postfix) with ESMTPS id 382BBBD803E3
for <XXXX@XXXX.org>; Sat, 6 Nov 2010 11:15:35 +0000 (UTC)
Received: from 41-133-147-146.dsl.mweb.co.za ([41.133.147.146] helo=google.com)
by relay08.smp.mweb.co.za with esmtp (Exim 4.72)
id 1PEgjV-0001zM-1R
for <XXXX@XXXX.org>; Sat, 06 Nov 2010 13:15:29 +0200
From: resume-thanks@google.com
To: XXXX@XXXX.org
Subject: Thank you from Google!
Date: Sat, 6 Nov 2010 13:13:53 +0200
MIME-Version: 1.0

I doubt Google will be using MWeb :p

Now off to my favourite *ix boxen, open the mail there, save the attachment and upload it to VirusTotal for analysis ... and we see my suspicion (duh!) is well founded.

However, more to the point, we find a link to Prevx:
Country Of Origin

The filename NVTASKBARINE.EXE was first seen on Nov 4 2010 in the following geographical region of the Prevx community:

* South Africa on Nov 4 2010

Naturally MWeb were alerted that one of their users is now a luser and needs some serious TLC so as to not let us all also become lusers.

Kudos to MWeb!

I received an auto-responder case number from MWeb immediately, but hardly five minutes after my abuse report MWeb had read my email (don't you love read-notify?). So at least it is not sitting in a queue while the bored abuse op is picking his nose, as is the case with another large wireless operator with an orange logo (the older one of the two).

However, if you see this one in your box, please report it. If South Africa is being targeted, we need to stop it ASAP.

The attachment file may have the following names or may be the name of the file inside the attached zip:
* WINRG.EXE
* WINRG[1].EXE
* DOCUMENT.EXE
* MAGICISO MAGIC ISO MAKER V5.5.0276 CRACKED.EXE
* ANTI-PORN V13.5.12.29.EXE
* RAPIDSHARE KILLER AIO 2010.EXE
* K-LITE MEGA CODEC V5.6.1 PORTABLE.EXE
* DOWNLOAD ACCELERATOR PLUS V9.EXE
* STARCRAFT2 BATTLE.NET KEY GENERATOR.EXE
* K-LITE MEGA CODEC V5.5.1.EXE
* AD-AWARE 2010.EXE
* ASHAMPOO SNAP 3.02.EXE
* BLAZE DVD PLAYER PRO V6.52.EXE
* ADOBE ACROBAT READER KEYGEN.EXE
* STARCRAFT2 BATTLE.NET KEYS.TXT.EXE
* NERO 9 9.2.6.0 KEYGEN.EXE
* MOTOROLA, NOKIA, ERICSSON MOBIL PHONE TOOLS.EXE
* NORTON INTERNET SECURITY 2010 CRACK.EXE
* ADOBE ILLUSTRATOR CS4 CRACK.EXE
* AVS VIDEO CONVERTER V6.3.1.365 CRACKED.EXE
* INTERNET DOWNLOAD MANAGER V5.EXE
* BITDEFENDER ANTIVIRUS 2010 KEYGEN.EXE
* PDF PASSWORD REMOVER (WORKS WITH ALL ACROBAT READER).EXE
* ADOBE PHOTOSHOP CS5 CRACK.EXE
* DAEMON TOOLS PRO 4.50.EXE
* DOWNLOAD BOOST 2.0.EXE
* VMWARE KEYGEN.EXE
* UNIBLUE REGISTRYBOOSTER 2010.EXE
* VMWARE 7.0 KEYGEN.EXE
* TOTAL COMMANDER7 LICENSE+KEYGEN.EXE
* KASPERSKY ANTIVIRUS 2010 CRACK.EXE
* GRAND THEFT AUTO EPISODES FROM LIBERTY CITY 2010.EXE
* STARCRAFT2 REGION-UNLOCKER.EXE
* RAPIDSHARE AUTO DOWNLOADER 3.8.EXE
* TWITTER FRIENDADDER 2.1.1.EXE
* TROJAN KILLER V2.9.4173.EXE
* MICROSOFT.WINDOWS 7 ULTIMATE FINAL ACTIVATOR+KEYGEN X86.EXE
* STARCRAFT2 SERVER-CHANGER.EXE
* WINDOWS2008 KEYGEN AND ACTIVATOR.EXE
* PDF-XCHANGE PRO.EXE
* WINDOWS 7 ULTIMATE KEYGEN.EXE
* TUNEUP ULTILITIES 2010.EXE
* SONY VEGAS PRO V9.0A INCL CRACK.EXE
* WINDOWS XP PRO CORP SP3 VALID-KEY GENERATOR.EXE
* PDF TO WORD CONVERTER 3.0.EXE
* LIMEWIRE PRO V4.18.3.EXE
* MCAFEE TOTAL PROTECTION 2010.EXE
* PDF UNLOCKER V2.0.3.EXE
* MYSPACE THEME COLLECTION.EXE
* ALCOHOL 120 V1.9.7.EXE
* CLEANMYPC REGISTRY CLEANER V6.02.EXE
* MP3 SPLITTER AND JOINER PRO V3.48.EXE
* IMAGE SIZE REDUCER PRO V1.0.1.EXE
* YOUTUBE MUSIC DOWNLOADER 1.0.EXE
* SOPHOS ANTIVIRUS UPDATER BYPASS.EXE
* GOOGLE SKETCHUP 7.1 PRO.EXE
* WINDOWS 2008 ENTERPRISE SERVER VMWARE VIRTUAL MACHINE.EXE
* NORTON ANTI-VIRUS 2010 CRACK.EXE
* DVD TOOLS NERO 10.5.6.0.EXE
* SUPER UTILITIES PRO 2009 11.0.EXE
* POWER ISO V4.2 + KEYGEN AXXO.EXE
* WINRAR V3.X KEYGEN RAZOR.EXE
* WINAMP.PRO.V7.33.POWERPACK.PORTABLE+INSTALLER.EXE
* G-FORCE PLATINUM V3.7.5.EXE
* STARCRAFT2.EXE
* ANYDVD HD V.6.3.1.8 BETA INCL CRACK.EXE
* YOUTUBEGET 5.4.EXE
* DIVX PRO 7 + KEYMAKER.EXE
* MS09-067.EXE
 
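The header check the post walks through by eye (the Received chain shows the message entering MWeb's relay from a DSL line that announced itself as google.com, while From and Return-Path claim google.com) can be automated. The script below is an added example, not code from the post or from any of the parties mentioned; the sample message is constructed from the headers quoted above with the continuation lines re-folded, and the attachment heuristics use a few of the filenames from the list. All domain-matching rules and the "residential host" pattern are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, re-folded so that the
# continuation lines start with whitespace as RFC 5322 requires.
RAW_HEADERS = """Return-Path: <resume-thanks@google.com>
X-Original-To: XXXX@XXXX.org
Delivered-To: XXXX@XXXX.org
Received: from relay08.smp.mweb.co.za (relay08.smp.mweb.co.za [196.28.80.28])
 by XXXX.org (Postfix) with ESMTPS id 382BBBD803E3
 for <XXXX@XXXX.org>; Sat, 6 Nov 2010 11:15:35 +0000 (UTC)
Received: from 41-133-147-146.dsl.mweb.co.za ([41.133.147.146] helo=google.com)
 by relay08.smp.mweb.co.za with esmtp (Exim 4.72)
 id 1PEgjV-0001zM-1R
 for <XXXX@XXXX.org>; Sat, 06 Nov 2010 13:15:29 +0200
From: resume-thanks@google.com
To: XXXX@XXXX.org
Subject: Thank you from Google!
Date: Sat, 6 Nov 2010 13:13:53 +0200
MIME-Version: 1.0

"""

# "from <host> (<rdns> [<ip>] helo=<name>)" as Postfix and Exim write it.
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]"
    r"(?:\s+helo=(?P<helo>\S+))?\)"
)
# Assumed marker for consumer/dynamic lines; tune to your own environment.
RESIDENTIAL_RE = re.compile(r"\b(dsl|adsl|dyn|dynamic|pool|ppp)\b", re.I)
CC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov"}


def registrable_domain(host):
    """Crude registrable-domain cut: handles plain TLDs and co.za-style pairs."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in CC_SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_headers(raw):
    """Return origin hop details and a list of findings for the message."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append(m.groupdict())
    # Received headers are prepended, so the last one is the first hop.
    origin = hops[-1] if hops else {}
    from_domain = parseaddr(msg.get("From", ""))[1].partition("@")[2]
    findings = []
    helo = origin.get("helo")
    if helo and registrable_domain(helo) != registrable_domain(origin["host"]):
        findings.append("helo-mismatch")      # HELO name does not belong to the connecting host
    if from_domain and all(
        registrable_domain(h["host"]) != registrable_domain(from_domain) for h in hops
    ):
        findings.append("from-domain-mismatch")  # no hop belongs to the claimed sender domain
    if origin and RESIDENTIAL_RE.search(origin["host"]):
        findings.append("residential-origin")  # first hop looks like a consumer line
    return {
        "origin_ip": origin.get("ip"),
        "origin_host": origin.get("host"),
        "origin_helo": helo,
        "from_domain": from_domain,
        "findings": findings,
    }


EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOC_EXT = {"txt", "pdf", "doc", "xls", "jpg", "zip"}
ARCHIVE_EXT = {"zip", "rar", "7z"}


def suspicious_attachment_name(name):
    """Reasons an attachment name deserves a second look (empty list if none)."""
    parts = name.lower().split(".")
    reasons = []
    if parts[-1] in EXEC_EXT:
        reasons.append("executable")
        if len(parts) >= 3 and parts[-2] in DOC_EXT:
            reasons.append("double-extension")  # e.g. KEYS.TXT.EXE posing as a text file
    elif parts[-1] in ARCHIVE_EXT:
        reasons.append("archive-inspect-contents")  # the payload may be an .exe inside
    return reasons


if __name__ == "__main__":
    print(analyze_headers(RAW_HEADERS))
    for n in ("CV-20100120-112.zip", "STARCRAFT2 BATTLE.NET KEYS.TXT.EXE"):
        print(n, suspicious_attachment_name(n))
```

On the sample above the script reports the origin as 41.133.147.146 announcing itself as google.com, and raises all three findings; the zip attachment is marked for content inspection rather than flagged outright, which matches the post's own step of unpacking it on a non-Windows box before deciding.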

cpu.

Executive Member
Joined
Jun 23, 2010
Messages
5,423
I'll advise you to learn the difference between spam and real mail. Otherwise you're gonna end up with a d|ck bigger than your arm, several honorary degrees and high on meds.
 

HapticSimian

Honorary Master
Joined
Apr 22, 2007
Messages
15,950
I'll advise you to learn the difference between spam and real mail. Otherwise you're gonna end up with a d|ck bigger than your arm, several honorary degrees and high on meds.

http://www.youtube.com/watch?v=mE3ehB9jpts&feature=related
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,196
Smart sysadmins always have one or two Unix boxen available to dissect such junk :D

I got something in the same vein from Coca-Cola a while ago - and submitted it to VirusTotal via a Unix box... and discarded said email soon thereafter.

@OP - do you make use of Spamhaus' ZEN list?
 