I’m not sure if this is new or not, but avast 6.0.1125 database version 110602-2 didn’t pick it up, nor did Malwarebytes’ Anti-Malware 1.51.0.1200 database version 6756 (2011-06-02). Spybot - Search & Destroy 1.6.2.46 (2011-06-01 detection update) didn’t catch it either.
The spam hit my e-mail two days ago on both my PC and my mobile device. The indexz29X.php appears to be some sort of virus or at the very least an e-mail hijack that turns your e-mail into a spam-bot.
I’m not knowledgeable enough to tinker with it so I’ll leave that to the experts. I am knowledgeable enough not to click on spam links in my e-mails though. I think it’s safe to say that any URL containing “indexz29X.php” is suspicious to say the least.
VirusTotal has nothing on them. Wepawet shows it as benign and URIBL has only the fautenhau-gastronomie.de site blacklisted.
I’m posting the links below for the security experts to play with from safe test-boxes.
THE LINKS BELOW ARE THE SUSPECTED PHP VIRUS LINKS: CLICK AT YOUR OWN RISK
and a new iteration:
hxtp://s013w192.srv13.mw-internet.net/indexz33X.php
All sites appear to redirect to:
Possible malware/virus link.
hxtp://rxpharmacytabletsdrugstore.net
TrendMicro reports this as a Malware site and Opera reports this as a phishing site.
Wepawet had the following results on this site, also showing it to be benign.
http://wepawet.iseclab.org/view.php?hash=dfd2e96b4cc5e58848ce91d87a30a76d&t=1307085785&type=js
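
A filter for the URL pattern this post describes, for running over mail bodies or proxy logs. This is an added example, not part of the original post. Treating the number between "indexz" and "X" as variable is an assumption based on the two values shown (29 and 33), and the hosts under example.test are constructed.

```python
import re
from urllib.parse import urlsplit

# Defanged schemes seen in reports (the post writes "hxtp"); normalised before parsing.
_DEFANGED = re.compile(r"\bh(?:xt|xx|tt)p(s?)://", re.IGNORECASE)
_URL = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
# Assumption: only the number varies between waves; match on the last path segment.
_LURE = re.compile(r"(?:^|/)indexz\d{1,4}X\.php$")


def refang(text):
    """Turn hxtp:// / hxxp:// back into http:// so the URL parser accepts it."""
    return _DEFANGED.sub(lambda m: "http" + m.group(1) + "://", text)


def find_lure_urls(text):
    """Return sorted (host, path) pairs for URLs whose path ends in the lure file name."""
    hits = set()
    for raw in _URL.findall(refang(text)):
        raw = raw.rstrip(".,;")  # drop sentence punctuation glued to the URL
        try:
            parts = urlsplit(raw)
        except ValueError:       # malformed host such as an unclosed "["
            continue
        if parts.hostname and _LURE.search(parts.path):
            hits.add((parts.hostname.lower(), parts.path))
    return sorted(hits)


# Constructed sample message text (not taken from the post).
SAMPLE = """\
Check this out hxtp://shop.example.test/indexz29X.php
Also http://blog.example.test/indexz33X.php.
Benign: http://www.example.test/index.php
Backup file: http://www.example.test/indexz29X.php.bak
Nested: http://cdn.example.test/a/indexz29X.php
"""

if __name__ == "__main__":
    for host, path in find_lure_urls(SAMPLE):
        print(host, path)
```
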