New botnet spammed malware – Peals.F!plock

This is a big one, coming from hitherto unlisted botnet addresses – and it’s coming right now. I’m cross-referencing the blacklisted addresses now to see if I can see who’s had an expansion lately. SpamAssassin isn’t that great at picking it up, with about 10% getting straight through and about 90% failing to reach five points.

It’s a Microsoft Word document, apparently containing controversial malware Peals.F!plock. Little is known about this, other than that Security Essentials flags it, but others say it’s a false positive. Well, someone’s gone to a lot of trouble to send a “false positive”.

The messages all claim to come from “Stephanie Greaves”, sgreaves at, with a fixed subject of COS007202, which is unusual. You’d have thought that if you’re using a clean botnet you’d randomise things a bit. This is a genuine domain name (with no SPF – come on guys!) and for all I know, Stephanie Greaves is the name of a genuine victim. Their MX is a virtual server and they’re probably wondering why it’s been heavily loaded since 9am.

Whoever’s doing this has a pretty comprehensive spamming list, containing nearly all of my honeypots.


This same malware is now being sent out claiming to be from with the subject “Your receipt for today’s Ocado delivery”, and an HTML message looking like an Ocado receipt (as far as I can tell – I shop for my own groceries!) Again, Ocado doesn’t seem to have SPF set up.

The message text is:




Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.

Your order doesn’t have any substitutions, everything’s there.

See you later,




The fake Bombardier one reads:

Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD


Update: 20-Oct-15 11:22

The malware spam now looks like this:

From: Shaun Buzzard <>
To: <to_addr}}>  <-- Note error
Subject: Order

Hi ,

Please find attached order.


Kind regards.

Shaun Buzzard
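
The header quirks quoted in this post (the fixed subjects, the sender with nothing between the angle brackets, and the unrendered `<to_addr}}>` placeholder) can be checked mechanically alongside the Word attachment. The following is an added example, not code from the original post: the function names, the attachment name order.doc and the example.org addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Fixed subjects quoted in the post (either apostrophe style is accepted).
CAMPAIGN_SUBJECT = re.compile(r"^(COS007202|Your receipt for today.s Ocado delivery)$")
TEMPLATE_RESIDUE = re.compile(r"\{\{|\}\}")  # unrendered placeholder, e.g. <to_addr}}>
EMPTY_ADDRESS = re.compile(r"<\s*>")         # display name with no address behind it
WORD_FILE = re.compile(r"\.(doc|docm|docx)$", re.I)

def indicators(raw):
    """Return the set of campaign indicators found in one raw message."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    found = set()
    if any(TEMPLATE_RESIDUE.search(msg.get(h, "")) for h in ("From", "To", "Subject")):
        found.add("template_residue")
    if EMPTY_ADDRESS.search(msg.get("From", "")):
        found.add("empty_sender")
    if CAMPAIGN_SUBJECT.match(subject):
        found.add("campaign_subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/msword" or WORD_FILE.search(name):
            found.add("word_attachment")
    return found

def is_suspect(raw):
    """Flag a Word attachment only when a header indicator accompanies it."""
    found = indicators(raw)
    return "word_attachment" in found and len(found) > 1

def sample(sender, rcpt, subject):
    """Build a constructed test message; order.doc is a made-up file name."""
    return (f"From: {sender}\nTo: {rcpt}\nSubject: {subject}\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            "--b1\nContent-Type: text/plain\n\nPlease find attached order.\n"
            '--b1\nContent-Type: application/msword; name="order.doc"\n'
            'Content-Disposition: attachment; filename="order.doc"\n\nAAAA\n--b1--\n')

SPAM = sample("Shaun Buzzard <>", "<to_addr}}>", "Order")  # headers as quoted in the update
CLEAN = sample("Alice <alice@example.org>", "Bob <bob@example.org>", "Minutes")

if __name__ == "__main__":
    print(sorted(indicators(SPAM)), is_suspect(SPAM), is_suspect(CLEAN))
```

Requiring a header indicator as well as the attachment keeps ordinary Word documents from being flagged on their own.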


