Storm Worm/eCard/Waledac Trojan (has used several names)

A place to discuss malware of every flavor, e.g. Storm, Waledac, Conficker and Zeus

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sat Feb 14, 2009 1:25 am

I uploaded it to virustotal. It's now up to 6/39 products detecting it (one of which is actually calling it Storm/Nuwar).

Virusbuster is not detecting it. It's entirely likely the version there right now is not the same one you uploaded, as they change it very frequently. It's also possible they're distributing a corrupted copy of the trojan, though this isn't an unusually poor detection rate for either Storm or Waledac due to their rapid mutations.
http://www.virustotal.com/analisis/10cb ... ced9886cff
MD5...: 461dd624287a18aaa1d7a84afcdd80fc
Antivirus Version ........ Last Update ........ Result
a-squared 4.0.0.93 ........ 2009.02.14 ........ -
AhnLab-V3 5.0.0.2 ........ 2009.02.13 ........ -
AntiVir 7.9.0.79 ........ 2009.02.13 ........ -
Authentium 5.1.0.4 ........ 2009.02.14 ........ -
Avast 4.8.1335.0 ........ 2009.02.14 ........ -
AVG 8.0.0.237 ........ 2009.02.14 ........ I-Worm/Nuwar.AA
BitDefender 7.2 ........ 2009.02.14 ........ Trojan.Waledac.Gen.1
CAT-QuickHeal 10 ........ 2009.02.13 ........ (Suspicious) - DNAScan
ClamAV 0.94.1 ........ 2009.02.14 ........ -
Comodo 976 ........ 2009.02.13 ........ -
DrWeb 4.44.0.09170 ........ 2009.02.14 ........ -
eSafe 7.0.17.0 ........ 2009.02.12 ........ -
eTrust-Vet 31.6.6357 ........ 2009.02.14 ........ -
F-Prot 4.4.4.56 ........ 2009.02.13 ........ -
F-Secure 8.0.14470.0 ........ 2009.02.14 ........ -
Fortinet 3.117.0.0 ........ 2009.02.14 ........ W32/PackWaledac.A
GData 19 ........ 2009.02.14 ........ Trojan.Waledac.Gen.1
Ikarus T3.1.1.45.0 ........ 2009.02.14 ........ -
K7AntiVirus 7.10.629 ........ 2009.02.13 ........ -
Kaspersky 7.0.0.125 ........ 2009.02.14 ........ -
McAfee 5525 ........ 2009.02.13 ........ -
McAfee+Artemis 5525 ........ 2009.02.14 ........ -
Microsoft 1.4306 ........ 2009.02.14 ........ -
NOD32 3852 ........ 2009.02.13 ........ -
Norman 6.00.02 ........ 2009.02.13 ........ -
nProtect 2009.1.8.0 ........ 2009.02.14 ........ -
Panda 10.0.0.10 ........ 2009.02.13 ........ -
PCTools 4.4.2.0 ........ 2009.02.13 ........ -
Prevx1 V2 ........ 2009.02.14 ........ -
Rising 21.16.50.00 ........ 2009.02.14 ........ -
SecureWeb-Gateway 6.7.6 ........ 2009.02.14 ........ -
Sophos 4.38.0 ........ 2009.02.14 ........ Mal/WaledPak-B
Sunbelt 3.2.1851.2 ........ 2009.02.12 ........ -
Symantec 10 ........ 2009.02.14 ........ -
TheHacker 6.3.2.1.256 ........ 2009.02.14 ........ -
TrendMicro 8.700.0.1004 ........ 2009.02.13 ........ -
VBA32 3.12.8.12 ........ 2009.02.14 ........ -
ViRobot 2009.2.14.1606 ........ 2009.02.14 ........ -
VirusBuster 4.5.11.0 ........ 2009.02.13 ........ -


I've sent it to AntiVir, though I think they get a copy of anything submitted to VirusTotal. It's stupid for Avast to not have a reporting mechanism. You're doing them a favor taking the time to keep them competitive.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sat Feb 14, 2009 1:51 am

Just for comparison, here is a current analysis of one I uploaded Feb 8:
http://www.virustotal.com/analisis/53e9 ... 73297f8966
As of Feb 12, the detection rate was 33/39. But initially, it was only 10/39, a pretty typical rate:
http://spywarehammer.com/simplemachines ... 4#msg14334

The trojans are encrypted, and their function is to allow other malware to be downloaded, so it's possible your AV program could initially miss them at download, but then detect them when they try to actually execute, though I wouldn't rely on it. But you definitely can't trust a download just because your AV program doesn't detect it.

I went with Avira after watching the malware forum at CC to see which programs did best. Avira came out on top, but none got 100%. Kaspersky and Symantec do pretty well, but are significantly more expensive than Avira's full AV/antispyware package. (Avira's AV alone is free).
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby MyCanadian Spammerdeath » Sat Feb 14, 2009 12:39 pm

That's a good tip, I may try Avira.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1132
Joined: Mon Feb 26, 2007 11:13 pm

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sat Feb 14, 2009 10:11 pm

Today's spam:
Subject: A Valentine's Day greetings for you
Billy has sent a Valentine greeting card and wrote:
"My Heart Wants To Say..."

It is waiting for you at our card site, go ahead and see it:
http://vq.cherishletter.com/?id=[code numbers]
Best Wishes, Christmas-Egreetings.Com.


Payload = dev.exe

MD5...: a1a05689f959792c3ce81a7eb2fb0edb
http://www.virustotal.com/analisis/0dd3 ... f0a79193a4
Antivirus Version ........ Last Update ........ Result
a-squared 4.0.0.93 ........ 2009.02.15 ........ -
AhnLab-V3 5.0.0.2 ........ 2009.02.14 ........ -
AntiVir 7.9.0.79 ........ 2009.02.13 ........ -
Authentium 5.1.0.4 ........ 2009.02.14 ........ -
Avast 4.8.1335.0 ........ 2009.02.14 ........ -
AVG 8.0.0.237 ........ 2009.02.14 ........ -
BitDefender 7.2 ........ 2009.02.15 ........ -
CAT-QuickHeal 10 ........ 2009.02.13 ........ (Suspicious) - DNAScan
ClamAV 0.94.1 ........ 2009.02.14 ........ -
Comodo 977 ........ 2009.02.14 ........ -
DrWeb 4.44.0.09170 ........ 2009.02.15 ........ -
eSafe 7.0.17.0 ........ 2009.02.12 ........ -
eTrust-Vet 31.6.6358 ........ 2009.02.14 ........ -
F-Prot 4.4.4.56 ........ 2009.02.14 ........ -
F-Secure 8.0.14470.0 ........ 2009.02.15 ........ -
Fortinet 3.117.0.0 ........ 2009.02.14 ........ W32/Waledac.D!worm
GData 19 ........ 2009.02.15 ........ -
Ikarus T3.1.1.45.0 ........ 2009.02.15 ........ -
K7AntiVirus 7.10.630 ........ 2009.02.14 ........ -
Kaspersky 7.0.0.125 ........ 2009.02.15 ........ -
McAfee 5526 ........ 2009.02.14 ........ -
McAfee+Artemis 5526 ........ 2009.02.14 ........ -
Microsoft 1.4306 ........ 2009.02.14 ........ -
NOD32 3853 ........ 2009.02.14 ........ a variant of Win32/Kryptik.HG
Norman 6.00.02 ........ 2009.02.13 ........ -
nProtect 2009.1.8.0 ........ 2009.02.15 ........ -
Panda 10.0.0.10 ........ 2009.02.14 ........ -
PCTools 4.4.2.0 ........ 2009.02.14 ........ -
Prevx1 V2 ........ 2009.02.15 ........ -
Rising 21.16.52.00 ........ 2009.02.14 ........ -
SecureWeb-Gateway 6.7.6 ........ 2009.02.14 ........ -
Sophos 4.38.0 ........ 2009.02.15 ........ Mal/WaledPak-A
Sunbelt 3.2.1851.2 ........ 2009.02.12 ........ -
Symantec 10 ........ 2009.02.15 ........ -
TheHacker 6.3.2.1.257 ........ 2009.02.15 ........ -
TrendMicro 8.700.0.1004 ........ 2009.02.14 ........ -
VBA32 3.12.8.12 ........ 2009.02.14 ........ -
ViRobot 2009.2.14.1607 ........ 2009.02.14 ........ -
VirusBuster 4.5.11.0 ........ 2009.02.14 ........ Trojan.Waledac.Gen!Pac.6


The statement on the VirusBuster website that they have the only product that can detect Waledac -- that was pretty strange. It couldn't be true more than a day at a time, since the code gets changed all the time. And they're located in Eastern Europe ... it's just a strange claim to make.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby MyCanadian Spammerdeath » Sat Feb 14, 2009 11:14 pm

AlphaCentauri wrote:The statement on the VirusBuster website that they have the only product that can detect Waledac -- that was pretty strange. It couldn't be true more than a day at a time, since the code gets changed all the time. And they're located in Eastern Europe ... it's just a strange claim to make.

Not sure what their location means.

They were likely quoting the message I sent them.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1132
Joined: Mon Feb 26, 2007 11:13 pm

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby Benzyl » Fri Feb 20, 2009 1:49 pm

httq://bluevalentineonline.com/ - Love vcard.exe 434KB.
httq://artmarket.or.kr/ecard.exe 52k , first one of many recently to not be broken.
Ruffian antics are a wrench in society's gears
Benzyl
Spam Muncher
 
Posts: 890
Joined: Wed Jan 03, 2007 10:19 am
Location: North Britain

Re:

Postby MyCanadian Spammerdeath » Fri Feb 20, 2009 2:14 pm

Red Dwarf wrote:nginx (Engine-X) is the worm's fingerprint (or worm casts?)

No, it's an httpd, or webserver software - in very common use, not always illicitly.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1132
Joined: Mon Feb 26, 2007 11:13 pm

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sun Mar 29, 2009 6:45 pm

It's interesting to look at web stats to see what search terms are leading people to your websites. I found this plaintive one:

win32 downadup can't find it i want kill it


I feel his pain. :(
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby meep » Sat Apr 04, 2009 12:29 pm

Interesting post on the MyWot forum (I replied to it already referencing SA reviewer work).

http://www.mywot.com/en/forum/3010-spam ... mment-9580

Sat 04 Apr 2009 08:33:29 AM UTC — g7w
Thought I'd start one.
Rate them RED
----------------------------

malingerie-coquine.com - spam AND adult (R) content

urbanfear.com - Waledac worm do NOT download the "codec / Flash upgrade"

meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sun Jul 05, 2009 9:13 pm

We've been neglecting Waledac -- they're pretty good at listwashing, so I don't see their spams. Gary Warner has been riding herd on them, though:
http://garwarner.blogspot.com/

Since his post, there is a newer version of the trojan with a different MD5 number, still very poorly detected:

http://www.virustotal.com/analisis/0c85 ... 1246838517
Antivirus Result
a-squared -
AhnLab-V3 -
AntiVir -
Antiy-AVL -
Authentium -
Avast -
AVG FakeAlert.LG
BitDefender -
CAT-QuickHeal (Suspicious) - DNAScan
ClamAV -
Comodo -
DrWeb -
eSafe -
eTrust-Vet -
F-Prot -
F-Secure Trojan:W32/Waledac.gen!J
Fortinet -
GData -
Ikarus -
Jiangmin -
K7AntiVirus -
Kaspersky -
McAfee -
McAfee+Artemis -
McAfee-GW-Edition Heuristic.LooksLike.Worm.J
Microsoft Trojan:Win32/Waledac.gen!A
NOD32 -
Norman -
nProtect -
Panda -
PCTools -
Prevx -
Rising -
Sophos Sus/Behav-283
Sunbelt -
Symantec -
TheHacker -
TrendMicro -
VBA32 -
ViRobot -
VirusBuster -
MD5...: 12c62c978b48e6302d6d674a9536a650


It's the standard fake YouTube screen that downloads the trojan if you click on it. Gary's got pix and a nice analysis of what the trojan does if you allow it to execute.

Nameservers:
ns[1-6].gemells.com
ns[1-6].entrank.com
ns[1-6].smophi.com
ns[1-6].biumer.com


Some domain names that are still alive:


Typical of waledac, the sites run on a one-seat botnet with a zero-second refresh rate:
; <<>> DiG 9.2.3 <<>> yourhandyhome.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;yourhandyhome.com. IN A

;; ANSWER SECTION:
yourhandyhome.com. 0 IN A 217.129.35.29

;; Query time: 1078 msec
;; SERVER: [munged])
;; WHEN: Sun Jul 05 20:34:48 2009
;; MSG SIZE rcvd: 51


(The "0" in "0 IN A" refers to the "time to live." That's how many seconds you can assume the domain will have the same IP address (A record) before it changes. When a computer queries to find out where the domain is, the TTL tells it how long it can cache the answer before it should go to the trouble of asking again. Most domains will have a TTL of 24 hours, which is why they tell you it may take that long before changes may show up. But this one tells them not to cache the information at all - they are to ask the nameserver where the domain is every time they need the information.)

Practically speaking, if you look up a waledac domain over and over, it will give you about 3 IP addresses per second. I checked for less than 5 minutes (00:09 - 00:14 UTC, 6 July 09) and got over a thousand, of which 136 were unique:


Lots of US IP addresses there -- no wonder the fellow in Hungary viewtopic.php?f=1&t=2925 was frustrated at being expected to stay on top of all the pwn3d Windows machines on his network.

And a reminder to everyone -- these are very highly rated antivirus products, but almost all missed it today, even after Gary submitted a previous version two days ago. If something is suspicious, assume it is malware. Don't rely on your AV program to tell you. Malware from links in spam is especially likely to be missed, since the authors can keep uploading newer versions to the same domain.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am
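The zero-TTL fast-flux behaviour described in the post above, turned into a small checker as an added example (not code from the forum or from any tool named in the thread): it parses the ANSWER SECTION of dig-style output like the one quoted, flags A records whose TTL is 0, and counts distinct IPs across repeated lookups the way the poster did by hand. The dig text, domain names and IP addresses below are constructed for the example (RFC 5737 documentation ranges), not values from the page.

```python
"""Flag zero-TTL / fast-flux style answers in dig output (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Matches one ANSWER SECTION line, e.g. "example.test. 0 IN A 203.0.113.5"
ANSWER_RE = re.compile(
    r"^(?P<name>\S+)\.\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answers(output: str) -> list[Record]:
    """Return the resource records listed in the ANSWER SECTION of dig output."""
    records: list[Record] = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                in_answer = False  # blank line or next ";;" header ends the section
                continue
            m = ANSWER_RE.match(line)
            if m:
                records.append(Record(m["name"], int(m["ttl"]), m["rtype"], m["rdata"]))
    return records


def flux_summary(outputs: list[str], max_ttl: int = 0) -> dict:
    """Aggregate A records over repeated lookups of the same name.

    'suspect' is set when every A answer has TTL <= max_ttl (clients told not
    to cache) AND more than one distinct IP was handed out, which is the
    pattern the post describes.
    """
    ips: Counter[str] = Counter()
    low_ttl = 0
    for out in outputs:
        for r in parse_dig_answers(out):
            if r.rtype != "A":
                continue
            ips[r.rdata] += 1
            if r.ttl <= max_ttl:
                low_ttl += 1
    answers = sum(ips.values())
    return {
        "lookups": len(outputs),
        "answers": answers,
        "unique_ips": len(ips),
        "low_ttl_answers": low_ttl,
        "suspect": answers > 0 and low_ttl == answers and len(ips) > 1,
    }


# Constructed dig output in the same layout as the one quoted in the post.
DIG_TEMPLATE = """; <<>> DiG 9.2.3 <<>> {name}
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;{name}. IN A

;; ANSWER SECTION:
{name}. {ttl} IN A {ip}

;; Query time: 12 msec
"""

# Four lookups of a hypothetical flux domain: TTL 0, three distinct IPs, one repeat.
SAMPLE_FLUX_OUTPUTS = [
    DIG_TEMPLATE.format(name="flux.example", ttl=0, ip=ip)
    for ip in ["203.0.113.5", "198.51.100.17", "203.0.113.5", "192.0.2.44"]
]
# A hypothetical ordinary domain: one IP, 24-hour TTL.
SAMPLE_STABLE_OUTPUTS = [
    DIG_TEMPLATE.format(name="static.example", ttl=86400, ip="192.0.2.10")
] * 3

if __name__ == "__main__":
    print(flux_summary(SAMPLE_FLUX_OUTPUTS))
    print(flux_summary(SAMPLE_STABLE_OUTPUTS))
```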

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sat Jan 02, 2010 8:33 pm

Fresh Waledac domains reported on Garwarner's blog:
http://garwarner.blogspot.com/2009/12/n ... -card.html

They've made it a little harder to find them ahead of the spam by requiring a subdomain and file name to view the page:
example domain: bpn.bedioger.com/postcard.html
(warning -- live domain!)
though Gary reports they're interchangeable.

Registered with who else -- China Springboard. But they didn't use the .cn TLD, so they have decided ICANN is less to be feared than CNNIC, apparently.

The sites have a picture of fireworks and say "Happy New Year," but don't appear to do anything. But there is a huge block of javascript code that just links to "bpn.bedioger.com/counter.php". That links to eiyeqgjdcerm.com/ld/trest1/
The trail goes cold there, because that domain has either been deleted or never registered. But you can simply load the file /wcap.exe from the spammed subdomain anyway.

Sudosecure has a really nice looking interface with their listing of IP addresses that they're finding:
http://www.sudosecure.net/waledac/ffns. ... om&field=3
if any of the affected ISPs look at it.

Detection of the payload, wcap.exe, isn't that bad at the moment, but some of the highest rated AV programs are missing it:
Antivirus Version Result
a-squared 4.5.0.46 Trojan.Win32.FakeAV!IK
AhnLab-V3 5.0.0.2 Dropper/Shdrv.230994
AntiVir 7.9.1.122 -
Antiy-AVL 2.0.3.7 -
Authentium 5.2.0.5 W32/Agent.IEP
Avast 4.8.1351.0 -
AVG 8.5.0.430 Generic2_c.GFS
BitDefender 7.2 Trojan.Generic.IS.104965
CAT-QuickHeal 10 -
ClamAV 0.94.1 -
Comodo 3451 ApplicUnwnt.Win32.Sniffer.Agent.~A
DrWeb 5.0.1.12222 -
eSafe 7.0.17.0 -
eTrust-Vet 35.1.7210 Win32/KillAV.GT
F-Prot 4.5.1.85 W32/Agent.IEP
F-Secure 9.0.15370.0 Trojan.Generic.IS.104965
Fortinet 4.0.14.0 W32/Agent.KTDM!tr
GData 19 Trojan.Generic.IS.104965
Ikarus T3.1.1.79.0 Trojan.Win32.FakeAV
Jiangmin 13.0.900 TrojanDownloader.Agent.acmj
K7AntiVirus 7.10.936 Trojan.Win32.Malware.3
Kaspersky 7.0.0.125 -
McAfee 5849 -
McAfee+Artemis 5849 -
McAfee-GW-Edition 6.8.5 -
Microsoft 1.5302 -
NOD32 4738 -
Norman 6.04.03 -
nProtect 2009.1.8.0 Trojan/W32.Agent.230994
Panda 10.0.2.2 W32/Netsky.FA.worm
PCTools 7.0.3.5 Trojan.Generic
Prevx 3 Medium Risk Malware
Rising 22.28.03.04 -
Sophos 4.49.0 -
Sunbelt 3.2.1858.2 Trojan.Win32.Generic!BT
TheHacker 6.5.0.3.125 -
TrendMicro 9.120.0.1004 -
VBA32 3.12.12.1 -
ViRobot 2009.12.31.2118 Dropper.Agent.230994
VirusBuster 5.0.21.0 -

Additional information
File size: 230994 bytes
MD5 : ab585c87652c933f82bbaddfd52ea15d

http://www.virustotal.com/analisis/0b79 ... 1262478475
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am

Re: Storm Worm/eCard/Waledac Trojan (has used several names)

Postby AlphaCentauri » Sat Jan 02, 2010 8:47 pm

Of course, China Springboard probably has no problems registering Waledac domains for their old friends from Glavmed/Spamit:

Canadian Pharmacy: provecopy.com
provecopy.com
DomainName : provecopy.com

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server: NS4.SHOECOAST.COM
Name Server: NS3.SHOECOAST.COM
Name Server: NS2.GRAYUNIQUE.COM
Name Server: NS5.6OX.RU
Name Server: NS6.6OX.RU
Name Server: NS1.GRAYUNIQUE.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Creation Date: 2009-09-29
Expiration Date: 2010-09-29
Last Update Date: 2009-12-22

Registrant ID: V-X-63712-21949
Registrant Name: WANG XINGJIA
Registrant Organization: WANGXINGJIA
Registrant Address: shanxilu37
Registrant City: JN
Registrant Province/State: ShanDong
Registrant Country Code: CN
Registrant Postal Code: 250018
Registrant Phone Number: +86.053181426310
Registrant Fax: +86.053181426310
Registrant Email: hjuahge@yeah.net

Administrative ID: V-X-63712-21949
Administrative Name: WANG XINGJIA
Administrative Organization: WANGXINGJIA
Administrative Address: shanxilu37
Administrative City: JN
Administrative Province/State: ShanDong
Administrative Country Code: CN
Administrative Postal Code: 250018
Administrative Phone Number: +86.053181426310
Administrative Fax: +86.053181426310
Administrative Email: hjuahge@yeah.net

Billing ID: V-X-63712-21949
Billing Name: WANG XINGJIA
Billing Organization: WANGXINGJIA
Billing Address: shanxilu37
Billing City: JN
Billing Province/State: ShanDong
Billing Country Code: CN
Billing Postal Code: 250018
Billing Phone Number: +86.053181426310
Billing Fax: +86.053181426310
Billing Email: hjuahge@yeah.net

Technical ID: V-X-63712-21949
Technical Name: WANG XINGJIA
Technical Organization: WANGXINGJIA
Technical Address: shanxilu37
Technical City: JN
Technical Province/State: ShanDong
Technical Country Code: CN
Technical Postal Code: 250018
Technical Phone Number: +86.053181426310
Technical Fax: +86.053181426310
Technical Email: hjuahge@yeah.net


Waledac: aweleon.com
DomainName : aweleon.com

RSP: China Springboard Inc.
URL: http://www.namerich.cn

Name Server: NS6.FAVOLU.COM
Name Server: NS3.FAVOLU.COM
Name Server: NS1.FAVOLU.COM
Name Server: NS2.FAVOLU.COM
Name Server: NS5.FAVOLU.COM
Name Server: NS4.FAVOLU.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Creation Date: 2009-10-27
Expiration Date: 2010-10-27
Last Update Date: 2009-12-31

Registrant ID: V-X-63712-21949
Registrant Name: WANG XINGJIA
Registrant Organization: WANGXINGJIA
Registrant Address: shanxilu37
Registrant City: JN
Registrant Province/State: ShanDong
Registrant Country Code: CN
Registrant Postal Code: 250018
Registrant Phone Number: +86.053181426310
Registrant Fax: +86.053181426310
Registrant Email: hjuahge@yeah.net

Administrative ID: V-X-63712-21949
Administrative Name: WANG XINGJIA
Administrative Organization: WANGXINGJIA
Administrative Address: shanxilu37
Administrative City: JN
Administrative Province/State: ShanDong
Administrative Country Code: CN
Administrative Postal Code: 250018
Administrative Phone Number: +86.053181426310
Administrative Fax: +86.053181426310
Administrative Email: hjuahge@yeah.net

Billing ID: V-X-63712-21949
Billing Name: WANG XINGJIA
Billing Organization: WANGXINGJIA
Billing Address: shanxilu37
Billing City: JN
Billing Province/State: ShanDong
Billing Country Code: CN
Billing Postal Code: 250018
Billing Phone Number: +86.053181426310
Billing Fax: +86.053181426310
Billing Email: hjuahge@yeah.net

Technical ID: V-X-63712-21949
Technical Name: WANG XINGJIA
Technical Organization: WANGXINGJIA
Technical Address: shanxilu37
Technical City: JN
Technical Province/State: ShanDong
Technical Country Code: CN
Technical Postal Code: 250018
Technical Phone Number: +86.053181426310
Technical Fax: +86.053181426310
Technical Email: hjuahge@yeah.net


The registrant name, address and phone number would obviously be faked. But I'm betting the spammers use an email address where they can get replies in order to complete the registration process.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5926
Joined: Thu Mar 01, 2007 3:01 am
