Since last week we have noticed a significant increase in a certain kind of spam message; all of them share several features.
All of them have the subject “Sensation.New Video - make haste to look!!!”, and as a social engineering lure they claim to link to a video about some piece of news; the latest one we have seen refers to the trailer of a film premiere.
All of them contain a link that starts with a google.com URL, Google's ad-click redirector (/pagead/iclk), whose adurl parameter carries the real destination, so the link looks trustworthy at first glance. The sites the links redirect to, and the links themselves (part of the path removed), are:
Server: http://pousadarecantonatureza.com.br/
IP: 67.15.48.41
City / Country: Houston (Texas) [United States]
Server: http://www.neufeld-media.de/
IP: 81.169.145.72
City / Country: Berlin [Germany]
http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE
http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE
http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc
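To spot this kind of link in a mail gateway or proxy log, the useful signal is not the google.com prefix but the adurl parameter that the /pagead/iclk redirector forwards to. The following Python is an example added to this alert (it is not Panda's code or tooling): it pulls the adurl target out of each link, flags links whose target leaves google.com, and singles out the rdown.php download script seen in this campaign. The sample list is constructed for the example from the three links above plus three benign or near-miss links; the "<removed>" path segment is left exactly as the alert shows it, not filled in.

```python
from urllib.parse import urlparse, parse_qs

# Links constructed for this example: the three from the alert above (the
# blog's "<removed>" path segment is kept as-is, not filled in), plus a
# google.com/pagead/iclk link that stays on google.com, an off-site redirect
# without rdown.php, and a plain link, so the filter has negatives as well
# as positives to run against.
SAMPLE_LINKS = [
    "http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE",
    "http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE",
    "http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc",
    "http://www.google.com/pagead/iclk?sa=l&ai=abc&num=1&adurl=http://www.google.com/",   # constructed, stays on google.com
    "http://www.google.com/pagead/iclk?sa=l&ai=xyz&num=2&adurl=http://www.example.org/",  # constructed, off-site, no rdown.php
    "http://www.example.org/news/",                                                        # constructed, not a redirect at all
]


def is_google_host(host):
    return host == "google.com" or host.endswith(".google.com")


def redirect_target(link):
    """Return the URL a google.com/pagead/iclk link forwards to via its
    adurl parameter, or None if the link is not such a redirect."""
    parts = urlparse(link)
    if not is_google_host(parts.hostname or ""):
        return None
    if parts.path != "/pagead/iclk":
        return None
    # parse_qs splits each pair on the first '=' only, so an adurl value
    # that itself contains '?' (the rdown.php token) survives intact.
    targets = parse_qs(parts.query).get("adurl")
    return targets[0] if targets else None


def classify(link):
    """Label a link by where the Google redirect actually sends the user."""
    target = redirect_target(link)
    if target is None:
        return "no-redirect"
    tparts = urlparse(target)
    if is_google_host(tparts.hostname or ""):
        return "redirect-internal"
    # The hallmark of this campaign: the ad-click redirect leaves google.com
    # and lands on an rdown.php script whose query string is an opaque token.
    if tparts.path.endswith("/rdown.php"):
        return "redirect-external-rdown"
    return "redirect-external"


def external_hosts(links):
    """Distinct off-site hosts hiding behind google.com redirects, sorted,
    ready to be fed to a block list."""
    hosts = set()
    for link in links:
        if classify(link).startswith("redirect-external"):
            hosts.add(urlparse(redirect_target(link)).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(classify(link), "<-", link)
    print("hosts to block:", external_hosts(SAMPLE_LINKS))
```

A rule that keys on the shape of the link (a google.com ad-click URL whose adurl points off-site) keeps catching the lure after the spammers move the download script to a new server, which a block list of the two hosts above alone would not; the rdown.php match is the narrower, campaign-specific indicator.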
From these URLs a file called "news_m.exe" is downloaded, which we detect as Trj/Downloader.SQV. This downloader in turn fetches another file, "vshost.exe", detected as Trj/Spammer.AGF, whose purpose is to send more spam messages like these.
In addition, another file called "Loca.exe" is downloaded. This one belongs to Trj/KillFiles.BU, which deletes some *.sys files from the system32/drivers directory, which can make the system unstable.
Other news headlines used as lures in these spam messages are:
Pamela Anderson divorces in third times!!!
CIA tortures prisoners!!!
Harry Potter was purchased by pentkhaus!!!
Two powerful earthquakes happened in the USA!!!
Michael Jakson glued up a person plaster!!!
Madonna reinvents herself as film director!!!
The extramarital son of John Kennedy appeared in Canada!!!
Posted under Malware Alerts
This post was written by Ted on February 25, 2008
