|
|
The Websense Security Labs ThreatSeeker Network has found out that there are spam emails which offer the recipients the links to some unpublished videos as well as pictures of pop singer Michael Jackson, which are being sent after the death of the singing sensation yesterday.
This spam email appears to be offering a link to a certain YouTube video, but actually this email sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file which is received by the persons is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is present on a legitimate Website in Australia that belongs to a radio broadcasting station. Once you execute the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm opens in the default browser so that the user gets distracted by the news article presented to them to read.
At the same time, three information-stealing components are downloaded in the background and the malware installs them on your PC. One of the downloaded files is called michael.gif, which has low AV detection rates. The malware then installs a malicious BHO that is registered with this file “%windir%Dynamic.dll” and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}.
Another component starts at “%windir%system32kproces.exe”. Another file installed which gets installed is the “%windir%system32fotos.exe”.
