DP's Security Bits

Websense Security Labs™ ThreatSeeker™ Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports Michael Jackson's death was confirmed yesterday.

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates - see VT results here. The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Alert Details