Archive for May 29th, 2007


May 29
by Carolyn Guevarra (Technical Communications)

Early this month, news of the disappearance of 4-year-old Madeleine McCann drew the attention of the public all over the world, and various communities have put efforts into action to help find the missing child.
One of these is the Official Web site, which was launched to support the search campaign. A fund-raising effort called “Madeleine’s Fund: Leaving No Stone Unturned” was also started to help finance the search for Madeleine, as well as to aid in the search for other abducted children.


As usual, scammers are leaving no stone unturned either when it comes to exploiting a situation for profit. Banking on the public’s curiosity and emotions, these scammers are using this tragic event to lure victims into giving out their credit card and bank account numbers.
These malicious users have created a series of fake Web sites that pose as the official bringmadeleinehome.com site and ask unsuspecting donors for donations.


Recently, Belgian IT security professional Didier Stevens discovered that clicking one of the links in the News items of the bringmadeleinehome.com site led to the download of a malicious JavaScript file, which is already covered by the generic Trend Micro detection JS_EXCEPTION.GEN. He noted, however, that “the Trojan was not hosted on or linked to from the findmadeleine.com site.”


May 29
by Sheryll Tiauzon (Advanced Threats Researcher)

Over the weekend, we intercepted a fairly typical-looking sample via our honeypots. The file we received was a Rich Text Format (RTF) document. Nothing new, you might think, and on initial inspection nothing seemed out of the ordinary. However, further analysis of the file revealed that it actually contained a malicious executable file embedded within the document itself.


Trend Micro already detects this as TROJ_ARTIEF.A.


When the embedded file is executed, it drops an HTML component in the Windows TEMP folder. The HTML file is then injected into the IEXPLORE.EXE process so that it is opened in a hidden Internet Explorer window each time the user runs IE.


It also downloads a file from:

http://66.116.{BLOCKED}.202/cp/scripts/scripts/updater.exe

and saves it to the Windows TEMP folder under the filename UPDATE.EXE. Because it uses the Adobe PDF icon, it tricks the user into thinking it is a harmless file. It even displays the following error message as part of its ploy.
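A signature-independent way to catch documents of this kind is to look inside the RTF for embedded OLE object data (`\objdata` groups) that hex-encodes a Windows executable. The scanner below is an added example written for this post, not Trend Micro code and not derived from the TROJ_ARTIEF.A sample itself; the RTF it scans is a constructed specimen carrying a fake PE header inside an OLE1 "Package" object, and the helper names (`find_embedded_pe`, `_ole1_class_name`, `CONSTRUCTED_RTF`) are the example's own.

```python
import re
import struct
from typing import Dict, List, Optional


def _fake_pe_blob() -> bytes:
    """Constructed stand-in for an embedded executable: a 64-byte DOS header
    whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def _ole1_native(data: bytes, class_name: bytes = b"Package") -> bytes:
    """Wrap data in the OLE1 native-data header that \\objdata carries:
    OLEVersion, FormatID (2 = embedded), length-prefixed class name,
    two reserved dwords, NativeDataSize, then the payload."""
    hdr = struct.pack("<II", 0x00000501, 2)
    hdr += struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
    hdr += struct.pack("<III", 0, 0, len(data))
    return hdr + data


# Constructed RTF specimen (not a real sample): a one-line document with an
# embedded "Package" object whose native data is the fake PE blob above.
CONSTRUCTED_RTF = (
    b"{\\rtf1\\ansi Invoice attached.\\par\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + _ole1_native(_fake_pe_blob()).hex().encode("ascii")
    + b"}}\n}"
)


def _ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the class name from an OLE1 native-data header, if present."""
    if len(blob) < 12:
        return None
    _version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or name_len > 260 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def find_embedded_pe(rtf: bytes) -> List[Dict]:
    """Return one finding per \\objdata group whose decoded bytes contain a
    DOS header with a valid e_lfanew pointing at a PE signature."""
    findings = []
    for m in re.finditer(rb"\\objdata\b(.*?)\}", rtf, re.S):
        # Drop stray control words, then keep only hex digits; real samples
        # break the hex across many lines, so whitespace is ignored too.
        raw = re.sub(rb"\\[a-zA-Z]+-?\d* ?", b"", m.group(1))
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        blob = bytes.fromhex(hexdigits.decode("ascii"))
        for mz in re.finditer(rb"MZ", blob):
            off = mz.start()
            if off + 0x40 > len(blob):
                continue  # too short to hold a DOS header
            e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
            if blob[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                findings.append({
                    "objdata_offset": m.start(),
                    "pe_offset": off,
                    "class_name": _ole1_class_name(blob),
                })
                break  # one hit per object is enough to flag it
    return findings


if __name__ == "__main__":
    for f in find_embedded_pe(CONSTRUCTED_RTF):
        print("embedded PE found:", f)
```

The check deliberately requires the `e_lfanew` pointer to land on `PE\0\0` rather than matching on `MZ` alone, which would otherwise fire on ordinary binary content inside legitimate embedded objects. In practice the scan belongs at the mail gateway, where the RTF attachment shown in the screenshot would be inspected before it ever reaches a mailbox.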

[Screenshot: errormsg.JPG, the fake error message displayed by the dropped file]

Below is a screenshot of the email containing the said attachment:

[Screenshot: screenshot1.JPG, the email carrying the RTF attachment]



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice