    Archive for March 21st, 2010




    TrendLabs observed an increase in malicious medical advertisements spammed to users’ e-mail inboxes. Two of the samples our engineers obtained looked legitimate and even had professional-looking graphics (see Figures 1 and 2). Another was just the normal, everyday, plain-text spam (see Figure 3).

    [Figures 1–4: sample spam messages referenced in the text; images not reproduced]

    The spammed messages enticed recipients to purchase the medicines the scammers were selling, luring them with supposedly huge discounts of 70 to 80 percent off all products. The messages also carried links that, when clicked, redirected users to a spoofed online store selling male organ-enhancing pills.

    More recently, a spam run that uses a new trick was discovered. Instead of asking recipients to click an embedded link or an image, it asked them to open the .JPG file attachment (an image of Viagra and Cialis) accompanied by the line, “DO NOT CLICK, JUST ENTER (a particular URL) IN YOUR BROWSER.” Because the URL is never rendered as a clickable link, filters that inspect only hyperlinks will miss it. The spammed messages also contained word salad, runs of random words intended to defeat content-based spam filters (see Figure 4).

    Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from reaching users’ inboxes at all via the email reputation service. It also blocks access to the malicious sites via the Web reputation service.

    Non-Trend Micro product users may also benefit from using free tools like eMail ID, a browser plug-in that helps users identify legitimate email messages in their inboxes.

    Additional text by Trend Micro anti-spam research engineer Gedrick Lacson




    Trend Micro came across a new FAKEAV variant that not only performs the usual fake-alert routine but also downloads an additional component: a .DLL file that is inserted into the Layered Service Provider (LSP) chain.

    By inserting itself into the LSP chain, the .DLL file is loaded into every application that uses Windows Sockets (Winsock). LSP technology is often abused by malware because it gives code a hook into network traffic without touching the browser itself. In this case, the FAKEAV component’s purpose is to prevent Web browsers from accessing certain sites.

    The .DLL file’s code contains a list of popular websites such as facebook.com, youtube.com, and myspace.com, among others. When loaded, it checks whether the host process is one of the following and, if so, starts blocking those sites:

    • iexplore.exe
    • firefox.exe
    • svchost.exe

    It replaces the HTML content of the accessed site with the fake alert page shown below.

    [Figure: fake alert page substituted for the blocked site’s HTML; image not reproduced]

    It allows users access only if the registry key HKEY_CURRENT_USER\Software\IS2010 exists on their systems. That key, however, exists only if the FAKEAV application Internet Security 2010 (detected as TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC) is present on the affected system. Thus, the alert keeps appearing for as long as one of these FAKEAV variants has not been “installed” on the affected system.
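    For responders who want to check a machine for this kind of tampering, the two indicators the post gives are an unexpected DLL in the Winsock LSP chain and the HKEY_CURRENT_USER\Software\IS2010 marker key. The script below is an added example, not Trend Micro’s code: it parses text in the layout printed by `netsh winsock show catalog` (the sample catalog, the GUIDs and the DLL path in it are constructed for the example, not taken from a real infection), flags layered providers whose DLL lives outside the Windows system directory, and checks an exported list of registry key paths for the marker named in the post.

```python
import re
from typing import Dict, List

# Constructed sample in the layout printed by `netsh winsock show catalog`.
# It is NOT captured from an infected host: the GUIDs, the DLL name and the
# Temp path are invented so the example runs offline. Entry 1 is a normal
# base provider; entry 2 imitates an LSP inserted by malware (a DLL loaded
# into every Winsock application from a user-writable directory).
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE-LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\Users\\victim\\AppData\\Local\\Temp\\hooklib.dll
Catalog Entry ID:                   1037
Version:                            2
Protocol Chain Length:              0
"""

# Directories from which a Winsock provider DLL is normally loaded.
# Comparison is case-insensitive; %SystemRoot% is left unexpanded because
# netsh prints it that way.
TRUSTED_DIR_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# Registry marker from the post: the LSP stops blocking once this key exists.
FAKEAV_MARKER_KEY = r"HKEY_CURRENT_USER\Software\IS2010"


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh-style catalog output into one dict per provider entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
            continue
        # Each field is "Key:   value"; split on the first colon only so
        # that drive letters in "C:\..." paths survive.
        if not current or ":" not in line:
            if entries and ":" in line:
                key, _, value = line.partition(":")
                entries[-1][key.strip()] = value.strip()
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def is_layered_provider(entry: Dict[str, str]) -> bool:
    """A layered provider is marked either by its entry type or by a chain length of 0."""
    entry_type = entry.get("Entry Type", "").lower()
    return "layered" in entry_type or entry.get("Protocol Chain Length") == "0"


def suspicious_lsps(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return layered providers whose DLL is not under the system directory."""
    findings = []
    for entry in entries:
        if not is_layered_provider(entry):
            continue
        path = entry.get("Provider Path", "")
        if not path.lower().startswith(TRUSTED_DIR_PREFIXES):
            findings.append({
                "catalog_entry_id": entry.get("Catalog Entry ID", "?"),
                "description": entry.get("Description", ""),
                "provider_path": path,
            })
    return findings


def has_fakeav_marker(present_keys: List[str]) -> bool:
    """True if an exported list of registry key paths contains the IS2010 marker."""
    wanted = FAKEAV_MARKER_KEY.lower()
    return any(re.sub(r"\\+", "\\\\", k).lower() == wanted for k in present_keys)


if __name__ == "__main__":
    for f in suspicious_lsps(parse_catalog(SAMPLE_CATALOG)):
        print("Suspicious LSP entry %s: %s -> %s"
              % (f["catalog_entry_id"], f["description"], f["provider_path"]))
    print("IS2010 marker present:", has_fakeav_marker([r"HKEY_CURRENT_USER\Software\IS2010"]))
```

    On a live Windows host the catalog text would come from `netsh winsock show catalog` and the key list from a registry export; here both are constructed inline so the logic can be checked offline. The path check is deliberately simple: a provider DLL under a user profile or Temp directory is the anomaly worth triaging, while a legitimate third-party LSP in Program Files would also be listed and needs manual review.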

    With this new technique, the malware causes more panic for users: accessing any of the listed sites displays a fake alert, making them believe the site they are trying to reach really is restricted. They are then more likely to install any antivirus product offered to them, and thus more inclined to “install” and pay for the rogue antivirus.

    Trend Micro product users need not worry, however, as Smart Protection Network™ protects their systems from this threat by detecting and blocking the download of the malicious files via the file reputation service. Non-Trend Micro product users can also stay protected with free tools like HouseCall, Trend Micro’s widely used on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice