A new spam run captured by our honeypot features a "nude movie" of Angelina Jolie. If the "nude movie" bit is not enough to entice you, maybe the scorching hot picture attached to the email will.

The spammed email message contains a supposed “direct link” to Angie’s nude movie. Of course, the "Watch" link will lead you to an EXE file. The EXE file link will not be that obvious though, because the URL is actually pointing to a Doubleclick redirector, like this one.

http://ad.{BLOCKED}click.net/click%3Bh=mqZjUUTkbIdoYRmqZjUUTkbIdoYRmqZjUUTk%3B%7Esscs=%253f

Below is a listing of the executable URLs.

http://{BLOCKED}gfruits.com/msvideoc.exe
http://{BLOCKED}omomouras.com/msvideoc.exe
http://{BLOCKED}ro.valuehost.ru/msvideoc.exe
http://{BLOCKED}c.com/msvideoc.exe
http://{BLOCKED}maggi.altervista.org/msvideoc.exe
http://{BLOCKED}b.info/msvideoc.exe
http://{BLOCKED}kennel.gr/msvideoc.exe
http://{BLOCKED}rn.altervista.org/msvideoc.exe
http://{BLOCKED}oserna.com/msvideoc.exe
http://www.{BLOCKED}i.ro/msvideoc.exe
http://www.{BLOCKED}ola.lv/msvideoc.exe
http://www.{BLOCKED}otel.eu/msvideoc.exe
http://www.{BLOCKED}ina.com/msvideoc.exe
http://www.{BLOCKED}ality.info/msvideoc.exe

The executable pointed to by the advertised URLs is now detected by Trend Micro as TROJ_DLOAD.DI. DLOAD variants typically access URLs that download nasty spyware onto PCs. These spyware steal user names and passwords from the infected PC and sends these over to a remote location, where malware writers can retrieve the information. Tough luck for users who have been too enchanted by Angelina Jolie to exercise caution in dealing with their mail. Meanwhile Trend Micro users, enchanted or not, are already protected by the Smart Protection Network.