‘Classmates Reunion’ Used as Malware Ploy

Class reunion invitations, supposedly from classmates.com, have been seen in spam recently. Recipients of these messages are asked to click a link in the message to get the details of the “reunion” and to watch a related video.

The IP origins of the sample spam messages indicate that they were sent by spam bots using dynamic IPs from various dialup and broadband ISPs.

Figure 1. Sample spammed message, supposedly from classmates.com.

Clicking the link actually directs users to a malicious web page. There, a message prompts them to update their Adobe player in order to view the reunion video, tricking them into executing a malicious file.

Trend Micro detects the file as TROJ_AGENT.ADB.

Figure 2. Snapshot of the malicious website.

The Trojan connects to a remote URL to download TSPY_AGENT.AHCN. This spyware gathers information such as MS IE FTP passwords and WinInetCacheCredentials, which are Protected Storage items, and uses HTTP POST to send the gathered data to certain URLs.

This information-stealing routine risks exposing the victim’s sensitive information, which cybercriminals may then use for malicious purposes. TSPY_AGENT.AHCN also has rootkit capabilities that let it hide its files and processes from the user.

The Trend Micro Smart Protection Network already blocks these spammed messages and detects the Trojan and the spyware, keeping users’ PCs safe from infection. Non-Trend Micro users are always cautioned against trusting unsolicited email messages: clicking links and downloading files from unknown locations almost always leads to malware.


© Copyright 2011 Trend Micro Inc. All rights reserved.