Although it has already been a few days since this came out in the news, it still isn’t surprising that a malware would use this bit of news to it’s advantage.

TrendLabs just received reports of malware related e-mails that uses the former dictator’s execution as a social engineering trick. The e-mail body of the said attack can be seen below (note: the images below are edited since some readers may find the content offensive).

The language used in the e-mail body is Portugese, and as such, infection may be targetted to affected countries only.

The image above is the e-mail body with the text converted roughly (thanks to Babelfish) to English. Note that when the user clicks on “Clique agui” (Click here), it will trigger the download of the file video_sadan.exe from the domain mauirealestate247.com. The executable file is responsible for the download of another malware file sys.exe, also hosted on mauirealestate247.com.

What’s interesting with this malware is it accesses the URL www.youtube.com/results?search_query=Enforcado. This effectively opens a YouTube search page using the keyword “Enforcado” which translates to a “hanged person” in Portugese. The search result returns several execution videos of the late dictator.

Lastly, to completely fool the user into thinking no malicious action was made by just clicking on “Clique agui”, the message box below is shown by the malware, saying “the archive shockwave32.dll was not found. the application is finished”.

Update(Jhoevine Capicio, Tue, 09 Jan 2007 01:32:13 AM)

sys.exe is now detected as TSPY_BANKER.FWW and video_sadan.exe is now detected as TROJ_BANLOAD.BLK