A day before Michael Jackson’s new song, “This Is It,” was slated to premiere on michaeljackson.com on October 12, a spam run promoting a 45-second preview on YouTube was already making the rounds.
The email below, purporting to be from CNN.com, was spammed to users in an effort to trick them into clicking the link to watch the supposed preview.
Trend Micro threat experts analyzed the URL embedded in the email (http://www.{BLOCKED}hine.com/Support/index.html) and found it to be malicious. It redirected users to the following sites:
- http://{BLOCKED}aking-news.alerts.applest.com/audio/index.html
- http://{BLOCKED}aking-news.alerts.applest.com/audio/Michael_Jackson-The_brand_new_song.hta
These sites were injected with a malicious VBScript, detected by Trend Micro as VBS_PSYME.DLV. The script then led users to a remote site to download the file http://www.{BLOCKED}c.com/best/AutoCfg.exe, detected by Trend Micro as BKDR_RUNRUB.A.
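The redirect chain above ends with an .hta file followed by an executable download, a sequence that can be looked for in web proxy logs. The following Python is an added example, not code from the original post or from Trend Micro; the three-field log format, the placeholder hosts, the sample lines and the two-minute window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log lines (timestamp, client IP, URL); hosts are placeholders.
SAMPLE_LOG = """\
2009-10-11T09:00:01 10.0.0.5 http://lure.example/Support/index.html
2009-10-11T09:00:02 10.0.0.5 http://redirect.example/audio/index.html
2009-10-11T09:00:03 10.0.0.5 http://redirect.example/audio/song.hta
2009-10-11T09:00:09 10.0.0.5 http://payload.example/best/AutoCfg.exe
2009-10-11T09:05:00 10.0.0.7 http://vendor.example/tools/setup.exe
2009-10-11T09:10:00 10.0.0.8 http://redirect.example/audio/song.hta
2009-10-11T10:30:00 10.0.0.8 http://vendor.example/tools/setup.exe
"""

def parse(log_text):
    """Yield (time, client, url) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def ext(url):
    """Lower-cased extension of the URL path, ignoring any query string."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return name.rsplit(".", 1)[-1] if "." in name else ""

def find_hta_then_exe(log_text, window=timedelta(minutes=2)):
    """Return (client, hta_url, exe_url) where an .exe fetch follows an .hta fetch
    by the same client within the window (window length is an assumption)."""
    last_hta = {}  # client -> (time, url) of the most recent .hta fetch
    hits = []
    for ts, client, url in sorted(parse(log_text)):
        kind = ext(url)
        if kind == "hta":
            last_hta[client] = (ts, url)
        elif kind == "exe" and client in last_hta:
            hta_ts, hta_url = last_hta[client]
            if ts - hta_ts <= window:
                hits.append((client, hta_url, url))
    return hits

if __name__ == "__main__":
    for hit in find_hta_then_exe(SAMPLE_LOG):
        print(hit)
```

The lone .exe download by 10.0.0.7 and the .exe fetched by 10.0.0.8 more than an hour after its .hta request are not reported; only the client that follows the full sequence is.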
BKDR_RUNRUB.A is a Ruby-compiled malware that waits for an active Internet connection and then sends information from the infected user’s machine, such as the local computer name, local username, and IP address, to a malicious client. Information such as this may be used by cybercriminals to further their profiteering schemes or sold to other malicious users.
We urge users not to open suspicious-looking emails or click links that come from people they do not know. Cybercriminals will strive to make their malicious schemes seem legitimate, using the names of reputable news companies, such as CNN in this case, as bait.
Trend Micro Smart Protection Network™ protects both Windows and Mac users from this threat by blocking access to malicious URLs and preventing the download of malicious files.