Jul16
by Joey Costoya (Advanced Threats Researcher)

Sweeet!! I just won USD 500,000.00!!

But wait! Before I could claim my prize, I first had to email six (6!!) pieces of personally identifiable information to my agent, Mr. Chang Lazarus.

Nah... I think I’ll pass. I would rather not hand such information to someone I have never met.

This looks like another variation of the notorious 419 scams we’ve come to hate over the years.

These Beijing lotto notification letters have been floating around since late last year, as reported earlier in this blog. With the Beijing Olympics only weeks away, expect more of these scams to crop up. Trend Micro Smart Protection Network shields users from this spam run. Other users should think twice before even responding to these messages.

Posted in Security |


Jul15
by JM Hipolito (Technical Communications)

Music is made to affect people’s lives, not their computers.

A piece of malware that infects multimedia files, modifying them so that they demand the download of a fake codec when played, has recently been discovered.

It infects widely used multimedia file formats such as MP3 and WMA audio files and WMV video files by injecting malicious code. The malware is also capable of converting MP2 and MP3 files into Windows Media Audio (WMA) format. When a user tries to play an infected file, a popup message is displayed, asking the user to download a certain codec in order to play the file. The downloaded “codec” is, of course, nothing but malware.

Should the user play the same file again after the “codec” has been installed, the popup no longer appears, which may lead the user to believe that a codec really was installed on the system. But this is just the beginning: if the multimedia files are shared through a peer-to-peer network, anyone who downloads a music or video file from an affected system is at risk of getting infected as well.

Malware has posed as multimedia files and codecs before to entice users into downloading malicious files. Here are reports on some such instances in the past:

But this malware takes it to a new and more dangerous level: it manipulates a person’s own multimedia files and uses them against that person. People normally keep thousands of multimedia files on their systems, especially MP3s. If each file is infected by the malware and then shared through a P2P network, the user unknowingly turns into a malware host.
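The post says the malware rewrites MP2/MP3 files into WMA format, so one cheap indicator during cleanup is a media file whose container bytes contradict its extension (a file named .mp3 that actually starts with an ASF/WMA header). The following scanner is an added example written for this post, not Trend Micro’s detection logic; the container signatures are the standard ASF header GUID, the ID3 tag marker and the MPEG audio frame sync, and the sample library it builds is constructed test data, not real malware. A mismatch only marks a file for closer inspection; it is not proof of infection.

```python
"""Flag media files whose container type does not match their file extension."""
import os
import tempfile
from typing import Optional

# ASF header object GUID (shared by WMA and WMV containers), little-endian on disk.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ID3_MAGIC = b"ID3"

# Assumption: only these extensions are checked; anything else is ignored.
EXPECTED = {".mp3": "mpeg-audio", ".mp2": "mpeg-audio", ".wma": "asf", ".wmv": "asf"}


def sniff_container(head: bytes) -> str:
    """Classify a file from its leading bytes: 'asf', 'mpeg-audio' or 'unknown'."""
    if head.startswith(ASF_GUID):
        return "asf"
    if head.startswith(ID3_MAGIC):
        return "mpeg-audio"
    # Raw MPEG audio frame: 11-bit sync word (0xFFE) and a non-zero layer field.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0 and (head[1] & 0x06) != 0:
        return "mpeg-audio"
    return "unknown"


def check_file(path: str) -> Optional[dict]:
    """Return a verdict for one file, or None if its extension is not a media type we check."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXPECTED:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    actual = sniff_container(head)
    return {
        "path": path,
        "expected": EXPECTED[ext],
        "actual": actual,
        # Unknown content is not a mismatch; only a positively identified other container is.
        "mismatch": actual != "unknown" and actual != EXPECTED[ext],
    }


def scan_tree(root: str) -> list:
    """Walk a directory and return the paths whose container contradicts their extension."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            verdict = check_file(os.path.join(dirpath, name))
            if verdict and verdict["mismatch"]:
                flagged.append(verdict["path"])
    return sorted(flagged)


def build_sample_library() -> str:
    """Create a throwaway directory of constructed sample files (no real media, no malware)."""
    root = tempfile.mkdtemp(prefix="medialib_")
    samples = {
        "clean_song.mp3": ID3_MAGIC + b"\x03\x00" + bytes(10),   # ID3v2.3-tagged MP3
        "raw_frames.mp3": b"\xff\xfb\x90\x00" + bytes(12),        # untagged MPEG frame
        "video.wmv": ASF_GUID + bytes(8),                         # genuine ASF container
        "converted.mp3": ASF_GUID + bytes(8),                     # .mp3 name, ASF body: suspicious
        "notes.txt": b"not media",                                # ignored
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    library = build_sample_library()
    for path in scan_tree(library):
        print("extension/container mismatch:", path)
```

Run it against a real music folder by passing that path to `scan_tree` instead of the constructed library. Reading only the first 16 bytes keeps the scan fast over thousands of files, which is the scale the post describes.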

Trend Micro threat engineers detect this malware as TROJ_MEDPINCH.A, and the embedded/encrypted executable file in it as TSPY_LDPINCH.ASG. The Trend Micro Smart Protection Network assesses the reputation of downloaded files, preventing users from ever having to deal with the hassles of restoring their MP3 collections back to their clean states.

Posted in Malware |


Jul15
by Joey Costoya (Advanced Threats Researcher)

Below is a screenshot of the spammed email message in the spam run we’ve been monitoring since last week (still pointing to the bogus PornTube page). Only this time, the landing page of the email link is not R.HTML, but rather MAIN.HTML.


Figure 1. Sample spam with the main.html link.

The following are some of the subject lines used:

• US government war brothels

• Barack Obama graft trial begins

• Obama outrageous lies exposed

• Iran announces completion of nuclear weapon

On the other hand, the email message bodies used included the following:

• Have a break, have a Kit Kat - free online chocolate bar giveaways

• Pump prices in the US jump 40% on announcement

• American kids found to have the highest level of cholesterol in latest health survey

• Millions outraged over Medicare benefit cuts across the board for all Americans

As of this writing, we have seen 44 MAIN.HTML URLs. As usual, the M.HTML landing page is peppered with links to a VIDEO.EXE file, which Trend Micro now detects as TROJ_AGENT.AKCF.

Here is a screenshot of the fake PornTube site:


Figure 2. Screenshot of the fake PornTube site.

Another infection vector that we have seen is a legitimate Web site’s homepage. We have seen, and are monitoring, several homepages that have had the following meta tag inserted:

Porntube

The script file PERL.PHP downloads an MSVideoCodec.exe binary. Trend Micro is currently processing a detection for this executable. The .PHP file apparently does IP logging, since visiting the compromised page a second time only redirects you to Google. This incident has all the trappings of a toolkit being uploaded to compromised sites. The question that remains is how these sites were compromised in the first place.
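Because the PHP script logs visitor IPs and serves a harmless redirect on the second visit, re-fetching a suspect page over the network is an unreliable way to confirm the injection; checking the HTML stored on the web server is not. The scanner below is an added example written for this post, not Trend Micro code. It assumes that an injected meta tag of the kind described carries a URL on a host other than the site’s own (for example a refresh pointing at the fake PornTube page) and reports every meta tag whose content names an off-site host. The two pages it checks are constructed samples, and the host `malicious.example` is a placeholder.

```python
"""Report <meta> tags in stored HTML whose content points to a host other than the site's own."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute http(s) URLs inside an attribute value; stops at quotes, whitespace and ';'.
URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.IGNORECASE)


class MetaCollector(HTMLParser):
    """Collect the attributes of every <meta> tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            # html.parser lowercases attribute names; missing values become ''.
            self.metas.append({k: (v or "") for k, v in attrs})


def find_offsite_metas(html: str, site_host: str) -> list:
    """Return meta tags whose content references a host that is not site_host."""
    parser = MetaCollector()
    parser.feed(html)
    hits = []
    for meta in parser.metas:
        for url in URL_RE.findall(meta.get("content", "")):
            host = (urlparse(url).hostname or "").lower()
            if host != site_host.lower():
                hits.append({
                    "http-equiv": meta.get("http-equiv", ""),
                    "name": meta.get("name", ""),
                    "url": url,
                })
    return hits


# Constructed sample pages (assumed site host: www.example.com).
CLEAN_PAGE = """<html><head>
<meta name="description" content="Our company homepage">
<meta property="og:url" content="http://www.example.com/index.html">
<title>Example</title></head><body><p>Welcome</p></body></html>"""

INJECTED_PAGE = """<html><head>
<meta name="description" content="Our company homepage">
<meta http-equiv="refresh" content="0;url=http://malicious.example/main.html">
<title>Example</title></head><body><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for hit in find_offsite_metas(page, "www.example.com"):
            print(f"{label}: off-site meta ({hit['http-equiv'] or hit['name']}) -> {hit['url']}")
```

In practice, run `find_offsite_metas` over the homepage file read from the server’s document root and compare against a known-good copy; a meta refresh to an unfamiliar host in the site’s own files is the kind of change a web administrator would want alerted on regardless of what a browser visit currently shows.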

Posted in Security |


Jul14
by Paul Oliveria (Technical Communications)

Rumors about the Internet as we know it dying by 2012 have been circulating for some time now, so it’s not really that surprising when the TrendLabs Content Security team was alerted that a Trojan is taking advantage of this conspiracy theory in order to trick users into running it.

Then again, spammed emails with sensational headlines do make even the most cautious computer users take a peek (the latest NUWAR/Storm run being a prime example). What more when the headlines tell them that the Internet, which has practically been an extra limb for them since the last century, will suddenly be up for…TV-like subscriptions?

The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death, and based on the email subjects and details it arrives with (see sample messages below), it’s not easy NOT to double-click on it:

PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another malware is already up and running on their systems and doing malicious routines. The death of the Internet is going to be the least of their problems after that…

Trend Micro already blocks this spam with its Smart Protection Network. Other users, as always, are advised to keep their systems and applications up to date with the latest security patches and to be wary when opening suspicious email, no matter how interesting they appear to be.



Jul14
by Jake Soriano (Technical Communications)

Striking email subjects get the job done. Well, given another spamming operation that uses popular personalities and events, that seems to be the case. Using a variety of subject-body combinations (a lot of which are totally unrelated to each other!), these spammed messages again appeal to the curious mind, offering a link in the email body that would seem to provide more details.

TrendLabs’ Advanced Threats Researcher Joey Costoya says these messages lead users to an R.HTML Web page that also poses as an imitation of adult video-sharing site PornTube. The said page hosts the file VIDEO.EXE. We’ve seen this type of attack before in another spam run that also used pop culture as bait.

In this screenshot we see the upcoming Beijing Olympics being used to trick fans and those curious enough about the event to click the URL:


Figure 1. Spam showing unrelated subject heading and email body, possibly the result of using spam templates.

There are several of these VIDEO.EXE URLs, and some of the detections we have seen so far include:

• TROJ_ZLOB.GBA - notorious fake codec downloader

• TROJ_AGENT.AKCF - typical downloader

• TROJ_NUWAR.UW - Storm-related

The Trend Micro Smart Protection Network already blocks the spam messages using this trick, and likewise blocks all related malicious URLs, so Trend Micro users are protected from downloading the Trojans. Since the download locations can be updated at any time (today a user may download TROJ_ZLOB.GBA, but tomorrow it might be an entirely new malware), only multi-layered protection allows users to rest easy.

Posted in Spam |


© Copyright 2008 Trend Micro Inc. All rights reserved.