Jun 19
3:02 am (UTC-7)   |   by Gaye Ofilas (Anti-spam Research Engineer)

Cybercriminals pose as tattletales about to reveal something scandalous in a malicious spam run we’ve encountered recently.

Cybercriminals crafted the spam messages to look like an email from YouTube. Each message arrives with a link that supposedly points to a video posted on the video-sharing website.


The message is written in Portuguese and roughly translates to the following:


A friend sent a video to YouTube, the following message:
Open your eyes!
Much admire the way that treats all situations!
Well, I to the chase.
I said I would find a way to prove what I have been told to you many days.
Look at this video!
The two were thinking they had nothing recording were mistaken there is the video of the two transactions recorded in the cell.
You’ll thank me later because I have done it hugs.


Clicking the link triggers the download of Video.com, which is actually a worm detected by Trend Micro as WORM_RUNOUCE.G. Once installed on a system, WORM_RUNOUCE.G uses its own SMTP engine to send email messages to the contacts in the affected user’s address book. These emails use the following format:

FROM: [email address]
TO: {recipients name}
SUBJECT: {random name} is comming!
Attachment: PP.exe

The attachment PP.exe is a copy of WORM_RUNOUCE.G. This places the affected user’s contacts at risk of being infected by the same malware.

The intriguing nature of the message might just be enough to trigger curiosity in recipients’ minds and get them to open the email, which contains a different kind of malicious material. The Smart Protection Network blocks the spam email and detects the malicious file.
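The two indicators described above (a lure link whose path ends in an executable file name such as Video.com, and a propagation email with the "is comming!" subject plus a PP.exe attachment) can be checked at a mail gateway. The following is an added example, not Trend Micro's detection logic; the sample messages and hosts are constructed, and the `.scr` and `.pif` extensions are an assumption beyond what the post lists.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from urllib.parse import urlparse

# Indicators from the post: subject "{random name} is comming!", attachment
# "PP.exe", and a lure link that downloads a file named "Video.com".
SUBJECT_RE = re.compile(r"\bis comming!\s*$", re.IGNORECASE)
# .com and .exe come from the post; .scr and .pif are an added assumption.
EXEC_EXT = (".com", ".exe", ".scr", ".pif")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def executable_links(msg):
    """URLs whose *path* ends in an executable extension (a .com host is fine)."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # latin-1 decodes any byte sequence; URLs themselves are ASCII.
        text = part.get_payload(decode=True).decode("latin-1")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")
            if urlparse(url).path.lower().endswith(EXEC_EXT):
                hits.append(url)
    return hits

def classify(raw):
    """Return the names of the indicators a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    reasons = []
    if SUBJECT_RE.search(subject) and "pp.exe" in names:
        reasons.append("worm-propagation-mail")
    if executable_links(msg):
        reasons.append("link-to-executable")
    return reasons

# Constructed sample messages (not captured traffic); hosts are placeholders.
LURE = ("Subject: video\nContent-Type: text/plain\n\n"
        "Look at this video! http://video.example.invalid/watch/Video.com\n")
BENIGN = ("Subject: video\nContent-Type: text/plain\n\n"
          "http://www.youtube.com/watch?v=abc123\n")
PROPAGATION = (
    "Subject: Maria is comming!\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhi\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="PP.exe"\n\nMZ\n--b1--\n')

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN), ("propagation", PROPAGATION)):
        print(name, classify(raw))
```

The link check looks at the URL path rather than the host, so an ordinary link to a `.com` site is not flagged while a download named `Video.com` is.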




© Copyright 2009 Trend Micro Inc. All rights reserved.