The spam messages our filters caught this time keep their text short and malicious, relying on catchy headlines so absurd they may actually pique readers' curiosity.
Below are screenshots of spammed email messages:
The address bars and Subject fields carry sensational headlines whose details are supposedly in the attached video. The attachment is actually a compressed file which, when opened, contains not a video but a malicious executable file named Exclusive.Cut.avi.exe. The file uses the double-extension technique commonly used by malware authors to trick users into executing malware: the .avi portion suggests a video, while the real, final extension is .exe. Trend Micro detects the malicious file as TROJ_FAKEALER.FR.
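One way a mail gateway or incident responder can flag this trick is to look inside a compressed attachment and test each entry for an executable final extension hidden behind a media or document extension. This is an added example, not code from Trend Micro or from the original post; the extension lists are assumptions, and the sample archive is constructed here with an inert placeholder that only borrows the reported file name.

```python
import io
import zipfile

# Final extensions Windows will execute directly (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Decoy extensions a user expects to open as a video or document (assumed list).
DECOY_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".mp4", ".jpg", ".pdf", ".doc", ".txt"}


def is_double_extension(name: str) -> bool:
    """True when the file name ends in an executable extension but also carries
    an earlier decoy extension, e.g. 'Exclusive.Cut.avi.exe'."""
    base = name.rsplit("/", 1)[-1].lower()        # zip entries may include a directory
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]           # every extension after the first dot
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTS:
        return False                              # single extension is not the trick
    return any(ext in DECOY_EXTS for ext in exts[:-1])


def scan_zip_attachment(data: bytes) -> list:
    """Return the entry names inside a zip attachment that use the
    double-extension trick; a non-zip payload yields an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_double_extension(n)]
    except zipfile.BadZipFile:
        return []


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the spammed attachment: a zip holding an
    inert text placeholder that only borrows the name the post reports."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Exclusive.Cut.avi.exe", b"placeholder bytes, not an executable")
        zf.writestr("readme.txt", b"harmless text file")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = scan_zip_attachment(build_sample_attachment())
    print("suspicious entries:", flagged)   # ['Exclusive.Cut.avi.exe']
```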
Some of the spammed messages here use prominent news organizations like CNN and BBC to look more credible, a technique popular with spammers as seen in several previous spam runs. CNN in particular looks to be a favorite. We blogged about at least three runs featuring fake CNN news last August (see our posts here, here, and here).
Another angle here is this run's possible connection to the spate of rogue-AV-related spam runs of the past few weeks. TROJ_FAKEALER.FR makes HTTP requests to URLs to download files (these files may, of course, change at any time). One of the files displays a fake blue screen, while the other is a TROJ_RENOS variant, a downloader known to fetch rogue AV components. Other spam runs that have been seen to download rogue AV include the Paris spam run, the "Free Windows Update" spam run, and bogus celebrity videos.
The Trend Micro Smart Protection Network already blocks the spammed message and protects users from the malicious attachment. Users are always advised to be cautious with unsolicited and unexpected email messages, as the attachments they carry may be harmful to their systems.