Our honeypots captured spammed email messages, written in Portuguese, supposedly coming from the popular video sharing website YouTube.
Figure 1. Sample email message (forwarded).
The message body translates into the following:
Someone has published a video you appear in, and your name was mentioned in several videos this evening.
To report, Click Here!
Watch the video you appear in: (http://www.youtube.com/watch?v=Y6BS8926mVgI)
The text “Para denunciar, Clique Aqui!” and the YouTube URL are actually HTML links, which interestingly point the user to a website hosted in Japan. That site in turn serves the binary cartaoyoutube.exe, a banker-type Trojan designed to steal information from the infected user’s computer. The information stolen from affected systems is uploaded to a remote server.
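The deception is that the visible link text shows a YouTube address while the underlying href leads to a different host. As an added illustration that is not part of the original post, the following Python check parses an HTML mail body and flags anchors whose visible text names youtube.com while the href goes elsewhere; the mail markup and the malicious.example host are constructed, since the post does not reproduce the raw HTML or name the landing domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the lure described above; the landing host
# is a placeholder, as the post names no domain for the site hosted in Japan.
SAMPLE_EMAIL_HTML = """
<p>Para denunciar, <a href="http://malicious.example/cartao">Clique Aqui!</a></p>
<p>Assista: <a href="http://malicious.example/cartao">http://www.youtube.com/watch?v=Y6BS8926mVgI</a></p>
<p>Ajuda: <a href="https://www.youtube.com/">youtube.com</a></p>
"""

class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:  # only text that sits inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_host(url):
    """Lower-cased host of a URL with userinfo, port and a leading 'www.' removed."""
    host = urlparse(url).netloc.lower().rsplit("@", 1)[-1].split(":")[0]
    return host[4:] if host.startswith("www.") else host

def find_deceptive_links(html, claimed_hosts=("youtube.com",)):
    """Return (visible_text, href) for anchors whose text names a claimed host while
    the href resolves elsewhere. Text without a host name (e.g. 'Clique Aqui!') cannot
    be judged this way and is not returned."""
    parser = _AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        href_host = registrable_host(href)
        for claimed in claimed_hosts:
            named = claimed in text.lower()
            matches = href_host == claimed or href_host.endswith("." + claimed)
            if named and not matches:
                hits.append((text, href))
                break
    return hits
```

Running `find_deceptive_links(SAMPLE_EMAIL_HTML)` flags only the anchor whose text is the YouTube URL; the "Clique Aqui!" link needs a different check, such as comparing every href host against a list of hosts the sender is expected to link to.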
Trend Micro detects the malware as TROJ_BANLOAD.JC. It further downloads from remote websites several other malicious files commonly associated with information-stealing activity.
While the social engineering techniques differ – software updates, celebrity videos, sensational news – YouTube’s popularity among Internet users keeps it a favorite lure for malware writers and spammers trying to steer people toward malware. The name has been used many different times in the past:
Trend Micro Smart Protection Network already blocks the spammed message and detects all the malware involved in this threat. Users are strongly advised to beware of unsolicited email messages even though they may appear to come from legitimate sources. Clicking links found in these messages almost always leads to malware or to malicious web pages.