…never believe it, for recipients of such email messages are bound to find out that, indeed, some promises are meant to be broken.
Trend Micro Advanced Threats Researcher Joey Costoya discovered the latest spam to hit the wild this week, with a technique that is hardly out of the ordinary—since such a come-hither tactic had been seen many times before—and an infection sequence that can make heads spin.
The said spam entices recipients using famous female celebrities to download a purported media file, such as an MP3 or image file, by clicking on a link in the message body (see Figure 1).
Figure 1: Screenshot of Sample Spam Email
Once spam recipients click on Download now, they are directed to the site hxxp://{BLOCKED}lic.fr/index.php, which in turn redirects to a landing page in hxxp://{BLOCKED}lic.fr/index8.html. This page then displays a small dialog box with standard option buttons (see Figure 2), and clicking on any of them (or anywhere inside the dialog box for that matter) leads users to hxxp://{BLOCKED}lic.fr/video.exe, from where an executable file bearing the name VIDEO.EXE is downloaded. This file name suggests that the spam authors further trick users into thinking that the download is a legitimate media file.
Figure 2: Screenshot of the landing page, index8.html which contains a white screen with a small square image on the top left corner, along with the dialog box
Trend Micro now detects this file as TROJ_ZLOB.FZI.
Costoya adds that the said landing page contains a (1) META tag that directs recipients to also download the executable file; and an (2) IFRAME tag that points to the site http://{BLOCKED}lic.fr/pindex.php, wherein the PHP page contains a JavaScript (JS) that attempts to lead users to download yet another executable file—this time from http://{BLOCKED}lic.fr/load.php. The download fails, however, due to an error in this PHP page’s code.
Below is a list of other possible message bodies used by this spam:
- Cameron Diaz Full dvd!!!
- Demi Moore Gallery sexy songs!!!
- Jennifer Aniston Gallery photo!!!
- Jennifer Lopez Interesting photo!!!
- Kate Moss Stunning photo!!!
- Meg Ryan Stunning porno dvd!!!
- Monica Bellucci Interesting video with a naked celebrity!!!
- Penelope Cruz Full video with a naked celebrity!!!
- Rihanna Kick-up mp3!!!
- Veronika Zemanova Shocking mpeg4!!!
Costoya noted that all the pages only load in Internet Explorer (IE).
Trend Micro users are advised to keep their pattern files updated and to regularly scan their systems. Avoid clicking on links from emails coming from questionable sources, even from a viable source unless verified by the sender themselves. It also never hurts to keep applications patched to keep systems away from vulnerability exploits.
