Security Labs

Alerts


Air France Plane Crash Spam

Date: 06.11.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has detected a new malicious spam campaign that poses as legitimate news coverage of the Air France plane crash. The messages are written in Portuguese and carry a link that promises the first videos from the crash site.

The video link does not lead to a video at all: it delivers a Trojan downloader named Video_AirFrance_447.com (a .com executable, not a media file). If the user runs it, the downloader fetches a further malicious executable that is served as if it were an image, from [removed].org/imgs/like2.jpg. That payload then registers a password-stealing Browser Helper Object (BHO) on the system, disguised as a McAfee SiteAdvisor component, under this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}.

The GUID resolves to the installed DLL, mcieplg.dll, in the system32 directory (%windir%\system32\mcieplg.dll). The McAfee name is only a disguise: the DLL sits in system32 rather than alongside any McAfee product. At the time of writing, AV detection rates for this file are very low, so the registry entry and the file path are the most reliable indicators for triage.
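The following script is an added example and is not part of the Websense alert. It shows how a responder can check a machine for this kind of BHO registration offline: the BHO is announced under the Browser Helper Objects key, and its GUID is resolved through HKEY_CLASSES_ROOT\CLSID\{GUID}\InprocServer32 to the DLL that Internet Explorer will load. The script parses a .reg export of those keys (as produced by reg.exe export), joins the two, and flags entries that match the alert's GUID or DLL name, or whose DLL loads from system32, a heuristic chosen here because vendor BHOs are normally installed under Program Files. The registry text embedded below is constructed for the example; only the first entry uses indicators from the alert, and the second GUID is a placeholder, not a real component.

```python
import re
from dataclasses import dataclass

# Indicators of compromise taken from the alert above.
IOC_GUID = "{9387b8b2-5508-11de-8729-c56f55d89593}"
IOC_DLL = "mcieplg.dll"

# Registration points Internet Explorer enumerates for BHOs (32- and 64-bit views).
BHO_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only quoted REG_SZ data is unescaped (\\\\ -> \\, \\" -> "); other value
    types are kept as the raw right-hand side. Keys with no values are kept
    too, because a BHO subkey is usually empty and the GUID is its name.
    """
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        hives[current][name] = data
    return hives


@dataclass
class BhoFinding:
    guid: str
    name: str      # CLSID default value, i.e. the display name the BHO claims
    dll: str       # InprocServer32 default value, i.e. what IE actually loads
    reasons: list  # empty list means nothing suspicious was found


def triage_bhos(hives):
    """Join every registered BHO GUID to its CLSID name and DLL path and flag it."""
    findings = []
    for key in hives:
        parent, _, guid = key.rpartition("\\")
        if parent not in BHO_KEYS:
            continue
        clsid = "HKEY_CLASSES_ROOT\\CLSID\\" + guid
        name = hives.get(clsid, {}).get("(default)", "")
        dll = hives.get(clsid + "\\InprocServer32", {}).get("(default)", "")
        reasons = []
        if guid.lower() == IOC_GUID:
            reasons.append("GUID matches the alert's IOC")
        if dll.lower().rsplit("\\", 1)[-1] == IOC_DLL:
            reasons.append("DLL name matches the alert's IOC")
        if "\\system32\\" in dll.lower():
            # Heuristic: legitimate vendor BHOs ship under Program Files, not system32.
            reasons.append("BHO DLL loads from system32")
        if not dll:
            reasons.append("no InprocServer32 path (orphaned or hidden registration)")
        findings.append(BhoFinding(guid, name, dll, reasons))
    return findings


def flagged(text):
    """Convenience wrapper: parse an export and return only the suspicious BHOs."""
    return [f for f in triage_bhos(parse_reg_export(text)) if f.reasons]


# Constructed sample export. The first entry reproduces the alert's indicators;
# the second is a placeholder benign BHO with a dummy GUID, not a real product.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387b8b2-5508-11de-8729-c56f55d89593}]

[HKEY_CLASSES_ROOT\CLSID\{9387b8b2-5508-11de-8729-c56f55d89593}]
@="McAfee SiteAdvisor"

[HKEY_CLASSES_ROOT\CLSID\{9387b8b2-5508-11de-8729-c56f55d89593}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcieplg.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Vendor Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for f in flagged(SAMPLE_REG_EXPORT):
        print(f.guid, repr(f.name), f.dll)
        for r in f.reasons:
            print("  -", r)
```

To use it on a real host, export the two hives with reg.exe (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`), concatenate the files, and pass the text to flagged(). Note that reg.exe writes UTF-16 with a BOM, so open the files with encoding="utf-16" before concatenating. The system32 heuristic is deliberately blunt; treat it as a prompt to inspect the DLL's signature and install path, not as a verdict.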

Screenshot of an example spam message: [image not reproduced]

Screenshot of the malicious registered DLL: [image not reproduced]

Websense® Messaging and Websense Web Security customers are protected against this attack.