Air France Plane Crash Spam
Date: 06.11.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ ThreatSeeker™ Network has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash. The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site.
The link to the video leads to a Trojan Downloader file named Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable masquerading as an image from [removed].org/imgs/like2.jpg. The malware then registers a password-stealing BHO (Browser Helper Object) component on the system, masquerading as a McAfee SiteAdvisor component under this GUID: {9387b8b2-5508-11de-8729-c56f55d89593}.
The GUID's class registration points to the malicious DLL file mcieplg.dll, installed under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low.
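A host-side check for the indicators above, written for this page as an added example (it is not part of the Websense alert). It assumes PowerShell 4 or later for Get-FileHash; the function name Test-AirFranceBho and the output format are this example's own, while the GUID and DLL path come from the alert.

```powershell
# Added example: look for the BHO described in the alert on a Windows host.
# Indicators (GUID, DLL path) are from the alert; everything else is assumed.
$SuspectClsid = '{9387b8b2-5508-11de-8729-c56f55d89593}'
$SuspectDll   = Join-Path $env:windir 'system32\mcieplg.dll'

function Test-AirFranceBho {
    $findings = @()

    # 1. Is the GUID registered as a Browser Helper Object (64-bit and WoW64 views)?
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (Test-Path (Join-Path $root $SuspectClsid)) {
            $findings += "BHO registration present: $root\$SuspectClsid"
        }
    }

    # 2. Which DLL does the CLSID load? The alert says it poses as a McAfee
    #    SiteAdvisor component, so show the InprocServer32 target rather than
    #    trusting the display name.
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($clsidRoot in $clsidRoots) {
        $inproc = Join-Path $clsidRoot "$SuspectClsid\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc).'(default)'
            $findings += "CLSID InprocServer32 -> $dll"
        }
    }

    # 3. Is the DLL on disk? Record its SHA256 so it can be compared or submitted
    #    to AV vendors (the alert notes detection rates are low).
    if (Test-Path $SuspectDll) {
        $hash = (Get-FileHash -Path $SuspectDll -Algorithm SHA256).Hash
        $findings += "DLL on disk: $SuspectDll (SHA256 $hash)"
    }

    return ,$findings
}

$result = Test-AirFranceBho
if ($result.Count -eq 0) { 'No indicators from the alert found on this host.' }
else { $result }
```

Run it in an elevated PowerShell session so the HKLM keys are readable; any line of output is a reason to isolate the host and pull the DLL for analysis.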
Screenshot of an example spam message:
Screenshot of the malicious registered DLL:
Websense® Messaging and Websense Web Security customers are protected against this attack.