
Bot War?

02.05.2007 - 2:00 PM
On January 31 we witnessed a large volume of stock "pump and dump" spam attempting to lure readers into buying a penny stock. Around the same time, we also discovered postings on newsgroups and websites carrying the same information (see screenshots).

OK, nothing new there. We have seen this happening a lot recently.

Email screenshot:

Web screenshot:

What is new is what we saw a couple of hours later. We received emails that were exactly the same as the previous emails, with one small difference: the message now contained a link at the top. The link pointed to a compromised web server that was hosting malicious code. Assuming one clicked on the link, a downloader from a kit called "RootLauncher" would download another malicious file from another website. The same group that sells the popular "WebAttacker" toolkit also sells the RootLauncher kit on the web.

Here comes the interesting part!

The malicious code that gets downloaded and run does nothing except reboot your machine over and over. In effect it makes your machine inoperable. Users have to boot into safe mode or off a disk and clean the machine in order to make it work again.

So, the question is WHY? What could possibly be the motive behind disabling the victim's computer?

Here are some speculative guesses:

  • someone wants to prevent users who have already purchased the stock from selling it
  • a fellow bot herder has taken over control of the botnet and modified the email that it sends by adding the link. Perhaps they are not so friendly with each other and want to prevent the stock scam from working
  • someone has taken over the bots that send the spam and is playing a BAD joke

RootLauncher Toolkit Administration Panel Screenshot:

The RootLauncher kit checks the User-Agent string and requires specific request parameters before it will serve the code. If a browser without a matching User-Agent visits the website, it is given an error message instead of the malicious file:
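That gating behaviour leaves a tell in proxy logs: the same URL answers a matching User-Agent with a sizeable 200 response and everyone else with a short error. The following Python is an added example, not code from the original post or from the kit; the log format, hostnames and paths are constructed for illustration.

```python
# Added example: flag URLs whose response depends on the client's User-Agent,
# the pattern a User-Agent-gated download kit produces in proxy logs.
from collections import defaultdict

# Constructed sample log (tab-separated): client_ip, url, user_agent, status, bytes.
# Hostnames and paths are made up; they do not come from the post or the kit.
SAMPLE_LOG = """\
10.0.0.5\thttp://compromised.example/dl/get.php?id=7\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t200\t48120
10.0.0.9\thttp://compromised.example/dl/get.php?id=7\tMozilla/5.0 (X11; Linux) Firefox/2.0\t403\t312
10.0.0.12\thttp://compromised.example/dl/get.php?id=7\tcurl/7.15\t403\t312
10.0.0.5\thttp://news.example/index.html\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\t200\t9000
10.0.0.9\thttp://news.example/index.html\tMozilla/5.0 (X11; Linux) Firefox/2.0\t200\t9000
"""

def parse_log(text):
    """Turn the tab-separated sample into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, url, ua, status, size = line.split("\t")
        records.append({"ip": ip, "url": url, "ua": ua,
                        "status": int(status), "bytes": int(size)})
    return records

def find_ua_gated_urls(records, min_ratio=5.0):
    """Return {url: {ua: (status, bytes)}} for URLs seen from at least two
    User-Agents whose answers diverge: a 2xx next to a non-2xx, or a body
    size ratio of at least min_ratio between the largest and smallest reply."""
    by_url = defaultdict(dict)
    for r in records:
        by_url[r["url"]][r["ua"]] = (r["status"], r["bytes"])
    gated = {}
    for url, per_ua in by_url.items():
        if len(per_ua) < 2:
            continue  # nothing to compare with a single User-Agent
        statuses = [s for s, _ in per_ua.values()]
        sizes = [b for _, b in per_ua.values()]
        ok = any(200 <= s < 300 for s in statuses)
        bad = any(not 200 <= s < 300 for s in statuses)
        size_gap = max(sizes) / max(min(sizes), 1) >= min_ratio
        if (ok and bad) or size_gap:
            gated[url] = per_ua
    return gated

if __name__ == "__main__":
    for url, per_ua in find_ua_gated_urls(parse_log(SAMPLE_LOG)).items():
        print("User-Agent-gated:", url)
        for ua, (status, size) in per_ua.items():
            print(f"  {status} {size:>6}  {ua}")
```

On the sample, only the download URL is flagged; the news page answers both browsers identically and is left alone.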
