Security Labs

Alerts

BOOKMARK THIS ALERT
  digg   |     del.icio.us   |     reddit
  newsvine   |     furl   |     technorati

Santa Catarina Flood Malicious Spam

Date:12.03.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered a spam lure that attempts to capitalize on the recently reported natural disasters in the state of Santa Catarina, in the south of Brazil.

This campaign uses email messages that look like a news alert about the current disaster in Santa Catarina. To appear genuine, the lure includes a legitimate telephone number for donations. The messages also contain a link that appears to provide a video of the recent disasters. This link actually leads to a malicious executable, a Trojan downloader named "Video_SC_Desastre.exe" (SHA1: 6862b862877e5cb9f2180cc53ee4338977bc0efb).

Example of malicious email: 

 

When "Video_SC_Desastre.exe" is run, it connects to various sites. The executable first connects to a site, www.*SNIP*so.com, that informs the BOT controller about the infection. The executable then connects to a hosting provider account at *SNIP*.bizhostnet.com. Password stealing Trojans are downloaded from that site to the compromised machine and registered as BHOs. These files are hosted in the form of JPG images, but actually are malicious executables.

Trojan's network activity snapshot: 

 

Among other malicious activities of the downloaded Trojans, one Trojan, msnmgr.exe, launches a password stealing application spoofing MSN Live Messenger.

MSN Live Messenger spoof: 

 

Websense Messaging and Websense Web Security customers are protected against these threats.