
August 9, 2008

Beware of CNN Alerts E-Mail with ‘adobe_flash.exe’

Filed under: Internet security — Administrator @ 11:47 pm
TOKYO (MacHouse) - More than 12 hours ago, an organized cyber criminal group circulated a spam e-mail message with the title CNN Alerts: My Custom Alert. (See Screenshot 01.) The sender’s name is shown as CNN Alerts, but the e-mail address is Jochen-nerelekk@asbinfo.de. If you take a quick look at the message, it says:

Plane carrying US Olympians under terrorist attack
Sat, 9 Aug 2008 08:27:01 -0700

FULL STORY

Another message with the same intention reads:

Bus killer beheads kid
Sat, 9 Aug 2008 18:57:11 -0700

FULL STORY (See Screenshot 02.)






The underlying URL for the first message is http://tkanie-uzory.ru/cnncurrent.html. For the second message, it’s http://apartbru.be/cnncurrent.html. Anyway, if you have received either e-mail message or something similar, don’t click on the link. Just trash it.
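The indicators described above (a sender display name of CNN Alerts on an address from an unrelated domain, and FULL STORY links pointing at cnncurrent.html on hosts that are not cnn.com) are easy to check for automatically. The script below is an added example, not code from the MacHouse post; the two sample messages are constructed to reproduce the first lure and a benign look-alike, and the trusted-domain list is an assumption about what a genuine CNN alert would use.

```python
# Added example: flag e-mail messages that match the "CNN Alerts" spam pattern.
# Indicators are the ones the post reports: a display name claiming CNN on a
# sender address from an unrelated domain, and a FULL STORY link whose host is
# not cnn.com or whose path is the lure page cnncurrent.html.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a genuine CNN alert would be sent from and link to.
TRUSTED_DOMAINS = ("cnn.com",)
# Path seen in both lure URLs quoted in the post.
LURE_PATH = "/cnncurrent.html"

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample reproducing the first message described in the post.
SPAM_SAMPLE = """\
From: CNN Alerts <Jochen-nerelekk@asbinfo.de>
To: reader@example.com
Subject: CNN Alerts: My Custom Alert
Content-Type: text/html

<html><body>
<p>Plane carrying US Olympians under terrorist attack<br>
Sat, 9 Aug 2008 08:27:01 -0700</p>
<a href="http://tkanie-uzory.ru/cnncurrent.html">FULL STORY</a>
</body></html>
"""

# Constructed benign sample: same layout, but sender and link are on cnn.com.
LEGIT_SAMPLE = """\
From: CNN Alerts <alerts@cnn.com>
To: reader@example.com
Subject: CNN Alerts: My Custom Alert
Content-Type: text/html

<html><body>
<a href="http://www.cnn.com/2008/WORLD/story.html">FULL STORY</a>
</body></html>
"""


def in_trusted_domain(host):
    """True if host is a trusted domain or a subdomain of one (not a look-alike)."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def body_text(msg):
    """Concatenate the text/* parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")


def analyze(raw):
    """Return the indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    links = [urlparse(u) for u in HREF_RE.findall(body_text(msg))]

    indicators = []
    if "cnn" in display_name.lower() and not in_trusted_domain(sender_host):
        indicators.append("display name claims CNN but sender domain is %s" % sender_host)
    for link in links:
        if not in_trusted_domain(link.hostname):
            indicators.append("link to non-CNN host %s" % link.hostname)
        if link.path.lower() == LURE_PATH:
            indicators.append("link path matches known lure %s" % LURE_PATH)
    return {
        "sender_domain": sender_host,
        "link_hosts": [link.hostname for link in links],
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = analyze(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for indicator in result["indicators"]:
            print("  -", indicator)
```

The domain check deliberately accepts only cnn.com and its subdomains, so a look-alike such as a host merely ending in "cnn.com" is still treated as untrusted; the path check is a convenience for the two lures quoted here and would need updating as the campaign changes.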





Screenshot 01 - Source: MacHouse
Screenshot 02 - Source: MacHouse
Screenshot 03 - Source: tkanie-uzory.ru






In both cases the link leads directly to the URL it shows; there is no further redirection. The websites are hosted in Russia and France (not Belgium), respectively. For both cases, the web page title is Breaking News Videos from CNN.com. (See Screenshot 03.) If you access either URL, you are shown an error dialogue that says Video ActiveX Ojbect Error, and you cannot dismiss it except by pressing the Okay button. If you do press it, you are forced to download a file titled adobe_flash.exe. (See Screenshot 04.)





Screenshot 04 - Source: tkanie-uzory.ru
Screenshot 05 - Source: MacHouse
Screenshot 06 - Source: Sophos security analysis






So what is this file? It is not what its name implies. We used Sophos Anti-Virus to analyze the file. Sophos Anti-Virus reports that the file contains Mal/EncPk-DA. (See Screenshot 05.) It is a Trojan Horse derivative, which is believed to cause ‘malicious behavior,’ according to Sophos. (See Screenshot 06.)






References:

Sophos security analysis: Mal/EncPk-DA Malicious behavior




