Beware of CNN Alerts E-Mail with ‘adobe_flash.exe’







TOKYO (MacHouse) – More than 12 hours ago, an organized cyber-criminal group circulated a spam e-mail message with the subject line CNN Alerts: My Custom Alert. (See Screenshot 01.) The sender's name is displayed as CNN Alerts, but the actual sending address is Jochen-nerelekk@asbinfo.de, which has nothing to do with CNN. A quick look at the message shows






Plane carrying US Olympians under terrorist attack
Sat, 9 Aug 2008 08:27:01 -0700

FULL STORY






Another message from the same campaign reads






Bus killer beheads kid
Sat, 9 Aug 2008 18:57:11 -0700

FULL STORY (See Screenshot 02.)






The underlying URL for the first message is http://tkanie-uzory.ru/cnncurrent.html; for the second, it is http://apartbru.be/cnncurrent.html. Neither is a CNN domain. If you have received either e-mail message or something similar, do not click the link. Just trash it.
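The two tells described above (a display name claiming a brand that the sending domain does not own, and a "FULL STORY" link pointing at a look-alike page on an unrelated domain) are mechanical enough to check automatically. The script below is an added example, not code from MacHouse or Sophos. It parses a constructed message modelled on the first lure (subject, sender address and link are taken from the post; the recipient address is an assumption), a constructed control message with the same display name but sent from and linking to cnn.com (sender address and link are assumptions), and reports which checks fired. The brand-to-domain allow-list is an assumption to be extended for other spoofed brands.

```python
"""Header/link triage for brand-spoofing lures such as the 'CNN Alerts' messages.

Added example (not code from the original post). It checks two things the post
points out: the display name claims a brand the sending domain does not own, and
the 'FULL STORY' links lead to look-alike pages on unrelated domains.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the first message described in the post. The
# To: address is an assumption; subject, sender and link come from the post.
LURE_EML = """\
From: "CNN Alerts" <Jochen-nerelekk@asbinfo.de>
To: victim@example.com
Subject: CNN Alerts: My Custom Alert
Date: Sat, 9 Aug 2008 08:27:01 -0700
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Plane carrying US Olympians under terrorist attack</p>
<p>Sat, 9 Aug 2008 08:27:01 -0700</p>
<p><a href="http://tkanie-uzory.ru/cnncurrent.html">FULL STORY</a></p>
</body></html>
"""

# Constructed control message: same display name, but sent from and linking to
# the brand's own domain (sender address and link are assumptions).
GENUINE_EML = """\
From: "CNN Alerts" <alerts@cnn.com>
To: victim@example.com
Subject: CNN Alerts: My Custom Alert
Content-Type: text/html; charset=us-ascii

<html><body><p><a href="http://www.cnn.com/">FULL STORY</a></p></body></html>
"""

# Brands we expect to see spoofed, mapped to the registrable domains they
# legitimately send from and link to (assumed allow-list, extend as needed).
BRAND_DOMAINS = {"cnn": {"cnn.com"}}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registered_domain(host):
    """Crude registrable domain: last two labels. Enough for the .ru/.be/.de
    hosts in this campaign; use a public-suffix list for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def triage(raw):
    """Return a dict describing why (or whether) the message looks like a lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    subject = str(msg["Subject"] or "")

    # Which brand does the message claim to be from (display name or subject)?
    claimed = [b for b in BRAND_DOMAINS
               if b in display.lower() or b in subject.lower()]
    spoofed_sender = any(sender_domain not in BRAND_DOMAINS[b] for b in claimed)

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")

    # Any http(s) link whose registrable domain is not owned by the claimed brand.
    offbrand_links = []
    for href in extractor.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        if any(registered_domain(parsed.hostname) not in BRAND_DOMAINS[b] for b in claimed):
            offbrand_links.append(href)

    verdict = "suspicious" if claimed and (spoofed_sender or offbrand_links) else "clean"
    return {
        "claimed_brands": claimed,
        "sender_domain": sender_domain,
        "spoofed_sender": spoofed_sender,
        "offbrand_links": offbrand_links,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("lure", LURE_EML), ("genuine", GENUINE_EML)):
        print(label, triage(sample))
```

Run against the lure, the script flags both the off-brand sender domain (asbinfo.de) and the off-brand link (tkanie-uzory.ru); the control message comes back clean. The domain comparison deliberately ignores the path, so the "cnncurrent.html" file name on an unrelated host buys the attacker nothing.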





Screenshot 01 – Source: MacHouse
Screenshot 02 – Source: MacHouse
Screenshot 03 – Source: tkanie-uzory.ru






In both cases the link leads directly to the page named in the URL, with no redirection. The websites are hosted in Russia and France (not Belgium, despite the .be domain), respectively. In both cases the page title is Breaking News Videos from CNN.com. (See Screenshot 03.) If you open either URL, you are presented with an error dialogue that reads Video ActiveX Object Error, and the page will not let you dismiss it until you press the OK button. Pressing OK pushes a download of a file named adobe_flash.exe. (See Screenshot 04.)





Screenshot 04 – Source: tkanie-uzory.ru
Screenshot 05 – Source: MacHouse
Screenshot 06 – Source: Sophos security analysis






So what is this file? It is not what its name implies. We scanned it with Sophos Anti-Virus, which reports that the file contains Mal/EncPk-DA. (See Screenshot 05.) Sophos classifies it as a Trojan horse exhibiting 'malicious behavior.' (See Screenshot 06.) A generic detection name like this identifies the file by its packing and obfuscation rather than by a specific payload, so it says little about what the Trojan actually does once it runs; the safe assumption is full compromise of any machine that executed it.












References:

Sophos security analysis: Mal/EncPk-DA (Malicious behavior)
