CNN Daily Top 10 leads users to site hosting malware

Following the links in the CNN.com Daily Top 10 email could lead you to sites that host malware. MX Lab detected and intercepted the first messages at around 7:48 PM local Belgian time and is monitoring an outbreak of this type.

Malware authors are abusing CNN by using the logo, the layout and the concept of the CNN Daily Top 10 to distribute emails with URLs that point to sites that host malware.

The messages themselves are sent from a randomly generated user email address that is not on the cnn.com domain. The links behind the top 10 direct you to a web site that should show you the video but instead displays an error saying that an incorrect Flash player is installed.

A pop-up window then asks you to download the correct video codec, an executable called get_flash_update.exe, which is in fact Trojan-Downloader.Agent.EL. This trojan can download and install other malware onto the infected machine.

On an infected machine the trojan creates a new process, %System%\cbevtsvc.exe, and registers a new service named CbEvtSvc. It also makes a number of registry modifications and opens a direct connection to a remote host by IP address on TCP port 443.

VirusTotal permalink and MD5: dabb5a9b431c88c77281bcf1158a9879.

Remark: CNN is not responsible for the CNN Daily Top 10 emails that contained URLs to sites hosting malware in the form of a downloadable Flash codec.

ZBot in “PayPal Rechnung”

A new ZBot variant is appearing in PayPal “Rechnung” (invoice) emails. The attached file contains the ZBot malware variant which, at the time of writing (7 PM local Belgian time), is detected by only 3 of the 36 anti-virus engines on VirusTotal. This type of distribution was also detected by MX Lab in late June.

The content of the malware emails (translated from German):

Dear customers,

Your order no. SP4323451 has been completed.
An amount of 6789.46 EURO has been debited and will appear on your bank statement as “Paypalabbuchung” (PayPal debit).

You will find the details of the invoice in the attachment.

PayPal (Europe)
S.à r.l. & Cie, S.C.A.
46-31 Boulevard Royal
L-1472 Luxembourg

Yours faithfully,
Authorised representative: Christopher Darden
Commercial register number: R.C.S. B 734 037

Trojan-Spy.Zbot is a rootkit trojan that steals online banking information and also downloads other malware. It opens a backdoor on the infected computer to give the attacker unauthorized access.

The malware appears to originate from Russia and connects to a Russian web site at http://*******.ru/millioner/millionertest.bin. It also creates files on the system such as ntos.exe and modifies the registry.

VirusTotal permalink and MD5: 606ab42e4c906f933bc9c5ab62b798d9.
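Both campaigns share the same lure pattern: a brand-themed email whose sender is not on the brand's own domain, delivering an executable either behind a link (get_flash_update.exe) or as an attachment. The mail-gateway heuristic below is an added example, not MX Lab's code; the paypal.com mapping, the sender and host names and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Brand names the lures impersonate, mapped to the domain genuine mail comes from.
# The cnn.com mapping is taken from the write-up; paypal.com is an assumption.
BRAND_DOMAINS = {"cnn": "cnn.com", "paypal": "paypal.com"}
EXE_RE = re.compile(r"\.(exe|scr|pif|bat)(\?|$)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def lure_indicators(raw_msg):
    """Return the reasons a message looks like a brand-spoofing malware lure ([] if none)."""
    msg = message_from_string(raw_msg)
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "").lower()
    # 1. A brand is named in the subject but the sender is not on that brand's domain.
    for brand, domain in BRAND_DOMAINS.items():
        on_domain = sender_domain == domain or sender_domain.endswith("." + domain)
        if brand in subject and not on_domain:
            reasons.append(f"subject claims {brand} but sender domain is {sender_domain}")
    # 2. An executable is delivered directly, as an attachment or behind a link in the body.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and EXE_RE.search(filename):
            reasons.append(f"executable attachment {filename}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            reasons += [f"link to executable {u}" for u in URL_RE.findall(body) if EXE_RE.search(u)]
    return reasons

def build_sample(sender, subject, body, attachment=None):
    """Build a constructed test message as RFC 5322 text; not a real captured email."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attachment:  # dummy bytes stand in for the executable payload
        m.add_attachment(b"MZ-constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples modelled on the two campaigns (sender and host names are placeholders).
CNN_LURE = build_sample("top10@random-sender.example", "CNN.com Daily Top 10",
                        "Watch: http://video.example/top10/get_flash_update.exe\n")
PAYPAL_LURE = build_sample("service@random-sender.example", "PayPal Rechnung",
                           "The details of the invoice are in the attachment.\n", "Rechnung.exe")
GENUINE = build_sample("alerts@cnn.com", "CNN.com Daily Top 10", "http://www.cnn.com/video\n")
```

Calling lure_indicators() on the two lures returns both the sender-domain mismatch and the executable delivery, while the genuine message returns an empty list.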
