Following the links in the CNN.com Daily Top 10 email could lead you to sites that host malware. MX Lab detected and intercepted the first messages at around 7:48 PM local Belgian time and is monitoring an outbreak of this type.
Malware authors are abusing CNN by using the logo, the layout and the concept of the CNN Daily Top 10 to distribute emails with URLs that point to sites that host malware.

The message itself is sent from a randomly generated user email address that is not on the cnn.com domain. The links behind the top 10 direct you to a web site that should show you the video but instead gives you an error that an incorrect Flash player is installed.
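
The two tells described above, a sender address outside cnn.com and story links that leave cnn.com, can be checked mechanically. The following Python check is an added example, not part of the original post or of MX Lab's tooling; the sample message, its addresses and hostnames are constructed placeholders, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "cnn.com"                 # domain the real newsletter belongs to
BRAND_SUBJECT = "cnn.com daily top 10"   # subject line named in this post

# Constructed sample: addresses and hostnames are placeholders, not real IoCs.
SPOOFED = """\
From: "CNN.com Daily Top 10" <qx7tz@example.org>
To: user@example.com
Subject: CNN.com Daily Top 10
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="http://hacked-site.example/video.html">1. Top story video</a>
<a href="http://cnn.com.example.net/v2.html">2. Second story video</a>
<a href="http://www.cnn.com/">Unsubscribe</a>
</body></html>
"""


def in_domain(host, domain=BRAND_DOMAIN):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def link_host(href):
    """Hostname of a link, or None for relative, mailto: or malformed URLs."""
    try:
        return urlsplit(href).hostname
    except ValueError:
        return None


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def html_body(msg):
    """Return the first text/html part as str, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw_message):
    """Flag mail that uses the newsletter subject but is not tied to cnn.com."""
    msg = message_from_string(raw_message)
    claims_brand = BRAND_SUBJECT in (msg.get("Subject") or "").lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(html_body(msg))
    hosts = {link_host(h) for h in collector.hrefs}
    off_brand = sorted(h for h in hosts if h and not in_domain(h))
    spoofed_sender = claims_brand and not in_domain(sender_domain)
    return {
        "claims_brand": claims_brand,
        "sender_domain": sender_domain,
        "spoofed_sender": spoofed_sender,
        "off_brand_link_hosts": off_brand,
        "suspicious": claims_brand and (spoofed_sender or bool(off_brand)),
    }


if __name__ == "__main__":
    for key, value in triage(SPOOFED).items():
        print(f"{key}: {value}")
```

A From header can itself be forged to read cnn.com, so the link-host check is the stronger of the two signals.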

A pop-up window will ask you to download the correct video codec, an executable called get_flash_update.exe, but this is in fact the Trojan-Downloader.Agent.EL. This trojan can download and install other malware onto an infected machine.
This trojan creates a new process on an infected machine, %System%\cbevtsvc.exe, and creates a new service, CbEvtSvc, in the system. A number of registry modifications are made, and the trojan makes a direct IP address connection to a remote host on TCP/IP port 443.
Virus Total permalink and MD5: dabb5a9b431c88c77281bcf1158a9879.
Remark: CNN is not responsible for the CNN Daily Top 10 that contained URLs to sites that host malware in the form of a downloadable Flash codec.
117 Comments

Thank you for responding so fast. I typed Daily top 10 cnn into google and found this page. I was suspicious as although I regularly visit CNN, I do not receive the daily top 10.
The malicious page and file are hosted on different sites. Normal sites which have been hacked.
Thanks for the info – I too was suspicious – good to have it confirmed.
I wonder how many will fall for it – I very nearly did, because CNN is usually a safe bet.
Hopefully someone has informed CNN?
I was complacent and clicked the pop-up while browsing.
One of my computers is infected now.
Every time I connect to the net with that computer I get a bunch of pop-ups for Symantec Antivirus saying it is blocking a malicious email titled “cnn.com daily top 10”.
Here is more info on the thing http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945
If anyone knows how to remove it let me know.
To remove it if infected, download Combofix.exe from here: http://www.forospyware.com/sUBs/ComboFix.exe. It does an excellent job of removing it.
Wonder if CNN is going to do a story on itself. Like how these links actually came about.
[...] news junkies: The Belgian MX virus and spam blog is reporting that today’s CNN Top 10 e-mail links are sending unwitting users to sites [...]
This is great information. As John says, let’s see what kind of story CNN does.
[...] If you are one of the millions getting this virus email this morning, do not click on any of the links. For more details, and kudos for beating me to the punch this morning – http://blog.mxlab.be/2008/08/04/cnn-daily-top-10-leads-users-to-site-hosting-malware/ [...]
wow! my boss received this in his email and we were definitely surprised that he got the ‘daily 10’ and I even asked him if he subscribed to cnn. He said ‘No.’
weird.
thanks for this
now I will tell him this information.
Austin,
I will try that removal tool when I get home from work. The site is blocked here by our web filter.
I have received it 12 times since yesterday early evening. Does anyone know of a way to block junk email by subject line in Outlook?
Thanks.
Was going to do a write up about it tonight, have a client that can’t get rid of it. This is their third day of cleaning it up themselves.
For the past 2 days I have received 10 to 12 such emails.
Thank you to all of you for investigation and / or comments
JJ Guiounet
Issy Les Moulineaux France
I received the same email in a couple of my email accounts too. Thanks for the insight. Of course, I know better than to click through the emails.
What happens if you click the ‘unsubscribe’ option?
My other half did this and is now panicking.
We’re using Ubuntu Linux if that helps.
The Daily top 10 is in fact a genuine service from CNN offering the top 10 stories and videos by email. The mala fide emails in question just contain links to web sites that host malware.
The other links and the appearance of the email are just taken from CNN without changing anything. The unsubscribe link brings you to the web site of CNN. The links for ‘manage your settings’, ‘terms’, ‘privacy guides’ and ‘contact us’ seem to be safe links.
Thanks for that, I still felt the need to download and install a virus checker. First time ever on Linux. Should calm my better half down.
So.. nobody has really said what is the definitive way to FIX it if it gets you.
Thanks for heads up!
I was wondering: I have had no viruses, but I keep getting this pop-up thing that says they have detected a virus. Is this the same malware that you are speaking of?
The removal tool is running now. The disclaimer that 1/100 computers do not survive the process was discouraging…..we will see how it turns out.
I was getting several of these and made the BIG mistake. How do I get rid of this now? I tried the link from the other poster, but it did not work. Any ideas?
Hey Andrew and everyone that is affected by this for that matter. I have spent hours finding a good fix for this and the solution I found was “AntiVir” free anti-virus. It detected all the infected files and got rid of them. I tried both “ComboFix” and “SDfix” with no luck. I also tried Avast and Bit Defender, but then I found this list:
http://www.virustotal.com/analisis/258fbdfb7eb6ecfedbf236533b03c945
I would assume most of the scanners that detect it should be able to remove it, but I can confirm AntiVir does.
For some reason TrendMicro blocked http://www.forospyware.com/sUBs/ComboFix.exe from running.
I could download and save ComboFix.exe to the desktop but when launching it was blocked by TrendMicro Real-time scan. I could not find a reference on TrendMicro to this specific virus. While opening the email does not infect the computer, the links certainly do. Also there is some debate on whether the virus is sending the email addresses out of the GAL to the hack/spam servers or if they are dictionary name attacking the domains. Would really like to see the details of the infection and whether the email should be classified as malware/spam OR virus. My vote is virus.
I keep clicking on the button but the flash upgrade just won’t install on my Linux PC… Ah windoze, gotta love it.
I did get the “top 10” email; luckily Gmail sent it to spam.
What a shame. Well, but you should still be grateful it’s just sent to the spam folder, and not deleted. I use NAV, and it often deleted my important files that NAV thinks are a virus/malware/spyware.
AntiVir worked. Thanks for the post. I’m back up and running again.
combofix.exe did it. One of the computers on our network got affected by the trojan, and it hijacked display properties, took out restore points and caused a lot of other issues. Combofix did clean it up. A word of caution: since this tool modifies the system registry, you have to be careful about the resident data.
2 Trojan horses too
I ran a combo of Spyware Doctor and NOD32 and it got rid of all of this. The only thing now is I need to block it on the mail server side. Any idea how I can do this in Exchange?
Caution: Combofix only removes the virus shell interface. The virus is still active underneath, setting up an email server on port 25 and trying to re-replicate itself.
So far to be safe at our company we have been erasing computers and reimaging them to be on the safe side. This is a nasty one.
I haven’t tried AntiVir as mentioned above yet, but thought I should let you know you’re not out of the water yet if you run Combofix as mentioned above.
Just my luck.
Note to self – never check email before drinking morning coffee.
Downloading AntiVir now…
I left feedback on the CNN.com website about this, and their tech support at least has disclaimed responsibility:
Greetings,
Thank you for alerting us to the spam you have received that purports to be from CNN. As you may know, spammers often disguise or forge the source of their e-mail to give the impression that it derived from the CNN system. In fact, this message is fraudulent and did not originate from CNN. We suggest that you delete it, and any other e-mails you suspect to be illegitimate, from your mailbox.
Sincerely,
CNN Technical Operations
vcm@cnn.com
The malware program is the antivirus 2008 parasite which has been fairly common for at least the past 3-4 months. A few programs seem to have the ability to remove it in part, but one which can remove it wholly has not yet been discovered. It can also corrupt and damage certain aspects of web browsers or affiliated programs, preventing the access of certain sites (Hotmail, Gmail, Yahoo, etc). It uses aspects of trojan viruses, malicious software and phishing sites to get people to install it, and after that it will try to convince you to purchase its anti-virus.
Best recommendation is a back-up and a full system recovery for now.
Uggh…I got caught with this one. First time ever! I just subscribed to the CNN email and thought it was the real thing. Norton caught part of it, but not all.
Question: It seems to have gotten rid of all my restore points. How do I restore my system back to a point before today?????
Thanks!
Hmmm, I downloaded the flashplayer file but realized what happened before I ran it. I deleted the downloaded file without ever running it. Do you think I’m safe? I haven’t noticed any side effects.
You can also download SPYbot to remove the trojan.
I have used it on several computers and it works great in finding and removing.
Spybot is also a free download, Microsoft recommended.
The virus, from what I have seen, is self extracting. If you downloaded the file you should probably look at: start – run – msconfig. On the screen that pops up go to services. If you see CbEvtSvc, then you are infected.
Craig,
You should be able to restore your system in safe mode (F-8 at boot up of your system) and do a system restore while logged in as the local admin. If your restore points are still unavailable, then it may not have been turned on in the first place.
[...] a CNN Daily Top 10 newsletter (my brother was an unfortunate victim). A description was posted at http://blog.mxlab.be/2008/08/04/cnn-daily-top-10-leads-users-to-site-hosting-malware/. Postings on that site say that the AntiVir free antivirus and ComboFix will remove it. [...]
Heard about this from work, got the mail at home. Nice thing, having no Windows computers at home. I took a look at the code from the post, and at the site. Never a worry.
[...] my wanderings through WordPress I find: beware of an email called “CNN.com Daily Top 10”. It takes you to a page that tells you your Flash player has to be updated and that is the [...]
Yeah I’ve been getting loads of those emails supposedly from CNN. It’s a sneaky way of getting people who wouldn’t usually click on dodgy links to download malware. Thanks for putting the alert out.
Thanks for the info. “mxlab”…I also foolishly clicked on “unsubscribe”, but then noticed that URL is actually a real CNN URL? “http://cgi.cnn.com”. It was a couple of days ago, but I don’t remember seeing any video player codec install messages. You think “Kaspersky” will pick it up if I do have it? Thanks!
[...] This thing is NASTY. The emails as well as the webpages look completely authentic, good design layout and no broken images or bad english. These are definitely the work of some very talented hackers. The good news (if any) is that these have just been introduced into the wild within the past few days. CNN as well as the major antivirus companies have been notified and are in the process of working on fixes. You can read more about the original story breaking here. [...]
horrible attaching system. I am afraid
Comment by Red on August 5, 2008 8:39 pm
What happens if you click the ‘unsubscribe’ option?
My other half did this and is now panicking.
That’s the funny part! I clicked on that option after I realized this was spam and that the email was not sent by cnn.com but by some bogus email address. Believe it or not, when I clicked on “unsubscribe” to see what would happen, it took me to the authentic CNN website and unsubscribed me, although I never subscribed to it in the first place. A dead giveaway that the Flash Player was malware was that it was labeled with a bogus website and not with Adobe.
When the installer automatically appeared, it would not cancel and I could not close my browser. Required a restart to get rid of that potential trojan. My Gmail spam filter did an excellent job of identifying this bogus email as spam. These spammer malware pranksters are getting more and more clever and bold. I hope this is not the beginning of a new malignant trend in malware distribution. It looked pretty benign at first blush with the CNN logo so prominently displayed. Thank goodness for Gmail spam filter. It does a fantastic job!
DIDCATION WITH DESTINCION
ARAMEDDAR LOGO
You can reference there, but Chinese word.
http://mysecure.blogspot.com/2008/08/blog-post.html
I just started receiving about 5 of these a day at work. I tried unsubscribing – seemed to be no problem, but also didn’t work. I’m on a Mac so the .exe wouldn’t work anyway, but I knew it was a virus – they are very very annoying!!
Thank you very much for posting this. I got that incorrect video code, but thankfully, didn’t follow it through. I started getting these in my spam box the other day, but couldn’t figure out if it was something I had signed up for. I didn’t REMEMBER doing it, but as a marketer, it looks like something I might have wanted.
After seeing these messages appear in my “Bulk” mail folder about five times a day, I figured there was something “spammy” to it. I did a search and it brought me here. Thank you very much for this informative blog.
I have received this email about 250 times in the last week and was immediately convinced that it was bad news. If I get 10-30 emails to random recipients on my domain, there is little choice but to assume the worst.
All have been deleted without opening and I set a filter in Thunderbird so that all emails are directed to the Deleted folder as soon as they arrive.
This is a pain but in practice little more than a nuisance and a small drain from my download limit.
It occurs to me that I can put a rule in Outlook (or Outlook Express?) to delete any incoming e-mail with the SUBJECT “CNN.com Daily Top 10”
If you get infected you can find a removal guide here:
http://www.bleepingcomputer.com/malware-removal/remove-cnn-daily-top-10
This ALMOST got me – and I’m smart!
I fell for the link, something I never do, however I did it and it was too late too fast. Credit card charges all over the United States; luckily my cc company blocked all of them. I think they got my cc info off of a toolbar I use called roboform. From what I understand they can move all throughout your computer.
I downloaded pctools spyware doctor and avast cleaned up everything as far as I can see. Msconfig, hijackthis and registry all look clean now, but they move fast and it is tough to remove. To be safe I would say reinstall windows.
[...] Banning emailed based on subject line… Hmm.. apparently, this is an ongoing problem for some… CNN Daily Top 10 leads users to site hosting malware mxlab – all about anti virus and anti spam [...]
Spybot was the only thing that I could find to get rid of this…
Virus?… Use Linux and get happy. A computer does not need Microsoft’s stuff to work. Try the virus-free Ubuntu.
Microsoft did a favor to its customers by releasing this tool. Though its malicious software remover targets highly specific infections, in certain cases it’s preferred over commercial software from 3rd party developers. If MS had made its Windows Defender as powerful as top antispyware products on the market, they’d definitely take a considerable share of the pie ;P
Those cyber criminals get smarter and smarter. Their fake programs are masquerading as Windows Security Center warnings, emails look like they were sent from CNN…
These viruses are getting more and more sophisticated. I don’t bother to open any emails now unless I know the person, after getting a very nasty virus a few months ago.
Email? Use http://corlive.com and get happy. No spam, no viruses
Merry wrote: “Virus?… Use Linux and get happy. A computer does not need Microsoft’s stuff to work. Try the virus-free Ubuntu.”
Statements like this aren’t completely true. Using another OS gives you a wrong sense of security.
These days, most of the viruses are written to run on computers with Microsoft Windows operating systems because virus writers have a huge potential market with this OS. If they would write a Linux virus they will have a much smaller potential market where they can infect systems.
In theory each OS, whether it is Windows, Unix, Linux, MacOS X or whatever, is prone to viruses and other malicious techniques. Be aware of your actions and if it looks suspicious don’t open/download/install the attachment, don’t follow the link in the case of the CNN trick,…
Get Avira the free version and your virus troubles will be over. I upgraded to premium by completing a survey so even that was free. I have ad aware and spybot and rarely run into problems they don’t catch or fix.
I have seen it lately with track your UPS shipment. As I use shipping, I clicked on it and got this same virus.
[...] similar campaign has been done in the past with the CNN Daily top 10 and the CNN Alerts. These previous campaigns caused several new infections because the receivers of [...]
Malware that displays the detection of a virus to purchase a fake virus cleansing product is very popular these days too. When will it stop?
The virus, from what I have seen, is self extracting. If you downloaded the file you should probably look at: start – run – msconfig. On the screen that pops up go to services. If you see CbEvtSvc, then you are infected.
Thanks Gary,
Just checked my laptop and it has been infected :S is there any guide to remove it?
My virus scanner doesn’t remove it.
Thanks for the heads up. Just think there are people spending their time and bandwidth to scam people. Unbelievable. Long Island Basements
Unfortunately there seems to be no end to this, recently some UK hospitals had to shutdown part of their network due to the MyTob worm, viruses costing lives is a terrible state of affairs and something these virus writers probably don’t consider!
It just goes to show you how vigilant you have to be with this stuff. Always check the true domain behind the link before clicking on it. You will often be surprised at what it actually is!
Good luck everyone.
Andrew Brinkworth
Yeah, this is horrible stuff. I pity people who fell for various Nigerian scammers and such.
Law enforcement has to be more serious when dealing with these people.
Haha, I guess the poor little bloggers (like me) ain’t the only victims of scammer crews.
I wonder if there are virus attacks that come about by only visiting websites without installing or running executable files…i really hope there aren’t sites as such…
I think there are some viruses that come from visiting sites, but they are not in big numbers.
I don’t like malware and viruses. I don’t know why people make them, they just have to be a nuisance.
What a mess! Can’t believe CNN doesn’t have someone to check this kind of stuff!
This post is worth bookmarking and also digging. Spread the word folks! I am a daily reader of CNN news but thank goodness never clicked on those “top 10” links. I don’t know why but I have always been somewhat averse to such “top” stuff, esp. online! Now, as it turns out, this stuff is not so “top” after all.
When I saw this article in Google, I could not believe it. i thought it was a joke or something! Props to the site owner for highlighting this!
I’m so tired of all these viruses and malware. I don’t know why people have to sit around and create these damaging things. Thank you for posting this and bringing it to our attention.
I agree with endtiredness. People creating these accounts are so damn disgusting. Don’t they have better things to do?
Great, that’s all we need, well-known sites to promote malware!
But either way great post, I will be watching out next time.
Thanks for this- After seeing these messages appear in my “Bulk” mail folder about five times a day, I figured there was something “spammy” to it. I did a search and it brought me here. Thank you very much for this informative blog.
Glad they fixed that, can’t believe now even major websites like CNN are spreading these plagues!
I have seen so many well-respected sites have this. The internet no longer is a safe place. Well, when was it!
CNN should keep tab on these sort of malware sites before putting them on top 10.
That’s mast up if you ask me
I just can’t believe the comments that I read here on my blog. It needs some clarification.
@ Leaflet Distrubtuion Shops, @ Carlos Felicio and @Lung Cancer: It is not CNN that compiled the Top 10 with URLs leading to malware. This is the work of a third party and in this case he/she is abusing CNN by using the logo, name and layout of CNN to get people to click on the links to download malware.
The real CNN top 10 news feed is safe to use and follow.
@ Sauder TV Stands: these days every major brand is subject to phishing, scams, malware distribution or other forms of abuse. Social networks like Facebook, MySpace and others are abused on a regular basis.
@ 123 power system: I believe CNN did post a warning on their web site at the time the fake CNN Top 10 was distributed by email. CNN can’t do much more than warn readers about this, just as MX Lab did.
IMPORTANT, READ THIS:
CNN was not responsible for the CNN Top 10 that contained URLs to sites that host malware in the form of a downloadable Flash codec.
Do not post any comments anymore like the above ones, accusing CNN of distributing malware. Your comment will be removed from this blog.
Hi MRXlabs,
Fair point, but what kind of security do these sites have in place? I mean, how protected are they? I know we have phishing sites which cannot be controlled, but surely their own site can. I agree CNN could not do much with this issue, but what are they doing to prevent it? Only yesterday I picked up spyware by visiting a trusted source; it must be from an advert on their site running an .sws file.
At the moment, there is not much CNN can do and can do to prevent this.
Anyone can create an email with the CNN logo, some content and URLs that lead to a web site with eventually malware on it.
Anyone can send out an email with the email address of someone else. Spoofing an email address is one of the tricks to cover up the origin.
There are some techniques available like Sender ID, SPF and others, but they are not widely adopted and have drawbacks, but that’s another discussion.
CNN, and other companies that are ‘victims’, could try to find the author(s)/distributor(s), report them to official organisations, get in contact with ISPs to cut off their internet feed,… In some cases the authorities can track down leads to a person or organisation and bring them to justice but this is not always possible.
Spyware and adware are not the same as malware, trojans and viruses.
Spyware and adware are most of the time non-intrusive programs and are there to track your behaviour, visited sites and so on and will gather information that can be used for marketing purposes. These kinds of programs will not collect sensitive information like passwords, online bank account details and so on.
I do admit that the presence of spyware and adware on your computer is not recommended for several reasons like first of all privacy. Besides this they also use system resources and you have no control regarding what this software will do on your system. So, a spyware or adware removal software is recommended.
A few years ago I helped a client clean up their system. We found no less than 200 spyware and adware programs. After clean up, the computer system was a lot faster and more responsive in use.
Viruses, trojans and malware are there to hurt your computer and could steal sensitive information. They will infect your computer, make certain tasks impossible, turn your computer into a zombie and add it to a botnet, could encrypt important files unless you pay (ransomware) and many things more.
PS. It is MX Lab, not MRXlabs, or anything else. I see often that people write MX Labs or something else. Just don’t know why but please take care of our name. Thanks.
Thank you for posting this information.
I believe that a lot of these e-mail come from Africa and it feels like there are new e-mails similar to this one circulating the internet on a daily basis.
At least through webmaster tools in Google we can now detect malware.
I don’t understand why people do this.
Just goes to show that you can’t trust any email you receive. That is why I always type the url directly into my browser to avoid this sort of thing. With link cloaking technology, you never know what you are actually clicking on.
“At the moment, there is not much CNN can do and can do to prevent this.”
Is it? I am sure CNN could sue the owners of these phishing sites for using their logo and trademarks for spoofing. The only problem is that scamsters don’t always reveal their true identity and address, so finding them is extremely difficult, if not impossible. If you sue them, they would shut down that phishing site, and come up again under a new identity. Pretty much how the professional spammers work!
Another reason for me to contemplate switching to Linux.
For the person above leaving the comment about tracking your UPS shipment advertisements. I work for UPS and I have actually noticed these same viruses. What in the world is going on.
http://www.msckids.com
I need a really great firefox plugin that will stop malware like this from being opened in my browser.
Unreal, but not surprising. I have seen viruses embedded in .pdf files recently, which used to be safe from them. ALWAYS back up your drive!
It’s good to see that you are keeping on top of this.
Wonder if CNN did sth with these?
It’s good to see that they are keeping on top of this. I started getting these in my spam box the other day, and could not work out for the life of me what they were. I’m glad Google’s on to it.
I still wonder how prevalent this stuff is? hmmm, Like Garmin said, I also have seen viruses embedded in pdf’s!
This is useful advice. Time to move to another platform I think!
Simon
You know what I don’t understand, what is the purpose of malware and viruses? Are people just bored and want to destroy people’s computers? Is it advertising? If it is, how is that effective advertising??