Death of Michael Jackson inspires spammers and malware distributors

Spammers and malware distributors are trying to take advantage of the death of Michael Jackson. Spammers are sending out email campaigns whose subject and/or body relate to Michael Jackson, while malware distributors try to infect computers by offering a URL to a site that promises a video of the death of the “King of Pop”. Here is a brief overview.

Canadian Pharmacy spam

One of the campaigns contains the subject “Michael Jackson dead? NO!!!” and the body content:

Michael Jackson dead? NO!!!
Open attached file and read!!!

The attachment itself appears to be harmless and contains the HTML refresh tag:

<meta http-equiv='Refresh' content='0; url=hxxp://addfamous.com/' />

This will redirect your browser to the Canadian Pharmacy web site.
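A mail filter can catch this pattern by parsing HTML attachments for an immediate meta refresh. The following is an added example, not code from the original post; the sender address and the attachment name read.html are assumptions, and the message is constructed around the tag quoted above.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message modelled on the campaign described above.
# Sender and attachment file name are assumptions; the URL is the defanged one from the post.
SAMPLE_EML = """\
From: sender@example.invalid
Subject: Michael Jackson dead? NO!!!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Michael Jackson dead? NO!!!
Open attached file and read!!!
--b1
Content-Type: text/html; name="read.html"
Content-Disposition: attachment; filename="read.html"

<meta http-equiv='Refresh' content='0; url=hxxp://addfamous.com/' />
--b1--
"""

class MetaRefreshFinder(HTMLParser):
    """Collect (delay_seconds, target_url) for every <meta http-equiv=refresh>."""
    def __init__(self):
        super().__init__()
        self.redirects = []
    def handle_starttag(self, tag, attrs):  # also invoked for self-closing <meta ... />
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)",
                     a.get("content", ""), re.I)
        if m:
            self.redirects.append((int(m.group(1)), m.group(2).strip()))

def refresh_attachments(raw_message, max_delay=5):
    """Return [(filename, delay, url)] for HTML attachments that auto-redirect quickly."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            finder = MetaRefreshFinder()
            finder.feed(part.get_content())
            hits += [(part.get_filename(), d, u)
                     for d, u in finder.redirects if d <= max_delay]
    return hits

print(refresh_attachments(SAMPLE_EML))
```

The max_delay threshold is an arbitrary choice for this sketch; a refresh with a long delay is not reported.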

Email harvesting

Another campaign is intended to harvest email addresses. It comes from a bogus email account, but the Reply-To is a ***@live.com account. The email claims to have special and confidential information regarding the death of Michael Jackson. A sample of the content:

Confidential
Vital informations after the death of Michael Jackson’s I really need some one trusted & secretive to speak with with informations i have in my possession before its too late Kindly reply me and i will immediately respond back,Its for just secret between both of us

The call to action is to reply to this message. Doing so confirms to the spammer that the email has been received and read, and therefore that the address is active.

Malicious spam

This spam email offers a link to a YouTube video but actually sends the recipient to a Trojan Downloader hosted on a compromised web site. The file is Michael.Jackson.videos.scr. When it is downloaded and executed, the malware downloads and installs 3 information-stealing components. One of the files has the name michael.gif and has a very low AV detection rate.

The malware then installs a malicious BHO (Browser Helper Object) that is registered with the file %windir%\Dynamic.dll. Another component is set to run at startup from %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

VirusTotal permalink and MD5: 664cb28ef710e35dc5b7539eb633abca.
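Both tells in this campaign, a link that claims one site while pointing at another and a target ending in .scr, can be checked mechanically in a message body. The following is an added example, not code from the original post; the HTML body is constructed, compromised-site.example is a placeholder host, and the assumption is that the visible link text showed a YouTube URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions Windows runs directly; .scr (screensaver) is the one used by this campaign.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".bat", ".cmd")

# Constructed HTML body: the visible text claims YouTube, the href points elsewhere.
# The host is a placeholder; the file name is the one named in the post.
SAMPLE_BODY = """
<p>Michael Jackson's last moments on video:</p>
<a href="http://compromised-site.example/media/Michael.Jackson.videos.scr">
http://www.youtube.com/watch?v=CONSTRUCTED</a>
<a href="http://www.youtube.com/watch?v=CONSTRUCTED2">another clip</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return [(href, reasons)] for links that hide their target or fetch an executable."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target, reasons = urlsplit(href), []
        if target.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable-extension")
        # Only compare hosts when the visible text itself looks like a URL.
        shown = urlsplit(text) if "://" in text else None
        if shown and shown.hostname and shown.hostname != target.hostname:
            reasons.append("text-host-mismatch")
        if reasons:
            findings.append((href, reasons))
    return findings

print(suspicious_links(SAMPLE_BODY))
```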

Student Loans

A spam message whose subject and body both read “Micheal Jackson History” (note the misspelled first name) leads to hxxp://loansofworld.blogspot.com/. This message was sent through Google Groups.

Contact databases

An email with the subject “Michael Jackson: last farewell from DataForYou” attracts readers with a subject related to Michael Jackson but actually offers contact databases.

Notice the TinyURL inside the email content, used to hide the direct link to the web site. TinyURL has already removed the URL, but this example shows that you need to be careful with URLs in emails where a service like TinyURL shortens the full URL. Our recommendation is to use a preview feature first when you don’t trust the source.

Dear Sirs,
in our site you have access, through the cheapest prices you have ever seen,
to a vast database of international Companies, divided by region, province, city or area of activity.

The databases are divided into two broad categories.

Archives of International Companies with E-mai only

The archives are divided by country and include a list of e-mail only.
The archives are in TXT format and they are easy to be used because
this format is the typical one used for data import. You can also find
more than one email, relferring to different people working in the same
structure, for the Companies which have provided them.

International Archives of active domains with MX record only

The archives are divided by size and include a list of domains only.
The archives are in TXT format and they are easy to use because this
format is the typical one used for data iimport. All the domains have
an active MX record; this means that each domain is directly linked
with working email accounts.

Visit our site at
hxxp://tinyurl.com/infinitemail

Don’t lose this incredible opportunity for increment your business.

InfiniteMail

Customer Care

If you no longer want to receive our email reply here:
mailto:remove@mediasch0pping.com

National Survey Panel’s Gift Program

What killed Michael Jackson?

Press here:
hxxp://totjebiok.com/tr.php?72928+*****@*****.com

Tell us. Then complete the program requirements for a FREE 7 album collection of MJ’s solo career.

These guys are using the death of Michael Jackson to get people to fill in some information; in return, you are told you can receive his albums for free.

One Response to Death of Michael Jackson inspires spammers and malware distributors

  1. Public Death Records says:

    Hello! from Berkley. I am a fan of your blog
