At first I thought this was regular spam, something close to Viagra (and others...). But, in the end, no...
The contact told me his "mail account" had been stolen, whereas I do believe his computer has been compromised (and then, the bad guys used that to gain access to the email account...).
But when I clicked on it, surprise... The real URL is:
http://bessthoprapi2iad .vv.cc/2i3xuqg42.jsp.
But this will in fact redirect the user to:
http://87.255.77. 35/fw2.pl
Then a new redirection: http://dsdss333 .coom.in/dng311011/a90c83a2e63449deddcf99e0660d9f73/spl.php (detected by KAV 2011, but apparently this is not efficient enough to block the infection).
Under IE9, here is what happens:
If I click on Yes, it goes:
Then...
Quite regular now, since even if I click "Cancel", a file will attempt to be downloaded, still in a regular way:
IE 9 then tries to warn me the file "is not being downloaded so often, and could be harmful"...:
KAV 2011 does not detect the sample. Neither does Malwarebytes.
VirusTotal's results are quite clear! Only 2 engines out of 41...!
About the file:
I also find it interesting to mention that the exe file is in fact made of pure MS technology: Silverlight.
Update 1:
When run on a fully-patched Win 7 x64, nothing really bad happens... it seems that an additional download fails.
This is also what ThreatExpert tells about the file execution history:
http://www.threatexpert.com/report.aspx?md5=c7fa7ebcb697b26ac684f8b18a0f30b4
Buggy malware?