Just to say that I received a spam email a few hours ago, like in the old days :), but not in French this time.
Here is the link that appears within the body of the email:
but in fact, here is the real link:
http://videos .katebowman.com.au/images/youtube/videos/abuso/22/2/2011/video-ex-escriva-de-policia-e-despida-em-delegacia-cai-na-internet.php?0.79795
Caution! This one is malicious!
Indeed it will automatically redirect the user to:
http://89. 149.226.195/css/video-ex-escriva-de-policia-e-despida-em-delegacia-cai-na-internet-AVI.exe
As for the "subject" of the link, the part that is supposed to interest the user: it is about a police clerk, "naked", which reminds me of the "sextape" of a few stars... here is the news story it refers to:
http://g1.globo.com/sao-paulo/noticia/2011/02/video-em-que-ex-escriva-de-policia-e-despida-em-delegacia-cai-na-internet.html
"Police" and "naked", probably two words that could invite a person to click on the link...
What about the IP hosting the malware, when the URL is opened in the browsers?
- Opera 11: no warning
- Safari 5.0.3: no warning
- Firefox 3.6.13: no warning
- IE 9: no warning...!
Okay, that's not really a good start. Browsers' built-in security could certainly be more effective...
Let's see what VT says about the sample: 9 engines out of 43 do detect it... I've seen better detection.
BTW, the full version of Nod32 (up to date) does detect it as a variant of Banload.PMI... but Clam In the Cloud does not detect anything, and that surprises me a little.
The sample has been run in the ThreatExpert sandbox. I just received the results, and they look interesting!
http://www.threatexpert.com/report.aspx?md5=8d20e04ba3e66b85fc54860794332ed6
I'll talk about them in more detail pretty soon.