* We received this notification from Websense this morning. I thought it was pertinent information that should be passed on. ****<http://bd...@kcm.org> *d011
*From:* Websense Security Labs [mailto:donotre...@websensesecuritylabs.com] *Sent:* Friday, June 26, 2009 7:09 AM *To:* Duke, Brian *Subject:* Security Alert: Michael Jackson Death Prompts Malicious Spam Websense Security Labs(TM) ThreatSeeker(TM) Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports<http://edition.cnn.com/2009/SHOWBIZ/Music/06/25/michael.jackson/index.html>Michael Jackson's death was confirmed yesterday. The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called *Michael.Jackson.videos.scr* (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read. In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called *michael.gif*, which has low AV detection rates - see VT results here<http://www.virustotal.com/analisis/67cba7b9d91e1cbcac0f22b5f4bcf12f4b07a1a62d7d3018e28ccd5ee93e0ce4-1246012313>. The malware then installs a malicious BHO that is registered with this file *%windir%/Dynamic.dll* and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at *%windir%\system32\kproces.exe*. Another malicious file installed by the malware is * %windir%\system32\fotos.exe*. Websense® Messaging and Websense Web Security customers are protected against this attack. To view the details of this alert Click here<http://securitylabs.websense.com/content/Alerts/3426.aspx> Protected by Websense Hosted Email Security — www.websense.com -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~
