We came across a malspam e-mail today that looks like an authentic CNN Top 10 e-mail blast. The e-mail arrives in HTML format and covers the daily top 10 news items.
Update: We have found several other domains serving the same malware with different hashes.
*warning* These are live malicious sites. Proceed at your own risk!
Some of the titles include:
Corrupt China official betrayed by leaky toilet
Olympic Sport: Blocking the Internet
Boy Loses Arm in Gator Attack
Guinea Pigs Get Dressed … and Eaten
Angry, late, tired passengers make computers crash
Don’t streak, get drunk or sleep outside at Olympics
Paris Hilton’s mom takes offense at McCain’s humor
Cheesus! Jesus Spotted in a Cheeto
It’s a buyer’s market if you know what ‘code words’ to look for.
Cheesus! Jesus Spotted in a Cheeto
Half-scale replica of German tank built for paintball competition.
Dog Plays Mom for Tiger Cubs
6 Police Die in Pre-Olympic Attack
Illusionist Chris Angel races against time in a building set to detonate.
Drunken Man Can’t Erase Arrest
Social networking sites have lots of users, but no one seems to be buying.
Bush urgently flies to Asia
Furnished Nazi bunkers surface in Denmark
6 NFL greats inducted into the pro football hall of fame
When we click on the link, it takes us to hxxp://yooia97.com/news/, a page designed to get us to download get_flash_update.exe, a malicious “codec”.
Additional information
File size: 78848 bytes
MD5: 1fe971d98216e26b0817451943af270b
SHA1: 882fda149f33451fa5ba9abc73db72f50f71cbbe
SHA256: 2cb4320aa298fe330faf5d54c05d224c7dbd28a921ce452fa4c19497c1125d7f
SHA512: b5aea389775f9566a896e9510ad761fc05f00cfeb2694d2c35331f83d915437897bc06888ad6f5ad405a316e568561c9a457004be300c8c67fbbc56d57892609
PEiD: -
PEInfo: PE Structure information
( base data )
entrypointaddress: 0x409f66
timedatestamp: 0x487d1ddb (Tue Jul 15 21:59:55 2008)
machinetype: 0x14c (I386)
( 3 sections )
name virtaddr virtsize rawsize entropy md5
.text 0x1000 0xdf4d 0xc200 8.00 dcf98a98a287684df152670d3c406344
.rdata 0xf000 0x36dc 0x2200 7.98 f45a3f588bfbffda48509cf3caa4c860
.data 0x13000 0x6000 0x4000 4.86 6325a094a4e4462c96bbaab6919ae28d
( 3 imports )
> WININET.DLL: GopherFindFirstFileA, GopherOpenFileW, FtpGetFileW, FreeUrlCacheSpaceA, HttpQueryInfoA
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=1fe971d98216e26b0817451943af270b
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=290F32F1001BC75F34CC01D334F83300C0FDDB47
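As an added example (not code from the original post), here is the kind of check a defender could run over proxy logs for this campaign: it flags the redirect host and fake codec file name named above, the lure-page file names (cnnvideo.html, cnnnews.html, index2.html) seen in the campaign URLs, and compares a downloaded file against the reported MD5. The log lines and the compromised-site.example host are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators from the post: the redirect host, the fake "codec" file name and
# its MD5. The lure-page file names are taken from the observed campaign URLs.
REDIRECT_HOST = "yooia97.com"
FAKE_CODEC = "get_flash_update.exe"
FAKE_CODEC_MD5 = "1fe971d98216e26b0817451943af270b"
LURE_PATH = re.compile(r"/(cnnvideo|cnnnews|index2)\.html$", re.IGNORECASE)

# Constructed Squid-style access log lines: timestamp, client, status, bytes,
# method, URL. compromised-site.example is a placeholder for a lure host.
SAMPLE_LOG = """\
1218102001.123 10.0.0.5 TCP_MISS/200 5120 GET http://compromised-site.example/cnnvideo.html
1218102002.456 10.0.0.5 TCP_MISS/302 412 GET http://yooia97.com/news/
1218102003.789 10.0.0.5 TCP_MISS/200 78848 GET http://yooia97.com/news/get_flash_update.exe
1218102004.000 10.0.0.9 TCP_HIT/200 2048 GET http://www.cnn.com/index.html
"""

def classify(url):
    """Return the reasons a URL matches the campaign; empty list if clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = []
    if host == REDIRECT_HOST:
        reasons.append("known redirect host")
    if LURE_PATH.search(path):
        reasons.append("lure page name")
    if path.endswith("/" + FAKE_CODEC):
        reasons.append("fake codec download")
    return reasons

def scan_log(text):
    """Return (client_ip, url, reasons) for each matching line of a Squid log."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated line; skip rather than guess
        client, url = fields[1], fields[5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits

def is_known_sample(data):
    """True if the bytes hash to the MD5 the post reports for the dropper."""
    return hashlib.md5(data).hexdigest() == FAKE_CODEC_MD5

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The generic index2.html lure name will match legitimate sites too, so treat that reason alone as a lead to correlate with the redirect host rather than a verdict.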

Thanks a lot for this nice web site. It would be better with other languages, but thanks.