Email Spam Trojans Hiding on Websites as MSNBC Breaking News Items
For the past few weeks I suppose everyone has had a bit of email spam with this in the “From” and “Subject”:
msnbc.com: BREAKING NEWS:
There then follows a sucker headline which is obviously pants. They all have a spoofed link for http://breakingnews.msnbc.com which points to somewhere else, quite often an HTML document on the main site page for a photographer or graphics company. There is only the one duff link. All the rest point to Microsoft sites.
A few sites I’ve contacted to let them know that they’ve been hacked – but now I don’t bother – there are too many each day with this particular format.
Here are a few I’ve had today. The links are not live. Firefox 3 or NOD32 trap all the Trojans but copy and paste the links into a browser at your own risk! (Initially there is a modal dialog box that cannot be cancelled except by Task Manager. Clicking OKAY will try to download the package to your PC. NOD32 identifies it as “a variant of Win32/Agent.ETH trojan”).
| Nonsense Headline | Spoofed Link Destination (manually remove spaces from links) | Destination Type | Holder from a WHOIS |
| --- | --- | --- | --- |
| Bush ‘Troubled’ by Gay Marriages. Declares San Francisco Part of ‘Axis of Evil’ | srq.dk/ msn_video.html | Hacked site full of broken php and sql | Domain: srq.dk DNS: srq.dk Registered: 2006-08-30 Expires: 2008-08-31 Registration period: 1 year VID: no Status: Deactivated |
| John Mccain Proposes Gay Marriage | thecaviarco.com/ msn_video.html | Dodgy, new or completely hacked site | Registrant: koein Registered through: GoDaddy.com Inc. |
| New Evidence Suggests That The President May Be Drinking Again | www.mobilzeit-daten.de/ msn_video.html | Possible dodgy site or it has been hacked. Even the contact link is an exe file! | Type: ORG Name: MOBILZEIT Address: Poststr. 9 Pcode: 29308 City: Winsen Country: DE Remarks: CID: 6581951/1020 Changed: 2006-12-31T18:02:31+01:00 |
| One Hot White Chick Injured in Tsunami Disaster | tamarabdul hadi.com/ msn_video.html | Iraqi-Canadian photographer apparently with a Jordanian site registration! The evil package is dumped straight on the homepage area. | Administrative Contact: enana.com Ali Zayni [email hidden] 962.795602616 |
| Bush Claims He Has Supernatural Abilities | eliteworkwear uk.co.uk/ msn_video.html | Workwear and other clothing web shopping site. The evil package is dumped straight on the homepage area. | Registrant: Chris Peacock Trading as: Bubble Design and Marketing Registrant type: UK Individual Registrant’s address: Bubble Design Hallcroft Indust Aurillac Way Retford Nottinghamshire DN22 7PX GB |
I use Mailwasher Pro from Firetrust to check through all my mail. I’ve been using it for several years now – since version 4 I think! It shows all mail as plain text (which I advise everyone to do anyway). This is the substance of the last email above, viewed in plain text.
Mailwasher shows all the obfuscated links nicely.
msnbc.com: BREAKING NEWS: Bush Claims He Has Supernatural Abilities
Find out more at http://breakingnews.msnbc.com [links to eliteworkwearuk.co.uk/msn_video.html]
======================================================
See the top news of the day at MSNBC.com, and the latest from Today Show and NBC Nightly News.
======================================================
This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
http://www.msnbc.msn.com/id/62954182 [links to www.msnbc.msn.com/id/24472415], select unsubscribe, enter the
email address receiving this message, and click the Go button.
Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
MSN PRIVACY STATEMENT
http://privacy.msn.com (http://privacy.msn.com/> [links to privacy.msn.com/])
Added 17/8/8
I’ve also had quite a few emails purporting to be Greetings eCards!
The pattern is the same as the above except usually they don’t even obfuscate the link! This one below, for example, has these properties:
Good day.
You have received an eCard
To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):
http://kkvtombeek.be/e-card.exe
Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!
We hope you enjoy you eCard.
Thank You!
http://www.greetingcard.org
The payload according to NOD32 is described as “a variant of Win32/TrojanDropper.Agent.NMR trojan”. The Belgian website looks okay with info, program of events etc. But the exe file is dumped straight in their front door!
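Both patterns described in this post (a link whose visible text names one host while its real target is another, and a link that goes straight to an .exe) can be checked mechanically in an HTML mail body. The Python check below is an added example, not part of the original post and not how Mailwasher or NOD32 work; the `.example` hostnames, the extension list and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".pif", ".bat")  # assumed list, extend as needed
SAMPLE = (  # constructed mail body modelled on the two mails quoted above
    '<p>Find out more at <a href="http://compromised-shop.example/msn_video.html">'
    'http://breakingnews.msnbc.com</a></p>'
    '<p><a href="http://privacy.msn.com/">http://privacy.msn.com</a></p>'
    '<p><a href="http://club-site.example/e-card.exe">Pick up your eCard</a></p>'
)

class LinkAuditor(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    # Accept bare "example.com/path" text as well as full URLs.
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def audit(html_body):
    """Return a list of (reason, visible_text, real_target) findings."""
    parser = LinkAuditor()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        # Treat the visible text as a URL only if it looks like one.
        shown = host(text) if "." in text and " " not in text else ""
        real = host(href)
        if shown and real and shown != real:
            findings.append(("text-host-mismatch", text, href))
        if urlparse(href).path.lower().endswith(RISKY_EXT):
            findings.append(("executable-download", text, href))
    return findings
```

Calling `audit(SAMPLE)` flags the spoofed breaking-news link and the direct .exe link, and leaves the genuine privacy link alone.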