Email Spam Trojans Hiding on Websites as MSNBC Breaking News Items

For the past few weeks I suppose everyone has had a bit of email spam with this in the “From” and “Subject”: BREAKING NEWS:

There then follows a sucker headline which is obviously pants.  They all have a spoofed link which points to somewhere else, quite often an HTML document on the main site page of a photographer or graphics company.  There is only the one duff link.  All the rest point to Microsoft sites.

A few sites I’ve contacted to let them know that they’ve been hacked – but now I don’t bother – there are too many each day with this particular format.

Agent ETH Trojan as reported by NOD32

Here are a few I’ve had today.  The links are not live.  Firefox 3 or NOD32 trap all the Trojans but copy and paste the links into a browser at your own risk!  (Initially there is a modal dialog box that cannot be cancelled except by Task Manager.  Clicking OKAY will try to download the package to your PC.  NOD32 identifies it as “a variant of Win32/Agent.ETH trojan”.)

(Manually remove spaces from links.)

Nonsense Headline: Bush ‘Troubled’ by Gay Marriages. Declares San Francisco Part of ‘Axis of Evil’
Spoofed Link Destination: msn_video.html
Destination Type: Hacked site full of broken php and sql
Holder from a WHOIS:
    Domain:
    Registered: 2006-08-30
    Expires: 2008-08-31
    Registration period: 1 year
    VID: no
    Status: Deactivated

Nonsense Headline: John Mccain Proposes Gay Marriage
Spoofed Link Destination: msn_video.html
Destination Type: Dodgy, new or completely hacked site
Holder from a WHOIS:
    Registrant:
    Registered through: Inc.

Nonsense Headline: New Evidence Suggests That The President May Be Drinking Again
Spoofed Link Destination: msn_video.html
Destination Type: Possible dodgy site or it has been hacked.  Even the contact link is an exe file!
Holder from a WHOIS:
    Type: ORG
    Address: Poststr. 9
    Pcode: 29308
    City: Winsen
    Country: DE
    Remarks: CID: 6581951/1020
    Changed: 2006-12-31T18: 02: 3101: 00

Nonsense Headline: One Hot White Chick Injured in Tsunami Disaster
Spoofed Link Destination: tamarabdul msn_video.html
Destination Type: Iraqi-Canadian photographer apparently with a Jordanian site registration! The evil package is dumped straight on the homepage area.
Holder from a WHOIS:
    Administrative Contact:
    Ali Zayni
    Fax: 962.64629597 940541
    Amman 11194

Nonsense Headline: Bush Claims He Has Supernatural Abilities
Spoofed Link Destination: eliteworkwear msn_video.html
Destination Type: Workwear and other clothing web shopping site.  The evil package is dumped straight on the homepage area.
Holder from a WHOIS:
    Registrant:
    Chris Peacock
    Trading as:
    Bubble Design and Marketing
    Registrant type:
    UK Individual
    Registrant’s address:
    Bubble Design Hallcroft Indust
    Aurillac Way
    DN22 7PX

I use Mailwasher Pro from Firetrust to check through all my mail.  I’ve been using it for several years now – since version 4 I think!  It shows all mail as plain text (which I advise everyone to do anyway).  This is the substance of the last email above, viewed in plain text.

Mailwasher shows all the obfuscated links nicely.

BREAKING NEWS: Bush Claims He Has Supernatural Abilities

Find out more at [links to]
See the top news of the day at, and the latest from Today Show and NBC Nightly News.

This e-mail is never sent unsolicited. You have received this MSNBC Breaking News Newsletter
newsletter because you subscribed to it or, someone forwarded it to you.
To remove yourself from the list (or to add yourself to the list if this
message was forwarded to you) simply go to
[links to], select unsubscribe, enter the
email address receiving this message, and click the Go button.

Microsoft Corporation – One Microsoft Way – Redmond, WA 98052
; [links to])

Added 17/8/8

I’ve also had quite a few emails purporting to be Greetings eCards!

The pattern is the same as the above except usually they don’t even obfuscate the link!  This one below, for example, has these properties:

Good day.
You have received an eCard

To pick up your eCard, choose from any of the following options:
Click on the following link (or copy & paste it into your web browser):

Your card will be aviailable for pick-up beginning for the next 30 days.
Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

NOD32 warning for Win32/TrojanDropper.Agent.NMR trojan

The payload according to NOD32 is described as “a variant of Win32/TrojanDropper.Agent.NMR trojan”.  The Belgian website looks okay with info, program of events etc.  But the exe file is dumped straight in their front door!
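Added example, not part of the original post: a Python version of the check that a plain-text view allows by eye, for anyone triaging a reported HTML mail. It lists where each link really goes and flags the two patterns described above: link text that shows one host while the href points to another (the MSNBC mails), and a link straight to an exe (the eCard mails). The sample HTML and its .example hosts are constructed placeholders, and the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mail body; the .example hosts are placeholders, not from the page.
SAMPLE_HTML = """
<p>Find out more at <a href="http://hacked-shop.example/msn_video.html">http://breakingnews.msnbc.example/</a></p>
<p>See the top news at <a href="http://www.msnbc.example/">www.msnbc.example</a></p>
<p><a href="http://club.example/ecard.exe">Click here to pick up your eCard</a></p>
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased host if text looks like a URL or bare hostname, else ''."""
    if " " in text or "." not in text:
        return ""  # ordinary link wording such as "Click here"
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()

def audit_links(html):
    """Return [(href, shown_text, [reasons])] for links that deserve a second look."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        reasons = []
        real, displayed = host_of(href), host_of(shown)
        if displayed and real != displayed:
            reasons.append(f"text shows {displayed} but link goes to {real}")
        if urlsplit(href).path.lower().endswith(".exe"):
            reasons.append("link targets an executable file")
        if reasons:
            findings.append((href, shown, reasons))
    return findings
for href, shown, reasons in audit_links(SAMPLE_HTML):
    print(f"{shown!r} [links to] {href}: {'; '.join(reasons)}")
```

The links are only parsed, never fetched, so this is safe to run over a saved copy of a suspect message body.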

By Strangely
