« Supermarket Tabloid Spam | Main | Now We Know Where All the Oil Profits Go »

July 30, 2008

I've seen a series of email messages tonight that have Subject: lines generally referring to "Windows Portal News" or "Windows Team." The message bodies tend to be nearly incomprehensible in English. Here are some samples:

• Last News in video format! Only Best and hot news!
• Last new: The American junky eats the eyes. Look at sample!

Links are to various domains in the following format:

http://[removed].com/upp/fast.php

The destination program redirects to a page that automatically downloads a file named video.avi.exe, for which VirusTotal reports a pretty dismal 10/35 identification rate.

Unlike some of the other recent malware campaigns, which aim for minimalism in their bodies (simple text line and URL), these have both text and HTML-formatted segments. Both segments include an official-sounding trailer that makes the message appear to be delivered as part of the recipient's membership in Microsoft Live:

These guys also took the time to program some strange stuff in the message header. In particular, they insert a second Received: header line making it look as though my email server generated the line (which it definitely did not). The (presumably botnet) program that sends the messages customizes each message's extra Received: line. There is also a mistake in their program because the line includes two placeholders for randomized numbers. D'oh!

Given the low virus program detection for the payload, this could be a pretty nasty chunk of Bad Stuff. Don't go there.