Osama Spam Onslaught Leads to Trojan

A persistent new spam campaign that purports to show recipients pictures of Osama bin Laden being captured is in fact a ruse that could lead victims to download a malicious Trojan.

The e-mails have been flooding inboxes all over the Internet since Thursday, carrying a subject line that reads: “Osama bin Laden Captured.” The sending address is spoofed, and the messages often appear in tightly grouped batches of eight or 10 e-mails at a time. The text of the message is as follows:

“Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can: http://xxx.xxx.xxx.xx/pics/ God Bless America!”

Users who click on the URL in the message are taken to what looks like an ad for Viagra. But the Web page also attempts to exploit a vulnerability in Internet Exlorer to download a file named Exploit.exe, which contains a Trojan called Small.B, according to an analysis of the threat by Panda Software, based in Glendale, Calif.

Once on the users machine, the Trojan opens a random port and sends the port information to a remote Web server. It then listens on that port for instructions. The Trojan can be used for sending spam, according to McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif.

/zimages/4/28571.gifFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

/zimages/4/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/4/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif