A persistent new spam campaign that purports to show recipients pictures of Osama bin Laden being captured is in fact a ruse that could lead victims to download a malicious Trojan.
The e-mails have been flooding inboxes all over the Internet since Thursday, carrying a subject line that reads: “Osama bin Laden Captured.” The sending address is spoofed, and the messages often appear in tightly grouped batches of eight or 10 e-mails at a time. The text of the message is as follows:
“Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can: http://xxx.xxx.xxx.xx/pics/ God Bless America!”
Users who click on the URL in the message are taken to what looks like an ad for Viagra. But the Web page also attempts to exploit a vulnerability in Internet Exlorer to download a file named Exploit.exe, which contains a Trojan called Small.B, according to an analysis of the threat by Panda Software, based in Glendale, Calif.
Once on the users machine, the Trojan opens a random port and sends the port information to a remote Web server. It then listens on that port for instructions. The Trojan can be used for sending spam, according to McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif.