Search This Blog

Thursday, April 18, 2013

Boston Marathon spam emails infect many computers today

Please be warned about a brand new massive spam campaign on malware distribution, supposedly showing videos related to the Boston Marathon explosion tragedy that occurred a couple of days ago. In fact, this spam is nowadays attacking millions of PCs and distributing spam with tremendous speed. Clicking the links contained inside of such spam emails is extremely dangerous for your computer and the computers of your friends, colleagues and relatives.

These emails may have the following subjects:

  • Boston Explosion Caught on Video
  • Explosions at the Boston Marathon
  • Aftermath to explosion at Boston Marathon
  • 2 Explosions at Boston Marathon
  • Explosions at Boston Marathon
  • Explosion at Boston Marathon
  • Video of Explosion at the Boston Marathon 2013
  • Explosion at the Boston Marathon
  • BREAKING - Boston Marathon Explosion

Similarly, there's another spam-sending campaign formalized in the form of CNN.com news. It uses the following subjects in spam emails:

  • Opinion: North Korean Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
  • Opinion: Osama bin Laden's legacy - Boston Marathon Explosions - CNN.com
  • Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
  • Opinion: Boston Marathon Explosions - Who benefits? - CNN.com
  • Opinion: China Official's child was the CIA target - Boston Marathon Explosions Worse Sensations. - CNN.com
  • Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
  • Opinion: Boston Marathon Explosions - CIA Benefits? - CNN.com
  • Undeliverable: Explosion at the Boston Marathon
  • Opinion: Osama bin Laden still alive - Boston Marathon Worse Sensation!? - CNN.com
  • Undeliverable: Explosions at Boston Marathon
  • Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
  • Opinion: Boston Marathon Explosions - Obama Benefits? - CNN.com
  • Undeliverable: Boston Explosion Caught on Video
  • Opinion: Boston Marathon Explosions - Osama bin Laden still alive? - CNN.com
  • Undeliverable: Video of Explosion at the Boston Marathon 2013
  • Opinion: Osama death was Faked by CIA - Boston Marathon Explosions Worse News. - CNN.com

These spam links may begin with various IP addresses, such as 118.141.37.122, 190.245.177.248, 178.137.120.224, 110.92.80.47, 37.229.92.116, 188.2.164.112, 178.137.100.12, 78.90.133.133, 118.141.37.122, 212.75.18.190, 178.137.120.224, 110.92.80.47, 83.170.192.154, 37.229.92.116, 219.198.196.116, 37.229.215.183, 61.63.123.44, 61.63.123.44, 219.198.196.116, 85.198.81.26, 190.245.177.248, 94.28.49.130, 94.28.49.130, 94.153.15.249, 83.170.192.154, 78.90.133.133, 95.87.6.156, 85.198.81.26, 94.153.15.249, 212.75.18.190, 37.229.215.183, 95.87.6.156, 188.2.164.112, 178.137.100.12, 46.233.4.113, 176.241.148.169, 176.241.148.169, 91.241.177.162, 46.233.4.113, 213.34.205.27, 213.34.205.27, 91.241.177.162, 62.45.148.76, 85.217.234.98, 62.45.148.76, 85.217.234.98, 31.133.84.65, 31.133.84.65, 109.87.205.222, 109.87.205.222, 50.136.163.28, 50.136.163.28 and will have the ending like /boston.html or /news.html.

Also, these spam emails may begin with domain names, such as domcomfort.ru, whchivast.com, relax-perm.ru, imdh.knu.ac.kr, create-serv.ru, skinnee.net, numeralarmowy-112.pl, imdh.kyungpook.ac.kr, higherthanab.com, ufferichter.dk, business-link.net, ochronaprawkonsumenta.pl, mannesmann.c, kuzenergo.ru, siemsrl.com, alex-spil.dk, host321.ru, vdnh.kiev.ua, theophany.co.nz, yanjingedu.org, china-ptjc.com, econ-group.com, mezdustrok.com.ua, alltomforsakringar.nu and ufferichter.com. These ones have the endings as /bostoncnn.html or /cnn_boston.html.

Clicking such links in spam Boston Marathon emails with videos is dangerous, even though some of these videos can be really viewed after clicking the link. However, in the source code of the web page opened there's a special malicious code that is associated with the site spareroomwebdesign.com and a file "waiq.html".

When clicking the link, the following registry entry is added HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SonyAgent: "C:\WINDOWS\Temp\temp86.exe", as well as the hidden file with 815,616 bytes in size in the same location. By the way, the MD5 of the file is fdbc94958b8f0ec2b24302c6d4685c46. It's worth saying that only few antiviruses detect this file as malware. Once the link is clicked, your computers turn out to be a real spam machine and thus begins to spread similar emails with enormous speed, with the similar subjects stated above. The other, CNN-subjected spam campaign is a Financial Crimes malware infector, often referred to as Cridex. So, please don't ever click such dangerous spam links. Instead, scan your system with reliable security software downloadable below.

Recommended software for malware removal:

Download GridinSoft Trojan Killer
Posted by Andrew McPherson at
Labels: , , , , , ,

1 comment:

  1. UnknownMay 3, 2013 at 9:44 PM

    I saw that you are putting a lot of efforts into your blog. Keep posting the good work.Some really helpful information in there. Nice to see your site. Thanks!

    dell support

    ReplyDelete

Subscribe to: Post Comments (Atom)