McAfee Labs has been monitoring a spam run that was launched earlier today. The message follows:
Subject: A very warm invitation to you
Hope your week has been wonderfully well. I would like to extend a very warm invitation to you to the Verbum Dei Missionary Festival this Sunday, September 19.
With a lot of support and collaboration from groups of people we work with in the Bay Area, an international spread of food
I really look forward to your coming to be able to catch up more. More details are in the attached invitation, I hope the directions would be helpful in navigating the way to the St. Thomas More parish.
With joy and peace to you,
The destination page does a redirect (to a page on the scaner-g.cz.cc domain) and also contains an iframe (with a target of a page on the arestyute.com domain).
The redirect domain displays the standard fake anti-virus scanning animated image and subsequent prompt to download an executable:
[Image: fake scanning image]
[Image: icon used by executable]
The iframe leads to a cocktail of exploits, including a Java Development Toolkit exploit (CVE-2010-0886), as well as exploits targeting Adobe Flash and PDF vulnerabilities, including CVE-2007-5659, CVE-2008-2992, CVE-2010-0188.
The payload of these exploits is a password-stealing Trojan, which copies itself using a randomly named folder and file in the %AppData% directory and creates a registry run key to load the file at start-up, for example:
This password stealer injects into the iexplorer.exe process and targets dozens of mainstream financial institutions. It also contacts the domains ohmaebahsh.ru and eexiziedai.ru.
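The persistence described above (a randomly named folder and executable under %AppData%, loaded via a Run key) is easy to hunt for from exported registry data. The following is an added example, not code from the original post: it parses constructed `reg query` output for the HKCU Run key and flags entries whose path sits directly under %AppData% in a folder and file whose names look machine-generated (high entropy, few vowels). The heuristic thresholds and the sample entries are assumptions, not values from the post.

```python
import math
import re
from collections import Counter

# Constructed sample of `reg query HKCU\...\CurrentVersion\Run` output (not from
# the original post). The last entry imitates the Trojan's random folder/file.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Dropbox     REG_SZ    "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
    Xkqzvbtr    REG_SZ    C:\Users\alice\AppData\Roaming\Qwpxnzlv\Hzkrtmqa.exe
"""

# One Run value per line: <name> <REG_type> <data>
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# An .exe exactly one folder below %AppData% (Roaming or Local), as the post describes.
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\([^\\]+)\\([^\\]+\.exe)", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic (assumed thresholds): letters only, 6+ chars, high entropy, few vowels."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stem.lower()) / len(stem)
    return shannon_entropy(stem) >= 2.5 and vowel_ratio < 0.3


def parse_run_entries(text: str):
    """Return (value_name, command) pairs from reg query output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def suspicious_run_entries(text: str):
    """Flag Run entries pointing at a random-looking folder and .exe under %AppData%."""
    hits = []
    for value_name, command in parse_run_entries(text):
        m = APPDATA_RE.search(command)
        if m and looks_random(m.group(2)) and looks_random(m.group(3)):
            hits.append((value_name, command))
    return hits
```

Run it over real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) to triage hosts; legitimate software in nested vendor folders is not flagged by this rule.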