Video Screencast Help
Security Response

Malicious Spam Emails Target Nightclub Disaster in Santa Maria

Created: 29 Jan 2013 13:00:20 GMT • Updated: 23 Jan 2014 18:10:05 GMT • Translations available: 日本語
Anand Muralidharan's picture
+2 2 Votes
Login to vote

Symantec Security Response has observed that spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse.

Further analysis of the malicious file shows that the threat creates the following file:

%SystemDrive%\ProgramData\ift.txt

It also alters the registry entries for Internet Explorer.

The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer.

Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:

Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013

Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.

Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013

Translation: Video of the Nightclub accident in Santa Maria RS

Figure 1. Spam email example one

Figure 2. Spam email example two

Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams.