Symantec Security Response has observed that spammers are distributing malicious emails that attempt to lure users into viewing a video of the incident that killed 233 people recently in a horrific tragedy at a popular nightclub in Santa Maria, Brazil. The malicious email is in Portuguese and invites unsuspecting users to click on a link to watch a video of the tragedy. The link provided in the email downloads a zip file containing a malicious control panel file as well an executable file. Symantec detects this threat as Trojan Horse.
Further analysis of the malicious file shows that the threat creates the following file:
It also alters the registry entries for Internet Explorer.
The threat then downloads an IE configuration file from a recently registered domain. Trojan Horse is usually a backdoor Trojan, downloader, or an infostealer.
Samples of the spam emails are shown below (Figures 1 and 2). The email has the following characteristics:
Subject: Video mostra momento exato da tragedia em Santa Maria no Rio Grande Do Sul segunda-feira, 28 de janeiro de 2013
Subject: VIDEO DO ACIDENTE DA BOATE DE SANTA MARIA RS.
Translation: Video shows the beginning of the tragedy in Santa Maria, Rio Grande Do Sul Monday, January 28, 2013
Translation: Video of the Nightclub accident in Santa Maria RS
Figure 1. Spam email example one
Figure 2. Spam email example two
Users are advised to exercise caution when looking for videos, images, and news of recent popular events. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams.