Security Response

MJ’s New Song Leaked Triggers Spam Attacks

Created: 14 Oct 2009 07:20:12 GMT • Updated: 23 Jan 2014 18:32:13 GMT
Joji Hamada

Michael Jackson's new song "This Is It" premiered on MichaelJackson.com at midnight on October 12, where fans can listen to it for free. But apparently a 45-second preview of the song leaked onto YouTube the day before.

The spam below has been making the rounds, tricking people into clicking the link in the email to listen to the preview (obviously it's not a real email from CNN, nor is the ad a real ad from GAP!).

[Image: mj.PNG]
 
Once the user clicks on the link, the browser opens a page on a site that's believed to be compromised. That page refreshes to another site, which appears to be hacked as well, to execute a .hta file that is detected as Downloader.Psyme.

Once the .hta file is executed, a file called AutoCfg.exe (detected as Backdoor.Trojan by Symantec) and the legitimate files Servmess.dll, Autoexnt.exe, and Instexnt.exe are downloaded. These legitimate files are normally used for administrative purposes, but in this case the malware uses them to run after every reboot, even if no one is logged on to the computer. At this point, the computer can be remotely controlled and all the information on it is in the hands of the criminals.
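A triage rule for the chain described above, as an added example that is not part of the original post: it correlates an .hta execution with the four file names from the post appearing on the same host shortly afterwards, and rates the legitimate trio on its own as lower priority. The event tuple format, host names, paths and the 10-minute window are assumptions made for the example; only the file names come from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# File names as given in the post (compared case-insensitively)
BACKDOOR = "autocfg.exe"
AUTOEXNT = {"servmess.dll", "autoexnt.exe", "instexnt.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events: (timestamp, host, action, path)
EVENTS = [
    ("2009-10-14T07:01:00", "WS-01", "exec", r"C:\Temp\preview.hta"),
    ("2009-10-14T07:01:20", "WS-01", "write", r"C:\Temp\AutoCfg.exe"),
    ("2009-10-14T07:01:25", "WS-01", "write", r"C:\Temp\Servmess.dll"),
    ("2009-10-14T07:01:26", "WS-01", "write", r"C:\Temp\Autoexnt.exe"),
    ("2009-10-14T07:01:27", "WS-01", "write", r"C:\Temp\Instexnt.exe"),
    ("2009-10-14T09:00:00", "SRV-02", "write", r"D:\Tools\Servmess.dll"),
    ("2009-10-14T09:00:01", "SRV-02", "write", r"D:\Tools\Autoexnt.exe"),
    ("2009-10-14T09:00:02", "SRV-02", "write", r"D:\Tools\Instexnt.exe"),
    ("2009-10-14T10:15:00", "WS-03", "exec", r"C:\Apps\helpdesk.hta"),
    ("2009-10-14T11:30:00", "WS-04", "exec", r"C:\Temp\song.hta"),
    ("2009-10-14T11:30:40", "WS-04", "write", r"C:\Temp\AutoCfg.exe"),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return {host: 'chain-match' | 'partial' | 'autoexnt-only' | 'clean'}."""
    by_host = defaultdict(list)
    for ts, host, action, path in events:
        by_host[host].append((datetime.fromisoformat(ts), action, basename(path)))
    verdicts = {}
    for host, rows in by_host.items():
        rows.sort()
        writes = {n for _, a, n in rows if a == "write"}
        # The trio alone may be a genuine admin install: review, lower priority
        verdict = "autoexnt-only" if AUTOEXNT <= writes else "clean"
        for t0, action, name in rows:
            if action != "exec" or not name.endswith(".hta"):
                continue
            dropped = {n for t, a, n in rows if a == "write" and t0 <= t <= t0 + WINDOW}
            if BACKDOOR in dropped and AUTOEXNT <= dropped:
                verdict = "chain-match"  # full sequence from the post
                break
            if dropped & (AUTOEXNT | {BACKDOOR}):
                verdict = "partial"      # some of the named files after an .hta run
        verdicts[host] = verdict
    return verdicts

if __name__ == "__main__":
    print(triage(EVENTS))
```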

A big thanks to the Symantec E-mail Security Group for providing the information.