MessageLabs, the leading provider of email security and management services to businesses, has intercepted copies of an email posing as a video news clip of yesterday’s terrorist attack in London which instead contains a Trojan designed to compromise the recipient’s computer. The email containing this Trojan has been crafted to appear as a CNN Newsletter which asks recipients to “See attachments for unique amateur video shots”.
When executed, the attachment copies itself to %Windir%\winlog.exe and modifies the Windows registry key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” so that it runs automatically on system start-up. The Trojan then attempts to obtain a list of the SMTP servers that the victim’s machine is configured to use and starts to use these servers to send large volumes of unsolicited mail.
MessageLabs’ “legitimate” email volumes rose sharply yesterday morning due to the terrorist attacks in London, with traffic doubling from the usual 500,000 emails per hour to over 1 million. The peak hour for traffic saw an extra 750,000 emails cross MessageLabs servers. Volumes then started to tail off and were substantially below normal levels by mid-afternoon – less than half – and remained so for the rest of the day as many businesses closed early.
Email characteristics of Trojan:
Sender address: firstname.lastname@example.org
Email subject: TERROR HITS LONDON
Filename: ‘London Terror Moovie.avi <124 spaces> Checked By Norton Antivirus.exe’
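The filename above hides its real .exe extension behind a harmless-looking .avi and a long run of spaces, so a mail client that truncates long names shows only the decoy part. The following check for that pattern is an added example, not MessageLabs code; the extension lists, the padding threshold and the function names are assumptions chosen for illustration.

```python
import re

# Assumed for this example: extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Assumed for this example: harmless-looking extensions used as a decoy.
DECOY_EXTS = {".avi", ".mpg", ".jpg", ".gif", ".doc", ".pdf", ".txt"}
# Assumed threshold: a whitespace run this long is treated as padding.
PAD_THRESHOLD = 10


def final_extension(name):
    """Return the extension the operating system will act on, lower-cased."""
    name = name.rstrip()
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_attachment_name(name):
    """Return the reasons an attachment name looks like a disguised executable."""
    reasons = []
    ext = final_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return reasons  # not directly executable, nothing to disguise

    # Long whitespace runs push the real extension out of the visible area.
    longest_pad = max((len(m.group()) for m in re.finditer(r"\s+", name)), default=0)
    if longest_pad >= PAD_THRESHOLD:
        reasons.append("padding")

    # A decoy extension anywhere before the real one (double extension).
    stem = name.rstrip()[: -len(ext)].lower()
    if any(re.search(re.escape(d) + r"(\s|\.|$)", stem) for d in DECOY_EXTS):
        reasons.append("decoy-extension")
    return reasons


# Constructed from the description on this page: 124 spaces between the parts.
REPORTED_NAME = "London Terror Moovie.avi" + " " * 124 + "Checked By Norton Antivirus.exe"

if __name__ == "__main__":
    for sample in (REPORTED_NAME, "holiday video.avi", "setup.exe", "report.pdf.exe"):
        print(repr(sample[:30]), check_attachment_name(sample))
```
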
MessageLabs detected this virus proactively, using its unique and patented Skeptic™ predictive heuristics technology.
For further information, please visit the MessageLabs website at: www.messagelabs.com/intelligence