any spammed email message claiming to provide a link to information about U.S. culture or foreign policy is likely to deliver a trojan with rootkit capabilities.
In one of the most prevalent social engineering schemes of this half of the year, users clicking on a spammed link are directed to a web page with a phony video. The user’s browser then displays a request to update their Adobe Flash version to play the video. This time, the malicious executable’s download name is “Adobe_Flash9.exe”. Users seem to be enticed into clicking links with the text “Proceed to the election results news page” and then running this file.
As always, avoid interacting with messages and links that seem questionable.
Another interesting Obama-related file just hitting our community this afternoon has been an infected executable containing a copy of President-elect Barack Obama’s entire acceptance speech: “obama’s presidential speech.exe”. This one just appears to have been run from a system previously infected with a virus with the family name of “Nakuru” or “Kespo”. Symantec’s research team calls it W32.Tupofse.B.
The exe drops the original copy of the .doc file to disk before dropping other viral code, like kspoold.exe. When run, the original .doc file is opened and the entire speech appears:
“If there is anyone out there who still doubts that America is a place where all things are possible; who still wonders if the dream of our founders is alive in our time; who still questions the power of our democracy, tonight is your answer…”
Be sure to pay attention to file extensions before double-clicking on files. The virus alters the file’s icon so that it appears to be a Word document with a .doc extension, but its only extension is .exe. Here is an image of the file, on a system that doesn’t have Microsoft Word installed on it (the Word icon would normally never appear for .doc files on such a system; the WordPad icon should appear by default):
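A content-based check for the advice above, as an added example that is not part of the original post: it identifies a file by its header bytes rather than its icon, and flags an executable that carries a legacy Word document inside it, as the dropper described here does. It assumes the document is stored uncompressed (the post does not say how this sample stores it); `triage`, `make_pe` and the sample bytes are constructed for illustration.

```python
import struct

# OLE2 compound-file signature that starts every legacy Word .doc file.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(data: bytes):
    """Classify a file by content, ignoring its icon and displayed name.

    Returns (kind, offset); offset is where an OLE2 document header was found.
    """
    if data.startswith(OLE2_MAGIC):
        return ("ole2-document", 0)
    if not is_pe(data):
        return ("unknown", None)
    # Skip the DOS header, then look for a document bundled in the image.
    offset = data.find(OLE2_MAGIC, 0x40)
    if offset != -1:
        return ("executable+ole2", offset)
    return ("executable", None)


def make_pe(payload: bytes = b"") -> bytes:
    """Constructed sample: the smallest header that passes is_pe(), plus payload."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return header + b"\0" * 0x100 + payload


if __name__ == "__main__":
    samples = {  # constructed contents, hypothetical names
        "speech.doc": OLE2_MAGIC + b"speech text",
        "speech.exe": make_pe(OLE2_MAGIC + b"speech text"),
        "plain.exe": make_pe(),
    }
    for name, data in samples.items():
        print(f"{name}: {triage(data)}")
```

Treat an `executable+ole2` result as a triage signal only: legitimate installers that bundle MSI packages carry the same OLE2 signature.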