Sensation.New Video – make haste to look!!!

Since last week we have been noticing a significant increase in certain spam messages, which have several features in common.

The subject of all of them is “Sensation.New Video – make haste to look!!!”, and as a social engineering technique they include a video that refers to different news stories; the latest one we have seen is related to the trailer of a film premiere.

All of them contain a link that starts with a Google URL in order to go unnoticed.

Server: http://pousadarecantonatureza.com.br/
IP: 67.15.48.41
City / Country: Houston (Texas) [United States]

Server: http://www.neufeld-media.de/
IP: 81.169.145.72
City / Country: Berlin [Germany]

 

SPAM

http://www.google.com/pagead/iclk?sa=l&ai=fXfafaD&num=67154&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?lddhUCE
http://www.google.com/pagead/iclk?sa=l&ai=sqxtEvL&num=93594&adurl=http://www.neufeld-media.de/<removed>/news/rdown.php?xssqxtE

SPAM

http://www.google.com/pagead/iclk?sa=l&ai=DtxxsAu&num=85078&adurl=http://pousadarecantonatureza.com.br/<removed>/rdown.php?mVLuOuc
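The links above show the Google host first while the real destination sits in the `adurl` parameter. As an added example (not code from the original post), this Python shows how a mail filter could unwrap such links and report the host they actually lead to; the function names are our own and `example.net` is a constructed placeholder.

```python
import re
from urllib.parse import unquote, urlsplit

# Redirector host, path and parameter name as they appear in the spam links above.
REDIRECT_HOSTS = {"www.google.com", "google.com"}
REDIRECT_PATH = "/pagead/iclk"
TARGET_RE = re.compile(r"(?:^|&)adurl=(.*)$", re.DOTALL)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redirect_target(url):
    """Return the URL carried in adurl, or None if this is not the redirector."""
    # HTML mail bodies may carry &amp; where the raw link has &.
    parts = urlsplit(url.replace("&amp;", "&"))
    if parts.hostname not in REDIRECT_HOSTS or parts.path != REDIRECT_PATH:
        return None
    # The destination is not percent-encoded in the samples and has its own
    # '?', so take everything after adurl= instead of relying on parse_qs.
    match = TARGET_RE.search(parts.query)
    return unquote(match.group(1)) if match else None


def scan_message(body):
    """List links whose visible host is the redirector but that land elsewhere."""
    findings = []
    for link in URL_RE.findall(body):
        target = redirect_target(link)
        if not target:
            continue  # not the redirector, or an empty adurl
        target_host = urlsplit(target).hostname
        if target_host and target_host not in REDIRECT_HOSTS:
            findings.append({"visible_host": urlsplit(link).hostname,
                             "target": target, "target_host": target_host})
    return findings


# Constructed sample body: example.net stands in for a compromised site.
SAMPLE = """Sensation.New Video - make haste to look!!!
http://www.google.com/pagead/iclk?sa=l&ai=AAAAAAA&num=12345&amp;adurl=http://downloads.example.net/news/rdown.php?abcdefg
http://www.google.com/search?q=film+trailer
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

Reputation and blocklist checks should then be applied to `target_host`, not to the host the recipient sees at the start of the link.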

From these URLs a file called "news_m.exe" is downloaded, which is detected as Trj/Downloader.SQV. This downloader then downloads another file called "vshost.exe", detected as Trj/Spammer.AGF, whose objective is to send more spam messages like these.

In addition, another file called "Loca.exe" is downloaded. This file belongs to Trj/KillFiles.BU, which deletes some *.sys files from the system32/drivers directory, causing some instability in the system.

Other content used in these spam messages includes:

Pamela Anderson divorces in third times!!!
CIA tortures prisoners!!!
Harry Potter was purchased by pentkhaus!!!
Two powerful earthquakes happened in the USA!!!
Michael Jakson glued up a person plaster!!!
Madonna reinvents herself as film director!!!
The extramarital son of John Kennedy appeared in Canada!!!