Malicious Google Spam Alleging News Video from Bin Laden

We're seeing a new Google Spam run with a malware component making the rounds where the subject line of the message alleges that some of the more popular news agencies have released a Special Report with respect to a new video having been released from Osama bin Laden.  Volume is currently only less than 1% of total inbound virus traffic, so it is pretty low, but is yet another abuse of the Google PageRank system in an attempt to deliver malware.

Some of the subject lines that we have seen include:

Special issue of news from  CNN! Urgent  Fresh News Usama Ben Laden!
Special issue of news from  CNBC! Urgent  Fresh News Usama Ben Laden!
Special issue of news from  Financial Times! Urgent  Shocking News Usama Ben Laden!
Special issue of news from  CNN! Urgent  Apocalyptic News Usama Ben Laden!
Special issue of news from  Bloomberg! Urgent  Fresh News Usama Ben Laden!


You can see a fairly common theme here. 

The email itself is somewhat lengthy and mostly discusses the tragedies that bin Laden has orchestrated against targets around the world.  The most pertinent parts of the message appear at the top (as usual, many grammatical errors exist throughout the message):

Special issue of news from Reuters! Urgent Dangerous News!

hxxp://www.google.com/pagead/iclk?sa=l&ai=PBXCNHM&num=03311&adurl=http://cavalldemar.org/news_usa.php 

 

Usama bin Laden(Osama bin Laden) one of the largest organizers of terrorist

 activity, and similarly the largest leaders of terrorist organization of Al

 Kaeda, detained American soldiery force in Iraq.

 

This particular sample was taken from a message where the subject says that the news update is from CNN so you can see that the news agency in the subject line is not necessarily consistent in the actual message itself.  If the link from the message is followed, it directs the user to a page where they download a file named videousa.exe, which contains the malware.

Also, as of the time of this posting the link to hxxp://cavelldemar.org/news_usa.php (domain registered in Spain) is still active and AV identification is spotty:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.4.22.0	2008.04.21	Win-Trojan/Agent.77824.DX
AntiVir	7.8.0.8	2008.04.21	TR/Crypt.XPACK.Gen
Authentium	4.93.8	2008.04.20	-
Avast	4.8.1169.0	2008.04.21	-
AVG	7.5.0.516	2008.04.21	Downloader.Zlob.12.AH
BitDefender	7.2	2008.04.21	-
CAT-QuickHeal	9.50	2008.04.19	(Suspicious) - DNAScan
ClamAV	0.92.1	2008.04.21	-
DrWeb	4.44.0.09170	2008.04.21	-
eSafe	7.0.15.0	2008.04.17	Suspicious File
eTrust-Vet	31.3.5720	2008.04.21	-
Ewido	4.0	2008.04.21	Backdoor.Agent.gxg
F-Prot	4.4.2.54	2008.04.20	-
F-Secure	6.70.13260.0	2008.04.21	Backdoor.Win32.Agent.gxg
FileAdvisor	1	2008.04.21	-
Fortinet	3.14.0.0	2008.04.21	-
Ikarus	T3.1.1.26	2008.04.21	Trojan.Win32.Revelation
Kaspersky	7.0.0.125	2008.04.21	Backdoor.Win32.Agent.gxg
McAfee	5277	2008.04.18	-
Microsoft	1.3408	2008.04.21	TrojanDropper:Win32/Nuwar.gen!lds
NOD32v2	3043	2008.04.21	-
Norman	5.80.02	2008.04.18	-
Panda	9.0.0.4	2008.04.20	-
Prevx1	V2	2008.04.21	-
Rising	20.41.02.00	2008.04.21	-
Sophos	4.28.0	2008.04.21	Mal/Generic-A
Sunbelt	3.0.1056.0	2008.04.17	-
Symantec	10	2008.04.21	-
TheHacker	6.2.92.285	2008.04.19	-
VBA32	3.12.6.4	2008.04.16	Trojan.Win32.Revelation
VirusBuster	4.3.26:9	2008.04.21	-
Webwasher-Gateway	6.6.2	2008.04.21	Trojan.Crypt.XPACK.Gen

Fake video downloads and updates have been a pretty common theme for the Storm Worm folks for quite some time now.  This "news story" social engineering tactic is what Storm originally used to get most people infected back in January, 2007, so many people have already "been there, done that" which is likely why infection rates are staying pretty low.