IT Security Blog

19 June 2008

PornTube Malware and Spam Run in High Volumes


Worm Alert!

We are currently seeing high volumes of a new spam run that contains a link to a pornographic web site hosting an ActiveX malware component.  Our Threat Operations Center started seeing these messages at about 6am today and thus far we have received over 8 million of them (accounting for over 85% of our worm traffic over the past 24 hours).  From what we can tell thus far, the malware appears to be related to the Srizbi botnet.

There is no specific lure here as the subject lines to these messages are fairly random, but are trying to generate interest based on fake news stories.  Here are some example subject lines that we have seen so far:

Batman latest movie bombs at box office
Britney found hanged in locker room
Celtics disqualified from NBA title
China Earthquake claims 1 million lives
Dan Brown's latest novel
David Cook American Idol - latest NEW single
Donald Trump missing, feared kidnapped
Egypt Giza pyramids rocked by massive earthquake
Eiffel Tower damaged by massive earthquake
Eiffel Tower suffers structural damage, collapse possible
Find out about Harry Potter's last novel
Ford unveils latest 2 door design hatch
Get Smart -- movie premiere
Get star wars photos
Get the latest discount plan from Ford Cars
Great Wall of China damaged by earthquake
Hiliary admits past failures
Hillary Clinton reveals husband's scandal secrets
Italy knocked out of Euro 2008
Las Vegas Hotel caught in fire
Lastest! Obama quits presidential race
London rocked by gas attack, army on high alert
Love Guru sneak previews here
Man wakes up from 40 year coma
Nokia unveils revolutionary new phone design
Obama suffers setback in polls due to sex secrets
Obama withdraws from elections
Oprah found sleeping the streets
Osama Bin Laden caught finally
Paris Hilton found to be gay
Saddam Hussein found dead
Star Trek star dies at age 79
Statue of Liberty struck by lightning, catches fire
Stonehenge damaged by massive earthquake
Top 10 movies of all time
Top comedy downloads
Top film from the Cannes
Turner Empire poised for bankruptcy file
Usher and Rihanna making out
Watch movie premieres now
White House hit by lightning, catches fire
Windows Vista URGENT upgrade installation



The messages themselves are one-liners followed by a link to a YouTube look-alike site called PornTube, where the user is prompted to install a malicious ActiveX control.  Most of the links that we have seen thus far point to a file named r.html at the end of the URL, such as (obfuscated since most are still hosting active malware at the time of this posting):

hxxp://envol-restaurant.com/r.html

hxxp://spizarnia.nazwa.pl/r.html

hxxp://wandea1.wandea.org.pl/r.html
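The two traits described above (a subject taken from the observed fake-news lure list and a one-line body whose link path ends in /r.html) are enough to build a simple mail-gateway triage rule. The following is an added example, not code from the original post or from the blog's own filtering; the sample messages, the example.invalid hostnames and the function names are constructed for illustration.

```python
"""Triage mail against the PornTube spam-run traits described in the post.

Heuristics taken from the post: subject drawn from the observed lure list,
a one-line body, and a link whose path ends in /r.html.  The message samples
and hostnames below are constructed for this example.
"""
import re
from email import message_from_string

# Subset of the subject lines quoted in the post, compared case-insensitively.
KNOWN_LURES = {
    "batman latest movie bombs at box office",
    "eiffel tower damaged by massive earthquake",
    "lastest! obama quits presidential race",
    "windows vista urgent upgrade installation",
}

# A URL whose path ends in /r.html.  Accepts http/https and the defanged
# "hxxp" spelling used in the post, so IoC lists can be fed through as-is.
R_HTML_LINK = re.compile(r"\bh[tx]{2}ps?://[^\s<>\"']+/r\.html\b", re.IGNORECASE)


def extract_body(msg) -> str:
    """Return the plain-text body of a parsed message (multipart-aware)."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(
            p.get_payload(decode=True).decode("utf-8", "replace") for p in parts
        )
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def analyze(raw: str) -> dict:
    """Score one RFC 822 message and return indicators plus a verdict."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    body = extract_body(msg)
    nonblank = [line for line in body.splitlines() if line.strip()]
    links = R_HTML_LINK.findall(body)
    indicators = {
        "known_lure_subject": subject.lower() in KNOWN_LURES,
        "r_html_link": bool(links),
        "one_liner_body": len(nonblank) <= 2,
    }
    # The /r.html link is the strongest single trait; on its own it is still
    # weak, so require a second trait before quarantining.
    quarantine = indicators["r_html_link"] and (
        indicators["known_lure_subject"] or indicators["one_liner_body"]
    )
    return {
        "subject": subject,
        "links": links,
        "indicators": indicators,
        "verdict": "quarantine" if quarantine else "deliver",
    }


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    # Matches the run: lure subject, one-line body, /r.html link.
    "From: news@example.invalid\n"
    "Subject: Eiffel Tower damaged by massive earthquake\n\n"
    "Watch the video here http://lure-host.example.invalid/r.html\n",
    # Unknown subject but one-liner with the defanged link pattern.
    "From: x@example.invalid\nSubject: hey\n\n"
    "hxxp://other-host.example.invalid/r.html\n",
    # Benign: mentions r.html in text, no link, multi-line body.
    "From: dev@example.invalid\nSubject: release notes\n\n"
    "Please review the new r.html template.\nIt ships tomorrow.\nThanks,\nDev\n",
]


def triage(messages) -> dict:
    """Count verdicts over a batch of raw messages."""
    counts = {"quarantine": 0, "deliver": 0}
    for raw in messages:
        counts[analyze(raw)["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = analyze(raw)
        print(f"{result['verdict']:10s} {result['subject']!r} {result['links']}")
    print(triage(SAMPLE_MESSAGES))
```

The lure list is the part that goes stale fastest; the one-liner-plus-link shape and the /r.html path outlived individual subject lines during this run, which is why the verdict is built from a combination rather than from the subject alone.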


Upon visiting these sites you will see the PornTube site in the background and get the following popup window:


If you click OK, the ActiveX control is installed and your PC is infected; clicking the Cancel button instead displays this popup:



At this point you can get yourself into an endless loop of clicking the OK button on this window and the Cancel button on the previous window.  The only way out of this (in Windows) is to kill your browser window via the Task Manager (or infect yourself, but let's assume that you don't really want to do that :) ).

Keep on the lookout for these as they are currently being distributed in fairly high volumes. 


*** UPDATE 6/20/2008 12:00pm MDT *** After volumes peaking at about one million instances of this worm being seen per hour, as of early this morning it has dropped off to only about 5 thousand per hour.  Looks like this one hit quick and is now tailing off.

Posted by smasiello at 6:01 PM | 4 comments
Re: PornTube Malware and Spam Run in High Volumes
Received several here.
Posted by Roger on July 8, 2008 at 2:33 AM

Re: PornTube Malware and Spam Run in High Volumes
no comment
Posted by amado on September 29, 2008 at 7:48 PM

Re: PornTube Malware and Spam Run in High Volumes
these fake codecs are used to spread fake antivirus/anti-spyware applications and could also be used to connect to a botnet (which spams those emails)
Posted by security researcher on November 28, 2008 at 10:17 AM

Re: PornTube Malware and Spam Run in High Volumes
viruses are sexy
Posted by sex on October 28, 2009 at 4:11 PM