Full Version: Spam posing as msnbc.com: BREAKING NEWS
B.I.S.S. Forums > Malware Research Forum > Malware Playground
Kimberly
This email poses as "msnbc.com: BREAKING NEWS" from Microsoft. If we hover over the "Find out more at: ..." link, we see the link to the "bad" website.
Now, someone did screw up things badly, because we are seeing the Breaking News Videos from CNN instead of msnbc.
Same story: a Video ActiveX error mixed with a Flash player upgrade. The page contains some obfuscated code to force the install of the fake codec. We are redirected to
i56web.org:8080/xp/index.php
i56web.org:8080/xp/bin/file.exe
File.exe is the same file as adobe_flash.exe, which you will get if you click on the links in the page. Notice the "Close the page" button. Don't hit that button, as you will be redirected to a fake online scanner at asvoo.org.
Redirects:
asvoo.org/antivir/
www.statcounter.com/counter/counter.js
The spam belongs to the Trojan-Downloader.Win32.Exchanger family.

File details
Filename: adobe_flash.exe

Additional information
File size: 74752 bytes
MD5: 61229aa4f0bb47a80df0b1026cb30fe9
SHA1: 8a1d2cbef4354f27c7b44af1d63bfdcae3c1fa70
SHA256: 2fb8a4ecb561475b52883b535ce9810e6021ebe666e16e89cbbc86018d153547
PEiD: -
File adobe_flash.exe received on 08.13.2008 19:25:22 (CET)

Antivirus          Version          Last Update  Result
AhnLab-V3          2008.8.13.0      2008.08.13   -
AntiVir            7.8.1.19         2008.08.13   -
Authentium         5.1.0.4          2008.08.13   -
Avast              4.8.1195.0       2008.08.13   -
AVG                8.0.0.161        2008.08.13   I-Worm/Nuwar.W
BitDefender        7.2              2008.08.13   Trojan.Downloader.Exchanger.Gen.2
CAT-QuickHeal      9.50             2008.08.13   (Suspicious) - DNAScan
ClamAV             0.93.1           2008.08.13   -
DrWeb              4.44.0.09170     2008.08.13   -
eSafe              7.0.17.0         2008.08.13   Suspicious File
eTrust-Vet         31.6.6030        2008.08.13   -
Ewido              4.0              2008.08.13   -
F-Prot             4.4.4.56         2008.08.13   -
F-Secure           7.60.13501.0     2008.08.13   -
Fortinet           3.14.0.0         2008.08.13   -
GData              2.0.7306.1023    2008.08.13   -
Ikarus             T3.1.1.34.0      2008.08.13   -
K7AntiVirus        7.10.413         2008.08.13   -
Kaspersky          7.0.0.125        2008.08.13   -
McAfee             5359             2008.08.12   -
Microsoft          1.3807           2008.08.13   TrojanDropper:Win32/Nuwar.gen!ldt
NOD32v2            3352             2008.08.13   a variant of Win32/Agent.ETH
Norman             5.80.02          2008.08.13   -
Panda              9.0.0.4          2008.08.13   -
PCTools            4.4.2.0          2008.08.13   -
Prevx1             V2               2008.08.13   Malware Dropper
Rising             20.57.22.00      2008.08.13   -
Sophos             4.32.0           2008.08.13   Mal/EncPk-DA
Sunbelt            3.1.1542.1       2008.08.13   -
Symantec           10               2008.08.13   -
TheHacker          6.3.0.3.046      2008.08.13   -
TrendMicro         8.700.0.1004     2008.08.13   -
VBA32              3.12.8.3         2008.08.13   -
ViRobot            2008.8.13.1335   2008.08.13   -
VirusBuster        4.5.11.0         2008.08.13   -
Webwasher-Gateway  6.6.2            2008.08.13   Worm.Win32.Malware.gen (suspicious)
Kaspersky: Trojan-Downloader.Win32.Exchanger.nb

Domains
i56web.org - asvoo.org - 200.46.83.233

Website Title: 403 Forbidden
Created: 2008-08-01
Expires: 2009-08-01
Whois Server: whois.pir.org

Server Type: nginx/0.5.35
IP Address: 200.46.83.233
IP Location - Panama - Net2net Corp

Whois Record
Domain ID:D153502129-LROR
Domain Name:I56WEB.ORG
Created On:01-Aug-2008 15:36:38 UTC
Expiration Date:01-Aug-2009 15:36:38 UTC
Sponsoring Registrar:Cronon AG Berlin Niederlassung Regensburg (R110-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:OWN10610-ABC
Registrant Name:Lffelhardt Katharina
Registrant Organization:CKL-Unternehmensberatung K.Lffelhardt
Registrant Street1:am Erlenbach 4
Registrant Street2:
Registrant Street3:
Registrant City:Ueberlingen
Registrant State/Province:Germany
Registrant Postal Code:88662
Registrant Country:DE
Registrant Phone:+49.755194994922
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:
Admin ID:KL237-ABC
Admin Name:Lffelhardt Katharina
Admin Street1:am Erlenbach 4
Admin Street2:
Admin Street3:
Admin City:Ueberlingen
Admin State/Province:Germany
Admin Postal Code:88662
Admin Country:DE
Admin Phone:+49.755194994922
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:
Tech ID:HR151-ABC
Tech Name:Hostmaster Strato Rechenzentrum
Tech Organization:Cronon AG Professional IT-Services
Tech Street1:Emmy-Noether-Str. 10
Tech Street2:
Tech Street3:
Tech City:Karlsruhe
Tech State/Province:Germany
Tech Postal Code:76131
Tech Country:DE
Tech Phone:+49.72166320305
Tech Phone Ext.:
Tech FAX:+49.72166320303
Tech FAX Ext.:
Tech Email:
Name Server:SHADES04.RZONE.DE
Name Server:DOCKS11.RZONE.DE
______________________________

youasia.net - 66.199.231.178

Website Title: None given.
ICANN Registrar: ENOM, INC.
Created: 2007-11-26
Expires: 2008-11-26
Updated: 2007-11-27
Registrar Status: ok
Name Server: NS31.HOSTGATOR.COM (has 427,280 domains)
Name Server: NS32.HOSTGATOR.COM
Whois Server: whois.enom.com

Server Type: Apache/2.2.3 (CentOS)
IP Address: 66.199.231.178
IP Location - New York - New York - Ezzi.net

Whois Record
Registration Service Provided By: Hostgator.com
Contact:
Visit: .www.hostgator.com/domains

Domain name: youasia.net

Administrative Contact:
Hostgator.com
Brent Oxley ()
+1.8669642867
Fax: 11
11251 nw freeway suite 400
houston, 77092
US
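As an added example (not code from the post or its author), the hover check Kimberly describes, comparing the visible link text with the real href target, done programmatically over a constructed copy of the message body; only the i56web.org URL comes from the post, the msnbc.com anchor text is made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the spam body described in the post; only the
# i56web.org URL is taken from the post, the msnbc.com text is made up.
SAMPLE_EMAIL_HTML = """
<p>msnbc.com: BREAKING NEWS</p>
<p>Find out more at:
<a href="http://i56web.org:8080/xp/index.php">http://www.msnbc.com/breaking_news</a></p>
<p><a href="http://www.msnbc.com/">msnbc.com</a> | <a href="http://www.msnbc.com/help">Help</a></p>
"""

def registered_domain(host):
    """Crude eTLD+1: keep the last two labels ('www.msnbc.com' -> 'msnbc.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (href, text) pairs whose visible text names a host in a different
    registered domain than the one the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        shown_host = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if "." in shown_host and registered_domain(shown_host) != registered_domain(href_host):
            flagged.append((href, text))  # plain words like "Help" have no dot and are skipped
    return flagged
```

The two-label domain heuristic is deliberately crude; a real mail filter would use the Public Suffix List so that hosts under co.uk and similar are compared correctly.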
Kimberly
When dealing with malware, redirects, hacked websites, etc., some ISPs and webhosting companies are really slow to reply to complaints. Did they hear my complaint about messing up ... Uhmm, dunno, but we've got the "correct page" now.
The "Close page" button is still present; in some cases, when clicking on it, you might get the following warning:
This time we are redirected to i56web.org/antivir/. As seen above, they share the same IP anyways.

A small note on 66.199.231.178 - youasia.net

This IP is hardcoded into the binary and uses a secure connection (port 443). The established link is used to post information about OS version, geo location etc ...

Thx to Malekal_morte for the updated link, his mail addy got p0wn3d before mine.