New Fake Youtube Email: Your video may have illegal content

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a video that may contain illegal content for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment to view the details of the video. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Your video may have content that is owned or licensed by Music Publishing Rights Collecting Society.
No action is required on your part; however, if you are interested in learning how this affects your video, please open attached file with Content ID Matches section of your account for more information.
Sincerely,
– The YouTube Team

E-mail messages that are related to this threat (RuleID4583 and RuleID4583KVR) may contain the following files:

Content_ID914824_Matches.zip
Content_ID_Matches.avi.exe
Curriculum-2012_4962.zip
Curriculum-2012.exe
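
The attachment pattern described above (a .zip holding an .exe, sometimes disguised with a media extension such as .avi.exe) can be checked at the mail gateway. The following is an added example, not code from Cisco or from the original post; the extension lists and the function names are assumptions, and the sample message is constructed with a harmless placeholder file.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extension lists are assumptions for this example; tune them to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".avi", ".mp4", ".pdf", ".doc", ".jpg", ".txt"}


def classify_member(name):
    """Return 'double-extension', 'executable' or None for one archive member name."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Return (attachment, member, verdict) for every flagged file in zip attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # not a zip archive, nothing to inspect
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for member in archive.namelist():
                if (verdict := classify_member(member)):
                    findings.append((part.get_filename(), member, verdict))
    return findings


def build_sample(zip_name, member_name):
    """Constructed test message: a zip attachment holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"placeholder, not a real binary")
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("Content_ID914824_Matches.zip", "Content_ID_Matches.avi.exe")))
```

Only member names are inspected, so a password-protected or nested archive still needs separate handling.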

Fake Infringing Video Content E-mail Messages on

AntiVir: BDS/Androm.EB.8
DrWeb: BackDoor.Andromeda.22
ESET NOD32: Win32/TrojanDownloader.Wauchos.A
Kaspersky: Trojan-Downloader.Win32.Andromeda.bm
Symantec: Backdoor.Trojan

The Andromeda bot can download additional malware and spy on data.
This sample sends data to the following IP:
178.208.76.141
Host: tanheaven.co.uk
or
Host: a9h23nuianowj12.com
The following autostart entry is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
49942
unicode
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msyygru.bat

https://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=26953