
As you can see, the displayed link (HTML) does not match the actual one, which points to a PHP script on another server.
If the user visits the first (displayed) HTML link, they will see the April 2010 news item about the video and will indeed download a pornographic WMV file, but one without pedophile content.

On the other hand, if the user clicks the link, the PHP file is executed and an executable file called video-do-padre-pedofilo-fazendo-sexo-com-menor-mwv.exe is downloaded, which some antivirus products identify as a Trojan.
The file is hosted on a compromised server that had previously been modified (defaced).
On the server there are many directories (around 20) and files that are currently being used to spread this malware.
All the files were created today and will surely be used over the coming days to maximize the number of infected users.

Thank you, Alejandro, for the email report!
Cristian from the Segu-Info Newsroom

