Beware of CNN Daily Top 10 scam email campaign


Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Beware of CNN Daily Top 10 scam email campaign

Post by Wiz Feinberg »

The owners of the Zlob Trojan Botnet are currently using an email template designed to look exactly like one sent by CNN to its subscribers. It has the subject "CNN.com Daily Top 10" and the body has two panes full of links. The links on the left go to CNN stories. The "FULL STORY" or "VIDEO" links on the right all go to a Botnet infected zombie computer where a copy of the Zlob Trojan is pushed to you. Should your security settings prevent automatic installations you are offered the file manually, using the trick name get_flash_update.exe.

If you check the address of the sender you'll see that it did not claim to come from cnn.com at all, but from a random account name stolen by the Botnet's email harvester component. Mousing over the links without clicking them will reveal the real destination, which is not on cnn.com and usually ends with a file named index1.php (but this may change).

Please delete any such email scams that arrive in your inbox. If you have already fallen victim to this scam you need to disinfect your computer immediately. I recommend commercial security solutions with the latest definition updates. If you can't afford a commercial anti-malware solution, use Avira AntiVir, or AVG Free, or Avast! Free edition anti virus, or Spybot Search and Destroy anti-spyware.

As of today there are an estimated 14 million computers infected with a type of Zlob Trojan. All Zlobs come to you disguised as a "missing video codec" of some sort. Most of the current ones claim to be a "Flash" update needed to play a video news report. Only update your Flash player at Adobe.com! Do not allow Flash player updates from other sources!
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog

Fake "CNN Alerts: My Custom Alert" email scam

Post by Wiz Feinberg »

The fake CNN email scams have evolved into a CNN Custom Alerts scam. If you receive an email with the subject - "CNN Alerts: My Custom Alert" - and if you are subscribed to CNN custom alerts, check the sender's address. If it does not show an account ending with @email.cnn.com it is a fake scam, containing links leading to Zlob Trojan downloads.

If you are not a CNN subscriber you should automatically delete these scams. If you are a subscriber, always whitelist the full email address used by CNN to send these news briefs and delete all other senders claiming to be CNN.
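The two checks Wiz describes in the posts above (the sender address is not a cnn.com account, and the "FULL STORY"/"VIDEO" links point off cnn.com, typically to an index1.php) can be automated over a saved message. This is an added example, not code from the forum or from any named product; the message is constructed for illustration, and the example.net and 203.0.113.7 values are placeholders.

```python
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample, not a captured message: the headline link is genuine,
# the "FULL STORY" link leads to an unrelated host, as the thread describes.
SAMPLE_EMAIL = """\
From: Random Person <someone@example.net>
Subject: CNN.com Daily Top 10
Content-Type: text/html

<html><body>
<a href="http://www.cnn.com/2008/story.html">Headline</a>
<a href="http://203.0.113.7/index1.php">FULL STORY</a>
</body></html>
"""
LEGIT_SENDER_DOMAIN = "email.cnn.com"  # sender domain named in the thread
LEGIT_LINK_DOMAIN = "cnn.com"
class LinkCollector(HTMLParser):
    # Collects (href, anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append((self._cur[0], self._cur[1].strip()))
            self._cur = None
def host_in_domain(host, domain):
    # True only for the domain itself or a subdomain; "cnn.com.evil.test" fails.
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def analyze(raw):
    # Returns the reasons a message fails the sender and link checks from the thread.
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    addr = parseaddr(msg["From"])[1]
    if not host_in_domain(addr.rpartition("@")[2], LEGIT_SENDER_DOMAIN):
        findings.append(f"sender {addr} is not @{LEGIT_SENDER_DOMAIN}")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        if not host_in_domain(urlparse(href).hostname or "", LEGIT_LINK_DOMAIN):
            findings.append(f"link '{text}' -> {href} is off cnn.com")
    return findings
```

Run `analyze()` on a message saved as raw source from the mail client; an empty list means both the sender and every link passed.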
Jon Light (deceased)
Posts: 14336
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY
State/Province: -
Country: United States

Post by Jon Light (deceased) »

This was in my web based spam folder. I did click on it, saw what it was (with some grammatical errors to tip me off) and deleted it.

Is there any way I put myself in danger?

Here's the kicker----I am grievously infected. My XP home system has been taken over in strange ways that are clear but still allow me full web access. S&D tells me I've got SmitFraud and it tells me it has cleaned it up but it remains. I've disabled system restore and rescanned, re-cleaned up smitfraud and still.....

It also has destroyed system restore and screen saver, altered all system sounds and desktop appearance. When screen saver should kick in it gives me a blue screen warning and then goes into what appears to be reboot mode except that if I hit a key it turns out to be a fake reboot---everything is still up & online.

I am going to attempt a clean windows installation, maybe tomorrow. I also need a new hard drive (getting s.m.a.r.t. error messages for a long time) or maybe a new computer so I am considering totally wiping and starting fresh.

I googled and found other references to the exact messages and symptoms and the fixes were so intimidating to me that I don't even want to go there.

I've got a bunch more info on my symptoms but I've gotta go out and can't spend the time with this right now. It pisses me off because aside from the CNN email, I can't figure where and how I got suckered into this.......it seemed to happen shortly after a Youtube download that was listed here (Gene Clark) but nobody else has reported any issues.

Gaaaa.

Post by Jon Light (deceased) »

Pardon my confusion----in addition to the smitfraud, yes AVG has been battling zlob. All sorts of stuff's been happening. Unfortunately, in the process I've tried deleting stuff, or on at least one occasion having to decide whether or not to accept a registry change that was either something I had done in my attempt to fight this or something the virus was doing---the results have been a mess including inability to boot up which I solved some way or another. But I've also had a rogue antivirus program running that was doing all sorts of stuff....I finally managed to disable it on startup but it's still lurking.

Post by Wiz Feinberg »

Jon;
I'm sorry you are having such a bad time with your PC. The infection you described sounds like Vundo (aka VirtuMonde), which is going crazy this month. Spybot S&D version 6.0.x uses special algorithms to detect and remove this threat, so, if your version of Spybot is anything less than 6.0, you need to update it ASAP.

After updating the version you must update all available definitions, immunize, then turn off System Restore and boot into safe mode. Login to the same account that you normally use, then run Spybot S&D from the desktop icon or start menu link.

You must update your program version and definitions before entering safe mode, because you'll be offline, for your own protection.

Scanning and removing malware in Safe Mode is more effective than Virtual Windows, because a lot of malware loads only in normal Windows startup. But, some malware runs as a "Service" and will start with Safe Mode. Happily, you can Stop any Service, by right-clicking on My Computer, selecting Manage > Services. Find the Service identified by Spybot after it has finished scanning and double click to open it, then click on Stop, then on Disabled, for the Startup Type. Make sure you get the right Service, or you may disable a necessary one.

Finally, if you want to fight it out without reinstalling everything, visit http://www.spywareinfoforum.com/ - sign up for a user account, read the rules, then post a new request for help. Do not hijack anybody else's thread! Post exactly what you are asked to and watch for a reply from a trained malware removal volunteer. Follow his/her instructions to the letter and your computer will be freed from any infections detected during scans and posted reports.

Note, that you must download and prepare to use HijackThis, which is available from Trend Micro. While you are there please also download and install either RUBotted, or their Web Protection Add-on 1.2. Trend Micro's HouseCall is free to use for online virus cleaning and can be downloaded to your computer for offline cleaning of threats found by one of the previously mentioned add-ons. It either uses ActiveX or Java to scan your files and can be run from Internet Explorer (ActiveX), or Firefox (with Java).

Post by Jon Light (deceased) »

Thanks, man
Do you mean S&D 1.6? That's what I've got. And I've done all the safe mode stuff.

I think that forum is what I found with google and all the following the instructions to the letter and the hijack this stuff-----I just don't perform well in that situation. My loss, for sure. But reading the step by step stuff there just made me want to run away.

I can't find the culprit in manage/services. Don't know what it is. But in my two day battle with this it seems that every time I try to grapple with it, it is one step ahead of me and penalizes me for trying to cut its balls off. This is why I think I need to blow up the whole deal and start over. The good news is that I've got everything important backed up in an external drive. Not a mirror copy, though---just a lot of files.
My temptation is to order a super cheap Dell and a replacement drive for this, get the Dell up and running and then install the new drive and a clean install.

THIS FOLDER: rhce7aj0egdr

in program files seems to be the culprit. If I click on the folder I get an AVG alert.
Right now I am tip-toeing around the bugger.

And again---how was I stupid enough to get bit? Damn.

Post by Wiz Feinberg »

THIS FOLDER: rhce7aj0egdr

in program files seems to be the culprit. If I click on the folder I get an AVG alert.
Jon;
If that is where the bad guy lives there is a way to take him out, but it is technical. To remove this folder without any interference from the virus you will need to take the fight to the Recovery Console level. You must have your Windows XP CD on hand and it must contain the same service pack as is currently installed on your computer. You will also have to follow instructions to edit a particular Registry key. If you wish to do this let me know in a reply.

Post by Jon Light (deceased) »

ok--I'm back from the gig....hey, Wiz. Thank you very very much for the assistance. But I'll have to decline and here's why----I don't trust myself to remember everything that I've done up to now that may have altered or worsened the situation. I did some possibly foolish, rash things that caused bad stuff to happen and it was through sheer luck or savantism that I dug my way out. There are also a bunch of other symptoms that I haven't listed and there are other variants of that file name--one is an .exe---I think that's the 'antivirus' program---and another is something else that I think relates to screen saver. And who knows what-all else.
So I'm not at all confident that I can provide you with adequate and complete enough info to enable you to properly help me.
Oh good---a CNN custom alert just came in on my Outlook Express while I'm writing this. Think I should open it and click on some stuff?

Also, I have the original xp disk that came with this Dell but for the SP2 that I believe has been downloaded I have nothing in the way of hard copy.
Looks like I'm going to go ahead and replace this hard drive (which needs doing anyway) and start from scratch.

Thanks again.