Malicious spammers are really striking while the iron is hot, so to speak.

Less than a day after spammed messages appeared carrying links that claimed to point to news about the recent Russian-Georgian conflict, the Trend Micro Content Security Team found another spam run, this one carrying malware as an attachment.

Below is an example of the latest spam:

The attached file Georgia.zip is a password-protected .ZIP archive. Password-protecting the archive encrypts the contents of each entry, so the scanners built into email applications cannot inspect the attachment's content; only the archive headers, including the names of the files inside, remain readable. In this case, detection was made for the .ZIP file itself, protecting users before they ever reach its contents. The .ZIP file is detected by Trend Micro as WORM_DLOAD.RAR.

When opened with the password, which is supplied in the body of the same email message, the .ZIP archive is found to contain the file Joined.exe. This file in turn is detected as TROJ_DLOADER.UAF:
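Because traditional ZIP encryption protects only the file data and not the headers, a mail gateway can still reason about an attachment like Georgia.zip without the password: the entry names, sizes and the encryption flag are all in the clear. The Python below is an added example, not Trend Micro's code and not the sample itself. It builds an in-memory stand-in for the attachment (a stored entry named Joined.exe holding dummy bytes, with the ZIP encryption flag set by hand, so a reader demands a password exactly as with a real protected archive), shows that reading the content fails without the password, and returns a verdict from metadata alone. The extension list and the verdict strings are assumptions.

```python
"""Flag password-protected ZIP attachments that hide executables.

Added example, not Trend Micro's code. The archive is constructed in
memory: a stored entry named Joined.exe (name from the post, contents are
dummy bytes) with the ZIP encryption flag set by hand, so content scanning
fails without the password exactly as it does on a real protected archive.
"""
import io
import zipfile

# Assumed policy: extensions a mail gateway would treat as executable.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

ZIP_FLAG_ENCRYPTED = 0x0001  # general purpose bit 0: PKWARE traditional encryption


def _set_encrypted_flag(zip_bytes: bytes) -> bytes:
    """Set bit 0 of the general purpose flag in every local file header
    (signature PK\\x03\\x04, flags at offset 6) and central directory entry
    (signature PK\\x01\\x02, flags at offset 8). The payload itself is not
    encrypted; the flag alone makes any reader demand a password."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= ZIP_FLAG_ENCRYPTED
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_sample_zip(name: str = "Joined.exe", encrypted: bool = True) -> bytes:
    """Constructed stand-in for the Georgia.zip attachment."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"MZ" + b"\x00" * 62)  # dummy bytes, not a real PE
    data = out.getvalue()
    return _set_encrypted_flag(data) if encrypted else data


def content_scan_possible(data: bytes) -> bool:
    """What a scanner that only looks at decompressed content can do: nothing,
    once an entry is flagged encrypted and no password is known."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)  # raises RuntimeError for an encrypted entry
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


def inspect_entries(data: bytes) -> list:
    """Entry metadata readable without the password: names, sizes, flags."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            ext = lower[lower.rfind("."):] if "." in lower else ""
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
                "executable": ext in EXEC_EXTENSIONS,
            })
    return entries


def scan_attachment(data: bytes) -> dict:
    """Gateway verdict from metadata alone (verdict strings are assumed)."""
    entries = inspect_entries(data)
    hidden_exe = any(e["encrypted"] and e["executable"] for e in entries)
    plain_exe = any(e["executable"] for e in entries)
    if hidden_exe:
        verdict = "block"          # executable the content scanner cannot reach
    elif plain_exe:
        verdict = "scan-contents"  # inspectable; hand it to the content scanner
    else:
        verdict = "allow"
    return {
        "entries": entries,
        "content_scannable": content_scan_possible(data),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_attachment(build_sample_zip()), indent=2))
```

The point of the metadata check is that it does not need the password at all: an encrypted entry whose name ends in an executable extension is itself the signal, which is the same reasoning behind detecting the archive rather than waiting to see Joined.exe.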

Upon execution, TROJ_DLOADER.UAF connects to yet another host and downloads additional components, specifically a rogue antivirus (TROJ_FAKEALRT) variant that displays fake warnings of a malware infection. It attempts to trick the victim into buying a fake antivirus program to remove malware that is supposedly affecting the system. The victim is left with a fake antivirus program that was never necessary in the first place, and less money.

Users are now protected from this attack by the Trend Micro Smart Protection Network.

The recent Russia-Georgia conflict caused a worldwide stir as Russian troops reportedly invaded parts of Georgia, injuring numerous civilians. The invasion later came to an end, with Russia withdrawing its troops from Georgian soil.

News events such as this are among the "facades of choice" of malware authors, who promise information on recent events to entice users into clicking malicious links. Just this month, fake news alerts purporting to come from CNN were repeatedly used by spammers and malware authors to distribute their handiwork: