Websense Security Labs Alert: Air France plane crash
June 2009 by Websense
Websense® Security Labs ThreatSeeker Network has detected a new malicious spam campaign pretending to deliver legitimate news updates about the Air France plane crash.
The spam campaign is in Portuguese, and includes a link to view the first videos from the crash site. The video link leads to a Trojan Downloader file named Video_AirFrance_447.com. If a user runs the file, it downloads a malicious executable masquerading as an image from [removed].org/imgs/like2.jpg. The malware then registers a password-stealing BHO (Browser Helper Object) component on the system, masquerading as a McAfee SiteAdvisor component, under this GUID: 9387b8b2-5508-11de-8729-c56f55d89593.
The GUID is linked to the malicious installed DLL file named mcieplg.dll under the system32 directory (%windir%\system32\mcieplg.dll). AV detection rates on this file are very low.
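The registration chain described above (a BHO entry keyed by CLSID, whose InprocServer32 default value points at the DLL) is what a responder would check on a suspect host. The following Python script is an added example written for this alert, not Websense's own tooling: it parses a `.reg` export of the BHO list and the CLSID keys, correlates each BHO with its display name and DLL path, and flags entries that match the two indicators from the alert (the GUID and `mcieplg.dll`) or that load from `system32`, an unusual location for a third-party browser add-on. The sample registry text is constructed; the benign "Example Vendor" entry and its all-zero GUID are made up for contrast.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the Websense alert above.
KNOWN_BAD_GUID = "9387b8b2-5508-11de-8729-c56f55d89593"
KNOWN_BAD_DLL = "mcieplg.dll"

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample .reg export (as produced by `reg export`): one made-up benign BHO
# and one entry shaped like the registration described in the alert.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Vendor Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9387B8B2-5508-11DE-8729-C56F55D89593}]

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}]
@="McAfee SiteAdvisor"

[HKEY_CLASSES_ROOT\CLSID\{9387B8B2-5508-11DE-8729-C56F55D89593}\InprocServer32]
@="C:\\WINDOWS\\system32\\mcieplg.dll"
"ThreadingModel"="Apartment"
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; "@" is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            val = m.group(2)
            if val.startswith('"') and val.endswith('"'):
                # .reg string values escape backslashes and quotes with a backslash.
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            keys[current][name] = val
    return keys


def audit_bhos(keys):
    """Correlate every registered BHO with its CLSID name and InprocServer32 DLL; attach reasons for review."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for key in keys:
        if not key.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]  # "{GUID}"
        guid = clsid.strip("{}").lower()
        name = lower.get(f"hkey_classes_root\\clsid\\{clsid}".lower(), {}).get("@", "")
        dll = lower.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32".lower(), {}).get("@", "")
        reasons = []
        if guid == KNOWN_BAD_GUID:
            reasons.append("CLSID matches the GUID reported in the alert")
        if PureWindowsPath(dll).name.lower() == KNOWN_BAD_DLL:
            reasons.append("DLL name matches mcieplg.dll from the alert")
        if "system32" in [p.lower() for p in PureWindowsPath(dll).parts]:
            reasons.append("BHO DLL loads from system32, unusual for a third-party add-on")
        findings.append({"clsid": guid, "name": name, "dll": dll, "reasons": reasons})
    return findings


def suspicious(findings):
    """Return only the BHOs that triggered at least one reason."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(audit_bhos(parse_reg(SAMPLE_REG))):
        print(f'{f["clsid"]}  "{f["name"]}"  {f["dll"]}')
        for r in f["reasons"]:
            print("   -", r)
```

On a live host the same two key trees can be dumped with `reg export` and fed to `parse_reg`; the display name is deliberately not trusted on its own, since this sample borrows a legitimate vendor's name, so the DLL path and the indicator match carry the decision.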