Beware of scum-filled emails

Someone is always eager to capitalize on the morbid curiosity of the general public. Here’s a warning from the SANS Internet Storm Center (http://isc.sans.org/index.php):

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System – Current Infosec News and Analysis

We received several reports of an email circulating with links to a news article that came with a surprise if you followed the links. DO NOT GO TO THE FOLLOWING LINKS or any others from this site that may be sent to you!!!

(Links mangled to prevent careless clicking -ed)
www.jsn###.vbnnews.com
www.iep###.vbnnews.com
www.jxd###.vbnnews.com
www.nev###.vbnnews.com

Each of the emails seems to have different links in them, but they are associated with the same site.

The subject of the email is “Iraq Bombinng – 140 marines killed” or something similar to it. Yes, the misspellings are from the actual email, and there are many other discrepancies and misspellings in the version that we have seen.
[…]
Once you click on the link, you get their news article, but you also set off a series of events that require no interaction from the user.

First off, there is an exploit on the page that takes advantage of MS05-001 (Vulnerability in HTML Help Could Allow Code Execution), which is just another cross-domain scripting vulnerability. This allows you to get a file called ppp.hta from their website, which is then launched on your local hard drive. This then creates a file called netlog.exe, and this appears to be launched on your local hard drive by using a combination of an ActiveX FileSystemObject and shell. Netlog.exe then goes and gets another file called win32sba.exe, which is a Robobot variant. Now your system can be used for whatever malicious intent the folks who set this scheme up had in mind.

The moral of this story is……Don’t follow the link!!!!!
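For anyone who wants to check whether a machine on their network already followed one of these links, here is an added example (not part of the SANS advisory or the original post) that triages web proxy logs for the stages described above. The log layout, the sample lines, the subdomains and the host serving win32sba.exe are all constructed assumptions; only the parent domain and the two file names come from the advisory.

```python
import re
from collections import defaultdict

# Indicators named in the advisory text; everything else here is an assumption.
BAD_DOMAIN = "vbnnews.com"
STAGES = {"ppp.hta": 2, "win32sba.exe": 3}  # fetched file name -> chain stage
STAGE_NAMES = {1: "visited lure site", 2: "fetched ppp.hta", 3: "fetched win32sba.exe"}

# Assumed (hypothetical) proxy log layout: "<timestamp> <client_ip> <method> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+https?://([^/\s:]+)(?::\d+)?(/\S*)?$", re.I)

# Constructed sample lines: placeholder subdomains, hosts and documentation IPs.
SAMPLE_LOG = [
    "2005-01-20T09:14:02 192.0.2.10 GET http://www.aaa000.vbnnews.com/news.html",
    "2005-01-20T09:14:03 192.0.2.10 GET http://www.aaa000.vbnnews.com/ppp.hta",
    "2005-01-20T09:14:09 192.0.2.10 GET http://files.example.net/win32sba.exe",
    "2005-01-20T09:20:41 192.0.2.22 GET http://www.bbb111.vbnnews.com/news.html",
    "2005-01-20T09:31:00 192.0.2.35 GET http://www.notvbnnews.com/index.html",
]

def classify(host, path):
    """Return the chain stage a single request represents, or 0 if unrelated."""
    host = host.lower().rstrip(".")
    filename = (path or "/").split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if filename in STAGES:  # file names are matched on any host
        return STAGES[filename]
    if host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN):
        return 1  # exact domain or a true subdomain, not a look-alike suffix
    return 0

def triage(lines):
    """Map each client IP to the furthest stage of the chain seen in its requests."""
    furthest = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, _, host, path = m.groups()
        stage = classify(host, path)
        if stage:
            furthest[client] = max(furthest[client], stage)
    return dict(furthest)

if __name__ == "__main__":
    for client, stage in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: stage {stage} ({STAGE_NAMES[stage]})")
```

netlog.exe is created on the local disk rather than downloaded, so it will not show up in proxy logs; any client that reaches stage 2 or 3 needs an endpoint check for that file as well.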