Spammers have used scare tactics in the past, notably during the swine flu outbreak in 2009. A similar spam campaign using scare tactics was observed during the weeks leading up to April 1, 2010 as an expansion of the Conficker worm with the possibility of a major threat launch. Overall, scare attacks are meant to cause panic reactions among recipients who may, out of fear, click malicious links or download and install malicious code. Similar approaches have been observed recently, this time with a false epidemic alert. In this spam campaign trumpeting false epidemic news, spammers try to infuse fear in users and encourage them to read instructions to remain safe from infection.
Sample email subjects suggest there is an epidemic in nearly all countries in the world. However, in individual messages they only mention a single country. The list of countries found in sample messages include countries from Afghanistan to Iceland, Philippines to United States. Sample email also list individual US States, such as Kansas, Colorado, Mississippi, New Jersey, Virginia, and Washington.
Subject: Fwd: Epidemic in Afghanistan
Subject: Fwd: Epidemic in Alaska
Subject: Fwd: Epidemic in Algeria
Subject: Fwd: Epidemic in Andorra
Subject: Fwd: Epidemic in Anguilla
Subject: Fwd: Epidemic in Afghanistan
Subject: Fwd: Epidemic in Alaska
Subject: Fwd: Epidemic in Algeria
Subject: Fwd: Epidemic in Andorra
Subject: Fwd: Epidemic in Anguilla
Subject: Fwd: Epidemic in Australia
Subject: Re: Epidemic in Portugal
Subject: Re: Epidemic in Saint Barthélemy
Subject: Re: Epidemic in Saint Helena, Ascension and Tristan da Cunha
Subject: Re: Epidemic in South Sudan
Subject: Re: Epidemic in Sweden
Subject: Re: Epidemic in Syria
Subject: Re: Epidemic in Taiwan
Subject: Re: Epidemic in Tennessee
Subject: Re: Epidemic in Togo
Subject: Re: Epidemic in Tonga
Subject: Re: Epidemic in Trinidad and Tobago
Subject: Re: Epidemic in Turkey
Subject: Re: Epidemic in Tuvalu
Subject: Re: Epidemic in United Arab Emirates
Subject: Re: Epidemic in Venezuela
Subject: Re: Epidemic in Vermont
Subject: Re: Epidemic in Washington
Subject: Re: Epidemic in Wisconsin
Subject: Fwd: Re: Epidemic in United States
The email body informs users that the government is hiding the epidemic news. If users want to benefit from instructions on how not to get infected, they need to click the link provided in the email. This link leads users to a malware site.
The malicious file downloaded is detected as Trojan.Malscript. These files exploit vulnerabilities and may perform heap spraying.
Email users need to be aware of such scare tactics and avoid panic. Do not believe email from unfamiliar senders. We also recommend users not click links in any message without first verifying the source of the email and, importantly, do not install software downloaded from the internet unless it has been scanned for viruses. Please make sure your virus definitions are updated regularly.
See the Symantec Intelligence Report for best practice guidelines for consumers.