CDC / H1N1 Vaccination Scam Infects Victims
On December 1, 2009 attackers began sending email disguised as correspondence from the Centers for Disease Control (CDC). The email claims an H1N1 vaccination registration is required. Those who comply with the request won't be registering with the CDC - instead they will be infecting their computer with a version of the Banker trojan, which steals usernames and passwords from your online banking sessions.
The following is a description of the bogus CDC H1N1 email and the scam websites involved in the Banker trojan distribution.
Bogus "From" Address:
Centers for Disease Control and Prevention
Subject Lines:
~ Governmental registration program on the H1N1 vaccination
~ Creation of your personal Vaccination Profile
~ State Vaccination H1N1 Program
Message Body:
You have received this e-mail because of the launching of State Vaccination H1N1 Program.
You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:
Malicious Links:
The email then contains the linked text "create personal profile".
The actual links vary between the different versions of the fake CDC H1N1 email. Observed links have included:
http://online.cdc.gov.yttt4r.co.im
http://online.cdc.gov.nyugewm.be
http://online.cdc.gov.yhnbad.com
Malicious Website:
The website used in the malware scam contains the following text:
Your Personal H1N1 Vaccinating Profile is an electronic document, which contains your name, your contact details and your medical data (what kind of illnesses you have sustained in your childhood or what kind of allergy you have to some certain drug). All instructions you need are included in the archive below:
The "archive" link points to a file named 'vacc_profile.exe'. Windows users who do not have file extension viewing enabled will see the filename simply as 'vacc_profile'.
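Both tricks described above, the look-alike subdomain in front of an unrelated registered domain and the executable whose extension Windows hides, can be checked mechanically at the mail gateway. The following Python is an added example written for this page, not code from the original article; it assumes a tiny hard-coded stand-in for the Public Suffix List and runs on constructed sample input built from the links and file name reported above.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real deployment
# loads the full list); it covers the two-label suffix seen in the scam links.
MULTI_LABEL_SUFFIXES = {"co.im", "co.uk", "com.au"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def registrable_domain(host: str) -> str:
    """Domain actually registered: 'yttt4r.co.im' for 'online.cdc.gov.yttt4r.co.im'."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def is_lookalike_link(url: str, trusted: str = "cdc.gov") -> bool:
    """Trusted name appears in the host, but the link is registered elsewhere."""
    host = urlsplit(url).hostname or ""
    return trusted in host and registrable_domain(host) != trusted

def displayed_name(filename: str, extensions_hidden: bool = True) -> str:
    """Name Explorer shows when known extensions are hidden: the last suffix is dropped."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if (extensions_hidden and dot) else filename

def is_disguised_executable(filename: str) -> bool:
    """Executable whose visible (extension-hidden) name gives no hint it runs code."""
    return filename.lower().endswith(EXECUTABLE_EXTENSIONS)

def triage(links, attachments, trusted="cdc.gov"):
    """Findings for a message's links and offered file names (empty list = clean)."""
    findings = []
    for url in links:
        if is_lookalike_link(url, trusted):
            host = urlsplit(url).hostname
            findings.append(f"look-alike link: {host} is really {registrable_domain(host)}")
    for name in attachments:
        if is_disguised_executable(name):
            findings.append(f"executable shown as '{displayed_name(name)}': {name}")
    return findings

if __name__ == "__main__":
    # Constructed sample: the three links and the file name reported above.
    sample_links = ["http://online.cdc.gov.yttt4r.co.im",
                    "http://online.cdc.gov.nyugewm.be",
                    "https://www.cdc.gov/h1n1flu/"]
    for line in triage(sample_links, ["vacc_profile.exe"]):
        print(line)
```

The genuine `www.cdc.gov` link passes because its registrable domain is `cdc.gov`; the scam hosts fail because everything left of `yttt4r.co.im`, `nyugewm.be` or `yhnbad.com` is attacker-chosen.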
Banker Trojan Details:
Not all antivirus software is able to detect this new variant of the Banker trojan, as seen in this VirusTotal report. For a description of the changes the Banker trojan makes to your system, see this ThreatExpert report.