Another ecard twist

In the last hour, another huge ‘ecard’ spamming run has been detected by SophosLabs. Aside from the usual ecard-related social engineering, some of the messages now masquerade as links to YouTube videos, for example:

nd1

nd2

Of course, the links are not to YouTube, but to the IP address of compromised machines. Clicking on the link will load a web page containing the usual embedded malicious script and manual link to the Dorf malware, for example:

nd3

Happily, the malware involved is proactively detected as Troj/JSXor-Gen (malicious script) and Mal/Dorf-E (Trojan intended to be installed) so there is no need for a detection update to be pushed out at this time.