Websense® Security Labs(TM) has received reports that a new email
campaign is spreading that attempts to lure users into downloading
malicious code. It appears as though the same group that was behind the
widespread attacks July 4th, that used greeting card lures to spread,
are behind this also. The July 4th greeting card had more than 250
sites that were hosting a variety of malicious code.  The websites are
using the exact same JavaScript obfuscation technique and exploit code
as the greeting card run also.

All emails use URL’s that send
users to an IP address that will attempt to exploit the users if there
browsers are vulnerable. If the browser is not vulnerable the exploit
code will not work, however the page will attempt the user to download
a file called patch.exe by displaying a message “If your download does
not start in approximately 15 seconds click here to download”.

The
theme of the new email campaigns are based around a new patch that is
available for users who may have been infected with a recent Worm.

Subject lines we have seen so far are:

* Virus Detected!
* Trojan Alert!
* Worm Alert!
* Worm Activity Detected!

Assuming
users are running vulnerable browsers, several files will be downloaded
and run on their machines and Trojan Horses will be installed. As in
the July 4th greeting card attacks their are several versions of the
code that are being uploaded by the attackers in order to thwart
detection.

Additional details and information