Today our lab has detected a flood of spam messages that contain a malicious link from which malware is downloaded. We’ve seen more than 8,000 in a few hours.

These emails have the following subjects:

Fw:

FW:

Re:

RE:FW:

Re:Fw:

RE:

The content of these messages is just a link to a website. The following are some examples:

If you click the link included in the message, you’ll be redirected to a website that requires you to download and install a fake Flash Player update in order to view it:

[Image: FlashPlayer]

If you click the “Get Macromedia Flash Player” icon, a file called UPDATE.EXE will be downloaded to the computer. This file is not the latest version of Flash Player but a Trojan detected as Sinowal.WWY, which is designed to steal passwords, usernames and other confidential information.

Pay attention to the emails you receive in your inbox, and if any of them looks like this, just delete it.
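The traits described above can also be checked mechanically at a mail gateway. The following is an added example, not code from our lab: it flags a message whose subject consists only of reply/forward prefixes, whose body is nothing but a link, and whose link carries the recipient's address in an `id` parameter. The function names, the two-of-three threshold and the reading of `id` as the recipient's address are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlsplit

# Subject made of nothing but reply/forward prefixes, e.g. "Fw:" or "RE:FW:"
PREFIX_ONLY = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+$", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample messages (hosts and addresses are placeholders)
SAMPLE_SPAM = ("To: alice@example.com\nSubject: RE:FW:\n\n"
               "http://files.example.invalid/archive/?id=alice@example.com\n")
SAMPLE_LEGIT = ("To: alice@example.com\nSubject: Re: Fw: quarterly report\n\n"
                "Draft is at http://intranet.example.invalid/reports?id=42\n")


def campaign_traits(raw_message):
    """Return which of the three campaign traits a raw RFC 822 message shows."""
    msg = message_from_string(raw_message)
    traits = []

    if PREFIX_ONLY.match(msg.get("Subject", "")):
        traits.append("prefix-only-subject")

    # Inspect the first text/plain part (the message itself if not multipart)
    part = next((p for p in msg.walk()
                 if p.get_content_type() == "text/plain"), None)
    body = part.get_payload(decode=True).decode("utf-8", "replace") if part else ""
    urls = URL.findall(body)

    # Body is exactly one URL and nothing else
    if len(urls) == 1 and not URL.sub("", body).strip():
        traits.append("link-only-body")

    # Link is personalised with the recipient's own address (assumed meaning of id=)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    for url in urls:
        ids = [v.lower() for v in parse_qs(urlsplit(url).query).get("id", [])]
        if recipient and recipient in ids:
            traits.append("recipient-in-link")
            break
    return traits


def is_suspect(raw_message):
    """Assumed threshold: quarantine when at least two traits are present."""
    return len(campaign_traits(raw_message)) >= 2
```

A legitimate reply that keeps its original subject text and has prose around the link shows none of the traits, so the check stays quiet on normal forwarded mail.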