Skip navigation.

Barack Obama and Trojan.Script.Iframer

People have been reporting spam e-mail linking them to:


It turns out to be a anti-Obama website; they make fake claims such as

"Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy"

However, the owners of the site make it look legitimate by using the same layout as the real Obama site; only with different stories, such as the one mentioned above.

And, the site attempts to save a file called "barackblog.exe" or "obamanews.exe" on your system through an exploit known as Trojan.Script.Iframer, by Kaspersky Labs. The file was detected as W32.Waledac by Norton.

Waledac, according to Symantec, is a mass e-mail worm.

Do you see a cycle? Someone created the anti-Obama site, used the e-mail worm to attract views and gain popularity, and a user at Wilders Security Forums reported it in their e-mail.



After visiting the site again today, it attempted to download another sample called "statement.exe". It appears that the site has a list of authentic sounding filenames.

After unsuspecting users execute the file, a process is created, corresponding to the file name. There is no major system slowdown.

VirusTotal coverage is high. ThreatExpert report:

It's not an "ANTI-OBAMA

It's not an "ANTI-OBAMA SITE". It's a site to make people download malware...

False Claims

False claims and propaganda. When did Barack ever say that he felt "unqualified" for the Oval Office? The malware is there to complete the loop by sending spam e-mails.

Norton AntiVirus 2009

today i dlded file as

today i dlded file as "onlyyou.exe" & there- at website are where nice Hearts picture. also saved it:)


hey, thanks for this fun

hey, thanks for this fun crypted malware!
it does fun call second time to new_EIP from KERNEL32.dll
also new is: it unmaps self_mapview & again allocates memory at Base address.
inside is UPX-packed executable, i uploaded:


btw, as i see now, filename changed to "you.exe"

Thanks your for analysis

Thanks again. The Waledac worm is getting quite a bit of coverage ... another blog post about someone tracking it.

As for UPX, that packer is way too commonly used.

Norton AntiVirus 2009

My theory about UPX is that

My theory about UPX is that it's the only one that really works consistently, therefore it gets used the most.