Barack Obama and Trojan.Script.Iframer
People have been reporting spam e-mail linking them to:
It turns out to be an anti-Obama website that makes fake claims such as
"Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy"
However, the owners of the site make it look legitimate by using the same layout as the real Obama site, only with different stories, such as the one mentioned above.
The site also attempts to save a file called "barackblog.exe" or "obamanews.exe" on your system through an exploit that Kaspersky Labs detects as Trojan.Script.Iframer. The file was detected as W32.Waledac by Norton.
Waledac, according to Symantec, is a mass e-mail worm.
Do you see a cycle? Someone created the anti-Obama site, used the e-mail worm to attract views and gain popularity, and a user at Wilders Security Forums reported it in their e-mail.
When I visited the site again today, it attempted to download another sample called "statement.exe". It appears that the site has a list of authentic-sounding filenames.
After an unsuspecting user executes the file, a process named after the file is created. There is no major system slowdown.
VirusTotal coverage is high. ThreatExpert report: