The malware may have come from home-grown Australian virus writers, since the initial distribution is largely confined to email addresses in Australia.
The email reads: 'SYDNEY, February 18, 2007 08:56pm (AEDT) - The Prime Minister of Australia, John Howard have [sic] survived a heart attack.
'Mr Howard, 67 years old, was at Kirribilli House in Sydney, his prime residence, when he was suddenly stricken. Mr Howard was taken to the Royal North Shore Hospital where the best surgeons of Australia are struggling for his life.'
The email contains a link to a website hosting malicious code, which then forwards recipients to an error page for The Australian newspaper to persuade them that they have found a dead link.
"It seems that the hackers are back to their old tricks of spamming out sensational headlines in the hope that computer users will forget to think before they click, and visit the website hosting the malicious code," said Graham Cluley, senior technology consultant at Sophos.
"The scammers have registered several domain names that appear to be associated with The Australian newspaper, and have gone to great effort to make people think that they really are visiting the genuine site by pointing to the real error page.
"Everyone should be on their guard against this kind of email con-trick, or risk having their PC infected."
Websense A/NZ country manager Joel Camissar said the trojan, formed by several different components, monitored, tracked and keylogged access to webpages and contained a special module for phishing use.
As at 9am EST, there were more than 2500 infected victims including Westpac and the Commonwealth Bank, he said.
According to Websense, the trojan also installs a Web server on the affected machine allowing the attacker to access that machine every time it is online.
Through a control panel, the hacker has a full list of infected machines including IP address, country, ports to access the machine using different protocols, and a link to Google Maps to pinpoint where that IP is located, the company said.
"[This] is a significant alert due to the local nature of the threat, the cynical use of a false report of a heart attack from the PM to trick users to click on a phishing email," Camissar said.
"It is the first time that Google Maps are being used in a seemingly voyeuristic way to pinpoint the location of each infected PC."
Virus writers use a variety of social engineering techniques to get users to open attachments or visit specific web pages, and current events are very much in fashion.
Recent examples have included Valentine's Day, the European storms and Christmas.
(With reporting from Tim Lohman, iTnews.com.au)
Virus writers target Australian PM
By Iain Thomson on Feb 20, 2007 8:59AM