John Howard 'heart attack' used to lure surfers.
Security experts have warned of a virus being distributed via email claiming that the Australian prime minister has had a serious heart attack.
The malware may have come from home-grown Australian virus writers, since the initial distribution is largely confined to email addresses in Australia.
The email reads: 'SYDNEY, February 18, 2007 08:56pm (AEDT) - The Prime Minister of Australia, John Howard have [sic] survived a heart attack.
'Mr Howard, 67 years old, was at Kirribilli House in Sydney, his prime residence, when he was suddenly stricken. Mr Howard was taken to the Royal North Shore Hospital where the best surgeons of Australia are struggling for his life.'
The email contains a link to a website containing malicious code, and forwards recipients to an error page for The Australian newspaper to persuade users that they have found a dead link.
"It seems that the hackers are back to their old tricks of spamming out sensational headlines in the hope that computer users will forget to think before they click, and visit the website hosting the malicious code," said Graham Cluley, senior technology consultant at Sophos.
"The scammers have registered several domain names that appear to be associated with The Australian newspaper, and have gone to great effort to make people think that they really are visiting the genuine site by pointing to the real error page.
"Everyone should be on their guard against this kind of email con-trick, or risk having their PC infected."
Websense A/NZ country manager Joel Camissar said the trojan, formed by several different components, monitored, tracked and keylogged access to webpages and contained a special module for phishing use.
As at 9am EST time, there were more than 2500 infected victims including Westpac and Commonwealth Bank, he said.
According to Camissar, the trojan also installs a Web server on the affected machine allowing the attacker to access that machine every time it is online.
This was achieved via a control panel through which the hacker had a full list of all the infected machines including IP address, country, ports to access the machine to using different protocols, and even a link to google maps which will exactly point out where that IP is located.
"[This] is a significant alert due to the local nature of the threat, the cynical use of a false report of a heart attack from the PM to trick users to click on a phishing email," he said.
"It is the first time that google maps are being used in a seemingly voyeuristic way to pinpoint the location of each infected PC."
Virus writers use a variety of social engineering techniques to get users to open attachments or visit specific web pages, and current events are very much in fashion.
Recent examples have included Valentine's Day, the European storms and Christmas.