
MSNBC.com - Breaking News

Posted: August 14, 2008

MSNBC.com - Breaking News, like CNN.com Daily Top 10 and CNN Alerts: My Custom Alert, is a spam email crafted to look as though it was sent by MSNBC.com. The 'MSNBC.com - Breaking News' email poses as a news notification that reads:

"BREAKING NEWS: Millions of credit card numbers stolen from bank database, find out if you are affected

Find out more at http://breakingnews.msnbc.com.."

Clicking the breakingnews.msnbc.com link does not take you to msnbc.com; instead you are redirected to a rogue website that displays a page claiming your Flash Player must be updated.

If you accept the offered "update", the file you download is abobe_flash.exe, which is in reality a Trojan Downloader. Once installed, the Trojan Downloader opens a backdoor through which additional malware and rogue anti-spyware programs (such as Antivirus XP 2008) are installed. Beware of emails with the following subject lines:

msnbc.com - BREAKING NEWS: Millions of credic card numbers stolen from bank database, find out if you are affected
msnbc.com - BREAKING NEWS: Time Warner sells AOL
msnbc.com - BREAKING NEWS: Americans loves to sue people
msnbc.com - BREAKING NEWS: How to save money on gas

Clicking the link and downloading the files associated with the "MSNBC.com - Breaking News" email can infect your machine with a Trojan Downloader that modifies the Windows Registry, installs a screensaver imitating the "Blue Screen of Death", and displays a flood of pop-ups and fake system alert messages.

File System Modifications

  • The following files are created on the system:
    # File Name
    1 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg
    2 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine
    3 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun
    4 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
    5 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
    6 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
    7 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
    8 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
    9 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
    10 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
    11 c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Packages
    12 c:\Program Files\rhcnkrj0etfg
    13 c:\Program Files\rhcnkrj0etfg\database.dat
    14 c:\Program Files\rhcnkrj0etfg\license.txt
    15 c:\Program Files\rhcnkrj0etfg\MFC71.dll
    16 c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
    17 c:\Program Files\rhcnkrj0etfg\msvcp71.dll
    18 c:\Program Files\rhcnkrj0etfg\msvcr71.dll
    19 c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
    20 c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe.local
    21 c:\Program Files\rhcnkrj0etfg\Uninstall.exe
    22 c:\WINDOWS\system32\blphcjkrj0etfg.scr
    23 c:\WINDOWS\system32\CbEvtSvc.exe
    24 c:\WINDOWS\system32\drivers\54c70b2e.sys
    25 c:\WINDOWS\system32\lphcjkrj0etfg.exe
    26 c:\WINDOWS\system32\phcjkrj0etfg.bmp
    27 c:\WINDOWS\system32\pphcjkrj0etfg.exe

Registry Modifications

  • The following Registry keys and values are created:
    {Subkeys}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispBackgroundPage"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispScrSavPage"
    HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
    HKEY_LOCAL_MACHINE\SOFTWARE\rhcnkrj0etfg
    {RegistryKeys}
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\54c70b2e
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54c70b2e
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
    {RunKeys}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SMrhcnkrj0etfg"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "lphcjkrj0etfg"
    {Uninstaller}
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..rhcnkrj0etfg
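As an added defender-side example that is not part of the original writeup, the Python below checks a host inventory of file paths and registry entries against the file and Registry artifacts listed above; the inventory data is constructed for the demo, and the comment on the two Policies\System values is my explanation, not the page's.

```python
# Host artifacts taken from the page's File System / Registry Modifications lists.
# Windows paths and key names compare case-insensitively, so everything is lower-cased.
FILE_IOCS = {
    r"c:\windows\system32\blphcjkrj0etfg.scr",
    r"c:\windows\system32\cbevtsvc.exe",
    r"c:\windows\system32\drivers\54c70b2e.sys",
    r"c:\windows\system32\lphcjkrj0etfg.exe",
    r"c:\windows\system32\pphcjkrj0etfg.exe",
    r"c:\program files\rhcnkrj0etfg\rhcnkrj0etfg.exe",
}
# Persistence and UI-tampering registry artifacts as (key, value name or None for a bare key).
REG_IOCS = {
    (r"hklm\software\microsoft\windows\currentversion\run", "smrhcnkrj0etfg"),
    (r"hklm\software\microsoft\windows\currentversion\run", "lphcjkrj0etfg"),
    (r"hklm\system\currentcontrolset\services\cbevtsvc", None),
    (r"hklm\system\currentcontrolset\services\54c70b2e", None),
    # These two policy values hide the Background and Screen Saver tabs of Display
    # Properties, which keeps the victim from removing the fake "Blue Screen" screensaver.
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "nodispbackgroundpage"),
    (r"hkcu\software\microsoft\windows\currentversion\policies\system", "nodispscrsavpage"),
}
_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def norm_key(key: str) -> str:
    """Lower-case a registry path and abbreviate the hive name (HKEY_LOCAL_MACHINE -> hklm)."""
    hive, _, rest = key.lower().partition("\\")
    return _HIVES.get(hive, hive) + "\\" + rest


def scan(files, registry):
    """Return the indicators present in an inventory of file paths and (key, value) pairs."""
    hits = {"files": sorted({f.lower() for f in files} & FILE_IOCS), "registry": []}
    for key, value in registry:
        entry = (norm_key(key), value.lower() if value else None)
        if entry in REG_IOCS:
            hits["registry"].append(entry)
    return hits


# Constructed inventory: two malicious files and one benign one, three malicious
# registry entries and one benign Run value ("ExampleBenignApp" is a placeholder).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\blphcjkrj0etfg.scr",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe",
]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SMrhcnkrj0etfg"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleBenignApp"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "NoDispScrSavPage"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc", None),
]

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, SAMPLE_REGISTRY))
```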

One Comment

  • Ivonne Halliwell says:

    Andrea Ramirez, Ms. Encina, Ms. Holt, C. George and all the other employees have committed fraud. I hope everyone who has been scammed, defrauded or taken advantage of contacts the FBI and provides information, phone numbers, names ..... anything and everything possible.
