Pushdo is at it yet again, this time spamming out emails claiming to be from the Center for Disease Control and Prevention. The email states that the State is launching an H1N1 (Swine flu) Vaccination program and asks that you create a "Vaccination Profile" on their website.
Some of the subject lines we have seen are:
Create your personal Vaccination Profile
Creation of personal Vaccination Profile
Creation of your personal Vaccination Profile
Governmental registration program on the H1N1 vaccination
Instructions on creation of your personal Vaccination Profile
State Vaccination H1N1 Program
State Vaccination Program
Your personal Vaccination Profile
As with many past Pushdo/Zeus campaigns, the link URL follows a familiar format. A legitimate domain, in this case online.cdc.gov, is used as sub-domains of several random looking domains. For example in this case we have:
online.cdc.gov.yttt4l.co.im/h1n1flu/profile.php
online.cdc.gov.yhnbak.net.im/h1n1flu/profile.php
online.cdc.gov.yhnbad.co.im/h1n1flu/profile.php
online.cdc.gov.nyugewy.be/h1n1flu/profile.php
We have seen over 30 domains hosting the page below:
The page provides a link to your Vaccination profile which is in an archive. This is in fact a link to the executable file vacc_profile.exe, which turns out to be the Zeus/Zbot Trojan horse. This has a very low detection rate among antivirus software.
