Orkut Account Usage Notification E-Mails Spreading Trojan



Attackers have found another way to spread Trojans and other malicious code over the internet. This time they are using Google’s social networking web site Orkut to spread the Trojan. The email is spoofed to appear to come from a Google domain, and the fake notification advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the necessary instructions.

According to security firm Websense:

The message contains several links that appear to lead to the official Orkut Web site. Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named ‘imagem.exe’. The malicious file opens the legitimate Orkut network log-in page, and in the background downloads a password stealing Trojan named ‘msn.exe’.

Screenshot of the message

 

From the above screenshot it can easily be seen that the links point to an EXE file named "regulamento_orkut.exe", which is a Trojan (SHA1: 8eb1366d580aeab38d00a5c32835006c3648b8f3). This EXE file is rarely detected by antivirus software. After it runs successfully, it downloads another malicious file, "fox.exe" (SHA1: 8e1df3d55a778550affea7c5216e58a55beaf979), from the same site. The file copies itself to multiple locations on the infected machine with different names. It also adds itself to startup, and monitors browser activities with the intent to steal user information.

Source : Orkut "Account Usage Notification" Malicious Spam


© 2010 ReadersZone. All rights reserved.