The flu spam mail directs recipients to a spoof CDC website where they are asked to download a 'vaccination archive', purporting to be a document that they can use to fill out their profile information. Appriver said that the document delivers a malware dropper called XPack or Kryptic. McAfee said that the document delivers a very recent version of the Zeus banking trojan.
McAfee's Threat Avert Labs said that VirusTotal tested the new trojan variant against several anti-virus engines and found that only seven out of 41 detected it. The low detection rate, combined with the general public panic over the H1N1 flu, promises to make this spam trojan campaign a particularly virulent one.
"As of 9:15 (CST) we are seeing these messages at the extremely high rate of nearly 18 000 messages per minute netting over 1 million of these messages in the first hour alone", said Appriver in a blog post.
"The domains in the email were registered or updated a week before the campaign began. The whois information associated with the domains indicates that most of them were registered with a Belgian registrar at active24.be", said McAfee.
The DNS servers that were authoritative for the domains used in the H1N1 flu trojan attack were purchased from Xin Net Technologies, a Chinese registrar. However, the servers were located across the world, and some had previously been involved with the Cutwail botnet, which McAfee said may indicate that the servers are legitimate ones that have been compromised.