Update on the previously reported spam wave spreading malware.

Our analysis of the web page in the spam shows that it uses a number of exploits to infect a system: Cursor ANI, Create Control Range, MDAC (and this), and SetSlice.

So, fully patched systems should be fine. However, the page that one gets directed to does offer the user the ability to download the malware, so social engineering is still at play here.

Also, sources at the CastleCops SIRT (Spam Incidence Reporting and Takedown) team indicate the following URLs are infection vectors:

Update: More added in the comments section.

[Many of these are live exploit sites. Do not visit unless in a virtual machine, etc.]

More information here and here.

Alex Eckelberry