Child porn spam hides Trojan

Messages claim that the recipient's email address has been found in a child porn database

Cyber-criminals have launched a "massive spoof email attack" that accuses victims of being associated with a child porn site in a bid to trick them into downloading malware.

The messages, which use the subject line 'CP investigation was started', claim that the recipient's email address has been found in a child porn database discovered by the Association of Sites Advocating Child Protection (ASACP).

The email actually contains the Agent-CPK Trojan horse.

The ASACP has published a warning on its website, informing recipients of the message that they may be at risk of infection.

Part of the malicious email reads as follows:

'I'd like to inform you that investigating activity of the one of child porno sites; we found e-mails data base, in which was your e-mail . In view of this, I have two versions: either you are the client of this shop, or your e-mail appeared there accidentally. I sincerely hope that it was accidental coincidence and believe that you are interested in this version as well. If you show a good will, make modest, voluntary donation on our site [URL removed] I will be convinced in your being not implicated in this business.'

Attached to the email is a file called asset576.zip which unzips to a file called asset.txt.exe. Running this executable file installs the Trojan onto the user's computer.

"The danger is that people may panic when they think their email address was found on a child abuse website, rush to open the attached file and become infected by a malicious Trojan," said Graham Cluley, senior technology consultant at Sophos.

"The ASACP is an entirely innocent party in this attack. It is simply the organisation's name that is being spoofed by the hackers in their attempt to infect innocent computer users."