This campaign was reported by Cameron S., software engineer, on 12/15/09 at 3:04 pm.
This campaign is highly randomized and is being distributed via bots.
It contains hooks like:
Is this really your photo?!
Is this photo yours?!
Please tell me is this photo yours?!!
The links are spoofing sendspace, a common file-sharing host.
The actual scammer sites are hosted on Belgian (.be) domains.
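As an added illustration of the tell described above (not part of the original report), a small Python filter that flags a message when its subject carries one of the quoted hooks or when a sendspace-branded link actually points at a .be host; the sample message and the photo-example.be host are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hook phrases quoted in the report above (matched case-insensitively).
HOOKS = (
    "is this really your photo",
    "is this photo yours",
    "please tell me is this photo yours",
)
SPOOFED_BRAND = "sendspace"  # the file host the links impersonate
ACTUAL_TLD = ".be"           # where the scammer pages actually live

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_message(subject: str, html_body: str) -> list:
    """Return the reasons a message resembles this campaign (empty if none)."""
    reasons = []
    if any(hook in subject.lower() for hook in HOOKS):
        reasons.append("hook phrase in subject")
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Brand shown to the user (or in the URL) vs. the host that actually serves it.
        looks_like_sendspace = SPOOFED_BRAND in text.lower() or SPOOFED_BRAND in href.lower()
        if looks_like_sendspace and host.endswith(ACTUAL_TLD):
            reasons.append(f"sendspace-branded link actually points to {host}")
    return reasons

# Constructed sample, not a real campaign message; photo-example.be is a placeholder host.
SAMPLE_SUBJECT = "Is this really your photo?!"
SAMPLE_BODY = '<p>Hi! <a href="http://photo-example.be/pdf.pdf">http://www.sendspace.com/file/photo</a></p>'
```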
Depending on the browser, clicking the link in the email automatically downloads “pdf.pdf”, which contains a PDF exploit. This isn’t so surprising given the recent discovery of several critical security flaws in Adobe products:
http://redmondmag.com/articles/2009/12/15/adobe-investigating-zero-day-pdf-vulnerability.aspx
Here’s the VirusTotal detection for the .pdf payload:
http://www.virustotal.com/analisis/54e08f251ff2f98f8c3024258989eb7e1fa16ab8f7b8b269194cb8c30bc7361d-1260900988
Also, the scammer page has another link/download button that downloads “photo.exe”, which is another Zbot (banking Trojan) variant.
Here’s the VirusTotal permalink (5/41 (12.20%) detections) for the .exe:
http://www.virustotal.com/analisis/03e43923658bfc991003d378e9d410705fbf46d344360e8257993ee8e53313ec-1260900508
Distribution is estimated at moderate to high: 142k+ messages blocked at minimum since about 8 am local time today, at roughly 10-15 thousand messages blocked per hour.
The actual distribution may be significantly higher, as this campaign is hitting several general rules and it is not possible to know what percentage of those hits are due to a particular campaign.