Michael Jackson Death Prompts Malicious Spam
The spam e-mail appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised website

NC News Network, June 30, 2009
      

Websense Security Labs ThreatSeeker Network has discovered spam e-mails offering recipients links to unpublished videos and pictures of singer Michael Jackson.


The spam e-mail appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised website. The file offered is called Michael.Jackson.videos.scr, which is located on a legitimate website hosted in Australia belonging to a radio broadcasting station.


Upon executing the file, a legitimate website at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.


In the background, the malware downloads and installs three further information-stealing components. One of the downloaded files is called michael.gif, which has low AV detection rates. The malware then installs a malicious Browser Helper Object (BHO) that is registered with the file %windir%\Dynamic.dll and the GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. The malware also installs a malicious file at %windir%\system32\fotos.exe.
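
A host check for the artifacts listed above, as an added PowerShell example that is not from Websense or the original article. The BHO, CLSID and Run registry locations are the standard Windows ones and are assumptions here; the article does not say which autostart mechanism kproces.exe uses.

```powershell
# Added example: sweep one host for the artifacts named in the article.
# Registry locations are the standard Windows BHO, CLSID and Run keys (assumed;
# the article does not say which keys the malware writes).
$clsid = '{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}'
$files = 'Dynamic.dll', 'system32\kproces.exe', 'system32\fotos.exe' |
    ForEach-Object { Join-Path $env:windir $_ }
$findings = @()

# 1. Files the article says are written under %windir%
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $created = (Get-Item -LiteralPath $f -Force).CreationTimeUtc.ToString('u')
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = "created $created" }
    }
}

# 2. BHO registration for the GUID, in the native and 32-bit registry views
foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    $bho = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    if (Test-Path -LiteralPath $bho) {
        # Resolve the DLL behind the CLSID so it can be compared with Dynamic.dll
        $srv = "HKLM:\$view\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Type = 'BHO'; Location = $bho; Detail = "InprocServer32 = $dll" }
    }
}

# 3. Run-key values that launch kproces.exe (one common autostart location)
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -match 'kproces\.exe') {
            $findings += [pscustomobject]@{ Type = 'Run'; Location = $run; Detail = "$($p.Name) = $($p.Value)" }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'None of the listed artifacts were found on this host.'
}
```

A clean result only means these specific names and the GUID are absent; the HKCU check covers the account running the script, not other user profiles.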


