Press Releases

Browse our press release archive

12 Jul 2006

Vladimir Putin death spam helps spread Trojan horse

Hackers try to infect users while attempting a "joe job" to discredit Russian heating firm

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a spam campaign that poses as a breaking news report about the death of Russian President Vladimir Putin, but is really an attempt by hackers to infect computer users with a Trojan horse.

The email claims that the Russian president has died

The email claims that Vladimir Putin, president of the Russian Federation, has died.

However, embedded in the HTML email is a hidden script that exploits the ADODB.Stream vulnerability to secretly download the malicious Troj/Dloadr-ZP Trojan horse from a Russian website. The Trojan horse is designed to download further malicious code which could allow remote hackers to gain unauthorized access to the victim's computer.

Although the link pretends to be that of a BBC News report, the user is really directed to another Russian website purporting to be the home of a construction firm focused on providing heating systems for apartments and advertising training seminars.

"It appears whoever sent this spam is trying to discredit the Russian firm in what we call a 'joe job'. Users may think that the spam was purely an attempt to drive traffic to the construction company's products and seminars, whereas in fact hackers are also using the opportunity to try and infect unprotected PCs," explained Graham Cluley, senior technology consultant for Sophos. "Everyone should protect their computers with security patches, up-to-date anti-virus software, firewalls and a solid defense against spam. Hackers have used bogus stories about breaking news stories in the past to encourage people to open emails, and they're likely to do so again."

Sophos's anti-malware products were automatically updated to protect against the Troj/Dloadr-ZP Trojan horse at 05:22 GMT on 12 July 2006.

"Normally, a joe job is a spam campaign forged to appear as though it came from an innocent party, with the intention of incriminating or pinning blame onto them," continued Cluley. "In this case, users wanting to read the news report may think that the emails came from the Russian website they are directed to selling seminars and heating systems. In truth, the spam emails came from a zombie network of compromised computers around the world, being exploited by the hackers. If users aren't careful they could find their PCs part of the zombie network as well."

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against viruses and spam.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at