FYI...

Catch of the Day
- http://www.f-secure.com/weblog/archives/00001316.html
November 12, 2007 - " Today's special is Trojan-Dropper.W32/Agent.CPL. We discovered this phish in -spam- runs promoting a YouTube video. If you click the link in the spam message, it opens a fairly decent copy of YouTube's site... The page, located on a .cn server, prompts for the installation of Adobe's Flash Player. If you download the file, it's named install_flash_player.exe. Just as the real Flash Player download would be. Firefox browser is already warning about the fraudulent nature of this site..."

(Screenshot available at the URL above.)

I got about 5 of these e-mails on Monday, what was interesting was that when I looked at the HTML source code there were links to 3 or 4 different domains rather than just linking to a single URL/domain.

One of the samples I collected is posted on the malware listserv.

/t207677-MD5_29a8b08786a6a5bd253df5b2a42e7979_install_flash_player.html