The Waledec botnet is using spam that claims that “Obama Quits”, explaining that “Barack Obama abandoned sinking ship” and that Obama doesn’t want any more to be president, in order to lure unsuspecting users to add their PCs to its group of zombied computers that it uses to do its dirty work. Other subject lines include “Who Will Be Our President Now?”, “End time for the USA”, and “Haven’t you heard latest news about our president-elect?”
The spam explains that “Barack Obama’s inauguration that was planned on 20th January 2009 is under the threat of failure,” and goes on to say that “On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy.” (Note the broken and poor English.)
The “Obama Quits” spam takes the user to a plausible-looking website which talks all about how Obama has decided to reject the highest office in the United States, and links to a file that is supposedly his speech on the subject. The file bears names such as ‘barakspeech.exe’, ‘obamaspeech.exe’, ‘statement.exe’, ‘obamanews.exe’, ‘president.exe’, ‘barack.exe’, and ‘usa.exe’.
A pretty safe rule is never download something with an .exe at the end, although that rule alone won’t keep your computer from being taken over.
According to Phil Hay, of security firm Marshal8e6 TRACE Labs, “The web site that these spam messages link to looks official and convincing at first glance. Closer examination reveals numerous spelling and grammatical errors on the site which could alert wary email users that this is a trick. Unfortunately we expect that many users who are lured to these sites will invariably click on the link and infect themselves.”
Some of the domains that are implicated in the “Obama Quits” Waledec botnet sweep include superobamaonline.com, greatobamaguide.com, and superobamadirect.com.