The email also poses as a WORM_ZOTOB worm removal tool which actually drops a backdoor program on the unsuspecting victim's system. Network antivirus and internet content security provider, Trend Micro, says the link provided in the email points to what seems to be a regular website with news about the Hurricane Katrina disaster, with a link for a report on the ZOTOB worm on the right-hand side.
However, as soon as the victim views this website, the JS_PHEL.K malware exploits the HTML Help ActiveX Control vulnerability (Microsoft Security Bulletin MS05-001) to silently redirect the browser to another website, which downloads the BKDR_ROBOBOT.AU backdoor program. In addition, the right side of the page contains information about the ZOTOB worm, including a link to a website offering ZOTOB removal tools, which in reality also delivers the BKDR_ROBOBOT.AU backdoor. Once run, this malicious program displays a fake ZOTOB scan message, 'Zotob was not detected on this PC,' leading victims to believe they have received a free antivirus scan.
The backdoor program removes certain antivirus and security applications from the infected computer and opens randomly chosen communication ports to connect to an Internet Relay Chat (IRC) server. This allows attackers to remotely control the computer and direct it to websites from which additional malware is downloaded.
Trend Micro pointed out that malware has in the past also posed as emails delivering disaster news from CNN, making it hard for users to tell which emails are genuine and which are not. In addition, malware often poses as a virus removal program in the wake of larger virus outbreaks; this was particularly prevalent after the ZOTOB outbreak.