Since Independence Day just passed, this probably looked appealing for the Waledac guys to drops us another campaign. The Waledac malware family is known for using special and recent events to try to increase their chances of infecting computers. We’ve blogged about past Waledac spam runs in the past such as during Valentines and the US presidential elections last year. We’ve also seen Waledac take advantage of this event to send out another campaign.
 
The “Independence” spammed e-mail  looks like this:

4th of July e-mail

Please be advised that the actual subject/body of the e-mail may vary as well as the links that you are redirected to. But the idea is the same, to get you to watch the “Independence fireworks”.

Other websites may include, but not limited to, one of the following:

movie4thjuly.com
video4thjuly.com
moviefireworks.com
4thfirework.com
fireholiday.com
etc.

Waledac usually uses quite a large list of new domains for each campaign so the list is actually larger.
Once you pay a visit to the “Independence” website, you’ll be directed to a fake youtube-lookalike webpage. Presumably here you are supposed to watch a video with amazing fireworks and some other “goodies”
 
Fake video site

Actually, what happens here is that you’ll be asked to run some executable instead, as you can see in the next picture, which is in this case  “setup.exe”. This is similar to the old trick with the fake codec, just a tad different.

Please bear in mind that the actual filename might change to something enticing like "movie.exe", "fireworks.exe", etc

code dump

If you run this on a machine protected by Microsoft products (Microsoft Forefront, Windows Live Onecare, Microsoft Security Essentials), you’ll get a pop-up saying that Trojan:Win32/Waledac.gen!A was detected and stopped.

In the words of Capt. Steven Hiller (Will Smith) from Independence Day (the movie)  “Didn't I promise you fireworks? ”.
 
We also advise you to stay away from any "fireworks" e-mails you may receive.

-- Andrei Saygo && Patrik Vicol