Friday, June 20, 2008

Fake Porntube site -> r.html -> video.exe

I recently received an email:

Delivered-To: (REDACTED)
Received: by 10.114.197.7 with SMTP id u7cs66501waf;
Thu, 19 Jun 2008 07:06:35 -0700 (PDT)
Received: by 10.210.46.12 with SMTP id t12mr1910940ebt.23.1213884394448;
Thu, 19 Jun 2008 07:06:34 -0700 (PDT)
Return-Path:
Received: from ?88.251.149.76? ([88.251.202.216])
Thu, 19 Jun 2008 07:06:34 -0700 (PDT)
client-ip=88.251.202.216;
(pluviosc1998@trinitycollege.edu does not designate 88.251.202.216 as permitted sender) smtp.mail=pluviosc1998@trinitycollege.edu

From: "=?ISO-8859-1?Q?Croughn?="
To: (REDACTED)
Subject: =?ISO-8859-1?Q?Lastest! Obama quits presidential race?=
Date: Thu, 19 Jun 2008 17:06:34 +0300
Mime-Version: 1.0
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: 8BIT
Message-Id:
X-Antivirus: avast! (VPS 080618-0, 18.06.2008), Outbound message
X-Antivirus-Status: Clean

Ring it up for Celtics after fantastic win

http://(PARTS REDACTED)homes.com/r.html

Or for those who aren't interested in the headers:

On Thu, Jun 19, 2008 at 8:06 AM, Croughn said:
Ring it up for Celtics after fantastic win
http://(PARTS REDACTED)homes.com/r.html
(I've removed the domain name for your protection.)

I suspected malware, so I opened the URL in a sandbox. I was more than surprised by the images I saw. A very young-looking nude girl was standing next to an older guy. I've blacked out portions of the site, but you can see how a link like this could get even the most innocent people into serious trouble.

Update: The screen shot has been removed from the main page.
If you would like to view the semi censored (not work safe) screen shot, you may:
[CLICK HERE]

The image is actually a link to "video.exe", which is identified by most antivirus as Peed/Peacomm.

This file creates and executes C:\WINDOWS\System32\CbEvtSvc.exe. I suggest that everyone update their IDS to watch for r.html and video.exe.
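As an added example (not the post author's code), here is a small Python check that implements the watch suggested above from the defender's side: it flags proxy or web-server log entries whose requested file is r.html or video.exe, and it pulls matching lure URLs out of a mail body such as the one quoted earlier. The log format (Apache/nginx "combined" style, with absolute URLs as a forward proxy would record them), the hostname example-homes.invalid and all sample lines are constructed for illustration; the real domain is the one the post redacts.

```python
"""Flag requests for the lure page (r.html) and the payload (video.exe).

Added example for this post, not the author's code. The log format and the
hostnames below are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators named in the post: the landing page and the payload file name.
SUSPICIOUS_BASENAMES = {"r.html", "video.exe"}

# Apache/nginx "combined"-style access log line (format is an assumption).
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Plain http/https URLs as they appear in a text-only mail body.
_URL_RE = re.compile(r'https?://[^\s<>"]+')


def path_basename(target):
    """Return the final path component of a request target, ignoring query and fragment.

    Works for absolute URLs (proxy logs) and bare paths (origin-server logs).
    """
    path = urlsplit(target).path
    return path.rsplit("/", 1)[-1].lower()


def flag_requests(log_lines):
    """Return (client, target, reason) for every request matching an indicator."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        name = path_basename(m["target"])
        if name in SUSPICIOUS_BASENAMES:
            reason = "lure page" if name == "r.html" else "payload download"
            hits.append((m["client"], m["target"], reason))
    return hits


def find_lure_urls(body):
    """Return the URLs in a mail body whose file name matches an indicator."""
    return [u for u in _URL_RE.findall(body) if path_basename(u) in SUSPICIOUS_BASENAMES]


# Constructed sample data: two hosts, one of which follows the lure to the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jun/2008:14:10:01 +0000] "GET http://example-homes.invalid/r.html HTTP/1.1" 200 2310',
    '10.0.0.5 - - [19/Jun/2008:14:10:07 +0000] "GET http://example-homes.invalid/video.exe HTTP/1.1" 200 98304',
    '10.0.0.9 - - [19/Jun/2008:14:11:00 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jun/2008:14:11:30 +0000] "GET /r.html?ref=mail HTTP/1.0" 404 0',
]

# Constructed mail body shaped like the one quoted in the post.
SAMPLE_BODY = "Ring it up for Celtics after fantastic win\n\nhttp://example-homes.invalid/r.html\n"


if __name__ == "__main__":
    for client, target, reason in flag_requests(SAMPLE_LOG):
        print(f"{client} requested {target} ({reason})")
    print("lure URLs in mail:", find_lure_urls(SAMPLE_BODY))
```

Matching on the file name alone is deliberately loose: the post says the domain changes from mail to mail, so a signature keyed to the hostname would miss the next wave, while a request for video.exe immediately after r.html from the same client is the sequence worth alerting on and then pulling the host for a malware scan.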

The domain name is not really important. Those who need to know about it already do.

Update: I have several more emails in my mail drops. I've personally received a dozen or more unique sites. I thumbed through my mailing lists, and the experts are already on to these guys. This may be new to many of us this week - but the real experts have already been watching the transformation.

Others blogged about this before me - you can view their analysis by following the URLs below:

http://blog.mxlab.be/2008/06/19/new-malware-outbreak/
http://www.pcmag.com/article2/0,2817,2320835,00.asp

