It seems like the Armenian Branch of Nathan Associates Inc (per a whois lookup of the IP address) is hosting a webpage claiming that former UK Prime Minister Tony Blair has died. As far as we know, Tony Blair is well as of February 17, 2009. This page uses the same template as the BBC News website. As soon as the page is loaded, the user is prompted to upgrade to the latest "Adobe Flash Version in order to watch the video" of the car crash that allegedly took the life of Tony Blair.

Pop up to get user to download latest flash version


Pic.1: Upgrade your Flash Version

Consenting to the flash update downloads: http://91.103.XXX.XXX/BBC_News_UK/2/hi/uk_news/bbc_movies/get_flash_update.exe

Trojan download screen


Pic.1: Trojan download

ClamAV detects this file as Trojan.Agent-21076. The Trojan changes the start page of Internet Explorer to the adult website adultmeeter.com and updates the Windows hosts file to contain hostname-to-IP mappings. These mappings effectively prevent users from reaching the websites of the banks Abbey and Caja Madrid by typing abbey.com or cajamadrid.es in their web browsers. The entries in the hosts file redirect users to phishing websites instead.