Malicious Gaddafi Death Spam Continues

Contributor: Anand Muralidharan

Recently, the death of Libyan leader Muammar Gaddafi triggered a malware attack which Symantec previously blogged about. We have observed spammers' continued delight with this news event through the sending of malicious attack and 419 spam messages.

In the spam targeting residents of Brazil, a video showing Gaddafi asking for mercy and containing disturbing images also carries malware. By clicking the link provided in the email, users actually download a malicious executable file. Symantec has identifed this threat as Trojan.Ransomlock!gen4.


The email's download links use the following URL patterns:

  • hxxp://
  • hxxp://
  • hxxp://

The following email subject line was observed in the spam attack:

Subject: Novo video nao divulgado por ter imagens fortes mostra Kadhafi pedindo misericordia de joelhos e seus guardas sendo executados

This subject line is translated into English as:

Subject: New video, not released due to disturbing images, shows Gadhafi executed on his knees while asking for mercy from guards

Another spam email taking advantage of the Gaddafi death event is a type of 419 spam. This classical 419 message requests the victim to transfer huge sums of money toward a fund.

The following 419 spam emails are shown as samples:

Here are some subject lines observed in the Gaddafi 419 spam attacks:

  • Subject: Late Muammar Gaddafi's estate
  • Subject: Urgent Assistance Needed From Abu Ismail Aide-de-camp To Late Moammer Gaddhafi
  • Subject: Libyan leader Moammar Gadhafi’s death maybe not true

Internet users are advised to continue to use caution when looking for pictures, video, and news of recent popular news events and take care to not open any suspicious links or attachments received in unsolicited email. Frequently update your security software, which protects you from online viruses and scams.