Author Topic: E-mail postcard infects computers!  (Read 10309 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
E-mail postcard infects computers!
« on: June 29, 2007, 09:45:51 PM »
Hi malware fighters,

An electronic postcard makes your computer into a zombie.
This e-mail drops into your inbox as "You've received a postcard from a family member!", and has a link to an IP address that uses JavaScript and various exploits as malware vectors. When JavaScript is disabled, the user is shown a handy hyperlink so he can infect himself.

To minimize distrust, the website shows a message that says it is all about testing a new browser feature, and that when you cannot see the postcard, you should open the link to the executable. Yesterday the malware was only detected by three AV products. To infect websites automatically the website uses QuickTime, WinZip & WebViewFolderIcon exploits.

On infection the zombie is used to send new infected postcard mails and to host the malware. ISC came with the following analysis: http://isc.sans.org/diary.php?storyid=3063

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
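The lure described above has three properties a mail filter can key on: a postcard-themed subject, a link whose host is a bare IP address rather than a domain, and a fallback link straight to an executable. The following is an added example, not code from the original post or from any product; the sample message is constructed (RFC 5737 documentation address, made-up token) and the scoring rule is an assumption, not a published detection.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; the address is an
# RFC 5737 documentation IP and the token is made up, not a real capture.
SAMPLE_EMAIL = """\
From: "Postcard" <postcard@example.invalid>
Subject: You've received a postcard from a family member!
Content-Type: text/plain

Hi, you have received a postcard from a family member.
View it here: http://192.0.2.10/?e5f1a9
If the card does not open, download it: http://192.0.2.10/ecard.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
LURE_SUBJECT_RE = re.compile(r"\b(postcard|e-?card|greeting card)\b", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")

def is_ip_literal(host) -> bool:
    """True when the URL host is a bare IPv4 address rather than a hostname."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or "") is not None

def subject_and_body(raw_message: str) -> tuple:
    """Parse an RFC 822 message and return (subject, concatenated text/plain body)."""
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        body = "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    return msg.get("Subject", ""), body

def score_postcard_lure(raw_message: str) -> dict:
    """Collect the three indicators of this lure; the score is how many are present (assumed rule)."""
    subject, body = subject_and_body(raw_message)
    urls = URL_RE.findall(body)
    found = {
        "lure_subject": bool(LURE_SUBJECT_RE.search(subject)),
        "ip_literal_link": any(is_ip_literal(urlparse(u).hostname) for u in urls),
        "executable_link": any(urlparse(u).path.lower().endswith(EXECUTABLE_EXT) for u in urls),
    }
    return {**found, "urls": urls, "score": sum(found.values())}

if __name__ == "__main__":
    print(score_postcard_lure(SAMPLE_EMAIL))
```

The threshold at which a message is quarantined is the operator's choice; a legitimate greeting-card service will normally trip only the subject indicator.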

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #1 on: June 29, 2007, 09:52:36 PM »
Here's a chance for avast! to grab a sample if they're on the ball: http://forum.avast.com/index.php?topic=29124.msg238646#msg238646
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #2 on: June 29, 2007, 10:07:28 PM »
Just found one in my junk mail folder:

Complete scanning result of "ecard.exe", received in VirusTotal at 06.29.2007, 21:58:27 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.6.30.0   06.29.2007   no virus found
AntiVir   7.4.0.37   06.29.2007   TR/Small.DBY.DB
Authentium   4.93.8   06.29.2007   no virus found
Avast   4.7.997.0   06.29.2007   no virus found
AVG   7.5.0.476   06.29.2007   no virus found
BitDefender   7.2   06.29.2007   no virus found
CAT-QuickHeal   9.00   06.29.2007   (Suspicious) - DNAScan
ClamAV   devel-20070416   06.29.2007   no virus found
DrWeb   4.33   06.29.2007   no virus found
eSafe   7.0.15.0   06.28.2007   Suspicious Trojan/Worm
eTrust-Vet   30.8.3751   06.29.2007   Win32/Sintun
Ewido   4.0   06.29.2007   no virus found
FileAdvisor   1   06.29.2007   no virus found
Fortinet   2.91.0.0   06.29.2007   no virus found
F-Prot   4.3.2.48   06.28.2007   no virus found
F-Secure   6.70.13030.0   06.29.2007   Virus.Win32.KME
Ikarus   T3.1.1.8   06.29.2007   no virus found
Kaspersky   4.0.2.24   06.29.2007   Virus.Win32.KME
McAfee   5064   06.29.2007   no virus found
Microsoft   1.2701   06.29.2007   no virus found
NOD32v2   2364   06.29.2007   no virus found
Norman   5.80.02   06.29.2007   Tibs.gen108
Panda   9.0.0.4   06.29.2007   no virus found
Sophos   4.19.0   06.28.2007   Mal/Dorf-A
Sunbelt   2.2.907.0   06.28.2007   no virus found
Symantec   10   06.29.2007   no virus found
TheHacker   6.1.6.140   06.28.2007   no virus found
VBA32   3.12.0.2   06.28.2007   no virus found
VirusBuster   4.3.23:9   06.29.2007   no virus found
Webwasher-Gateway   6.0.1   06.29.2007   Trojan.Small.DBY.DB

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: E-mail postcard infects computers!
« Reply #3 on: June 29, 2007, 10:22:27 PM »
Quote
Just found one in my junk mail folder

Any remote possibility of submitting this file to Alwil and praying, begging, for them to improve detection? :'(
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #4 on: June 29, 2007, 10:24:39 PM »
Quote
The Storm worm surfaced earlier this year, initially posing as video clips of a European windstorm that killed dozens of people. Computers infected with it were merged into a botnet whose sole purpose appears to be using them to relay junk e-mail. Storm also plants a "rootkit," or set of files designed to hide the malicious software from security programs and prevent its removal.

This month's Mpack attack tool apparently removes a number of rootkits from computers it infects, to make room for its own. Rootkits have a tendency to make infected systems unstable and prone to crashing, and multiple rootkits on a single machine often render the host unusable.

Apparently, the Storm worm folks weren't too happy about this development. They are currently attacking the Web server that Mpack uses to fetch configuration files for spam runs, according to MyNetWatchman, a company that monitors hacking and spamming activity.

http://blog.washingtonpost.com/securityfix/2007/06/spammers_duke_it_out_in_online_1.html

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #5 on: June 29, 2007, 10:26:08 PM »
Quote
Any remote possibility of submitting this file to Alwil and praying, begging, for them to improve detection?

I'm sending it to a number of AV companies: we'll see who adds it and when!  ;)

bslorence

  • Guest
Re: E-mail postcard infects computers!
« Reply #6 on: June 29, 2007, 10:32:21 PM »
Quote
Just found one in my junk mail folder
Any remote possibility of submitting this file to Alwil and praying, begging, for them to improve detection? :'(

Yes, please do. I posted the other thread about this:

http://forum.avast.com/index.php?topic=29124.0

But then stupidly deleted the file -- and from the command-line, so it's not in the Recycle Bin. I also reported the zombie to its ISP's abuse email address, and either the computer is offline now, or the ISP has already handled the situation, because that IP is not accepting web requests any longer, so I can't download the file again.  :-\

Ben

drhayden1

  • Guest
Re: E-mail postcard infects computers!
« Reply #7 on: June 29, 2007, 11:44:48 PM »
Sorry Damian, wrong thread ???
Moderator, could you remove this please ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: E-mail postcard infects computers!
« Reply #8 on: June 30, 2007, 01:26:19 AM »
Quote
I'm sending it to a number of AV companies: we'll see who adds it and when!  ;)

I'm monitoring my own thread also...
http://forum.avast.com/index.php?topic=29073.0

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #9 on: June 30, 2007, 09:19:10 AM »
VirusTotal was behind in the definitions database for avast:

Quote
Hello,

please update your VPS database, detection routine is included in VPS version 752-5, thank you for virus submission.

Best Regards

(This is the first time I've ever got a reply from avast!: bit of a shock!)

Complete scanning result of "ecard.exe", received in VirusTotal at 06.30.2007, 09:08:57 (CET).

Antivirus   Version   Update   Result
AhnLab-V3   2007.6.30.0   06.29.2007   no virus found
AntiVir   7.4.0.37   06.29.2007   TR/Small.DBY.DB
Authentium   4.93.8   06.29.2007   no virus found
Avast   4.7.997.0   06.29.2007   Win32:Tibs-AYT
AVG   7.5.0.476   06.29.2007   no virus found
BitDefender   7.2   06.30.2007   Trojan.Peed.OL
CAT-QuickHeal   9.00   06.29.2007   (Suspicious) - DNAScan
ClamAV   devel-20070416   06.30.2007   Trojan.Small-2871
DrWeb   4.33   06.30.2007   no virus found
eSafe   7.0.15.0   06.30.2007   Suspicious Trojan/Worm
eTrust-Vet   30.8.3752   06.29.2007   Win32/Sintun
Ewido   4.0   06.29.2007   no virus found
FileAdvisor   1   06.30.2007   no virus found
Fortinet   2.91.0.0   06.30.2007   no virus found
F-Prot   4.3.2.48   06.29.2007   no virus found
F-Secure   6.70.13030.0   06.29.2007   Virus.Win32.KME
Ikarus   T3.1.1.8   06.30.2007   Virus.Win32.KME
Kaspersky   4.0.2.24   06.30.2007   Virus.Win32.KME
McAfee   5064   06.29.2007   no virus found
Microsoft   1.2701   06.30.2007   no virus found
NOD32v2   2365   06.30.2007   no virus found
Norman   5.80.02   06.29.2007   Tibs.gen108
Panda   9.0.0.4   06.29.2007   no virus found
Sophos   4.19.0   06.24.2007   no virus found
Sunbelt   2.2.907.0   06.29.2007   no virus found
Symantec   10   06.30.2007   no virus found
TheHacker   6.1.6.140   06.28.2007   no virus found
VBA32   3.12.0.2   06.29.2007   no virus found
VirusBuster   4.3.23:9   06.29.2007   no virus found
Webwasher-Gateway   6.0.1   06.29.2007   Trojan.Small.DBY.DB
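The two VirusTotal listings in this thread (Reply #2 and Reply #9) show how detection of one sample moves over a day, and also that a "lost" detection can be a scanner-side artefact when an engine's signature date goes backwards rather than a vendor dropping the sample. This added example, not part of any post here, parses the plain-text VirusTotal format as pasted above and diffs two scans; the embedded excerpts are five vendors taken from the thread's tables.

```python
import re
from datetime import datetime

NO_DETECTION = "no virus found"
# Excerpts of the two VirusTotal listings quoted in this thread (Reply #2 and #9), five vendors each.
SCAN_BEFORE = """\
Antivirus   Version   Update   Result
Avast   4.7.997.0   06.29.2007   no virus found
BitDefender   7.2   06.29.2007   no virus found
ClamAV   devel-20070416   06.29.2007   no virus found
Kaspersky   4.0.2.24   06.29.2007   Virus.Win32.KME
Sophos   4.19.0   06.28.2007   Mal/Dorf-A
"""
SCAN_AFTER = """\
Antivirus   Version   Update   Result
Avast   4.7.997.0   06.29.2007   Win32:Tibs-AYT
BitDefender   7.2   06.30.2007   Trojan.Peed.OL
ClamAV   devel-20070416   06.30.2007   Trojan.Small-2871
Kaspersky   4.0.2.24   06.30.2007   Virus.Win32.KME
Sophos   4.19.0   06.24.2007   no virus found
"""

def parse_scan(text: str) -> dict:
    """Map vendor -> (engine version, signature date, result); columns are split on 2+ spaces."""
    rows = {}
    for line in text.strip().splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4 or fields[0] == "Antivirus":
            continue  # header line, or a line that did not survive copy-paste intact
        vendor, version, update, result = fields
        rows[vendor] = (version, datetime.strptime(update, "%m.%d.%Y"), result)
    return rows

def detection_count(text: str) -> tuple:
    """(vendors detecting, vendors listed) for one scan."""
    rows = parse_scan(text)
    return sum(r[2] != NO_DETECTION for r in rows.values()), len(rows)

def diff_scans(before_text: str, after_text: str) -> dict:
    """Vendors gaining/losing detection, plus those whose signature date went backwards (stale scanner engine)."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    out = {"added": [], "lost": [], "stale_signatures": []}
    for vendor in sorted(before.keys() & after.keys()):
        was, now = before[vendor][2] != NO_DETECTION, after[vendor][2] != NO_DETECTION
        if now != was:
            out["added" if now else "lost"].append(vendor)
        if after[vendor][1] < before[vendor][1]:
            out["stale_signatures"].append(vendor)
    return out
```

A vendor listed under both "lost" and "stale_signatures" (Sophos in the excerpt) should be re-checked against a current engine before anyone concludes the signature was withdrawn.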

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: E-mail postcard infects computers!
« Reply #10 on: June 30, 2007, 11:39:30 AM »
DrWeb have added the file:

Quote
Your request has been analyzed. New virus record has been added.
Virus: Trojan.Packed.142.

Thank you for the cooperation.

-- Yours sincerely, Virus Monitoring Service Doctor Web Ltd.

Response time: about 12 hours.

ClamAV also detects it now: not sure if that was me; I suspect it was already in the pipeline, as Clam usually takes a few days to add submitted malware.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: E-mail postcard infects computers!
« Reply #11 on: June 30, 2007, 02:42:32 PM »
Quote
(This is the first time I've ever got a reply from avast!: bit of a shock!)

You're luckier than me...
http://forum.avast.com/index.php?topic=29073.msg238806#msg238806

FatalXception

  • Guest
Re: E-mail postcard infects computers!
« Reply #12 on: July 01, 2007, 07:33:55 PM »
Greetings,

Like a fool, I opened the card thinking it was from a gentleman friend! I never did get anything to open. I was directed to another link, an 'if this fails to open' type thing, which only gave a page for a business to use. Nowhere was there a place to insert the numbers it gave for the card.

I use Stop Sign for my antivirus and I have it to scan my computer several times during the day. So the next time I signed on it ran and detected it, then deleted it.

Now, each time my adult children or my male friend email each other, we use "From momma- xxxx".
The xxxx then becomes the content of the email. This way, we do not get 'tricked' into opening up Pandora's Box!

FatalXception   8)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: E-mail postcard infects computers!
« Reply #13 on: July 01, 2007, 11:56:55 PM »
Quote
This way, we do not get 'tricked' into opening up Pandora's Box!

Opening an email, and especially an attached file, from a source that you don't trust and without scanning it with antivirus/antitrojans is living dangerously for sure...

bslorence

  • Guest
Re: E-mail postcard infects computers!
« Reply #14 on: July 02, 2007, 08:26:40 PM »
Quote
Opening an email, and especially an attached file, from a source that you don't trust and without scanning it with antivirus/antitrojans is living dangerously for sure...

Yes, but unfortunately a lot of people don't realize that. Two of my 25+ users have admitted to falling for this one, and I wonder how many haven't admitted it.

I have a catch-all set up on my network's mail server, so I get all of the bounces when spambots send email from fake addresses @<mydomain> to other fake addresses at other domains. I have over 650 new messages in the catch-all mailbox since the weekend -- normally I get a few dozen at the most. So I guess a lot of people are living dangerously...   :-\