E-mail postcard infects computers!

Hi malware fighters,

Electronic postcards make your computer into a zombie.
This e-mail drops in your inbox as “You’ve received a postcard from a family member!”, and has a link to an IP address that uses JavaScript and various exploits as malware vectors. When JavaScript is disabled, the user is shown a handy hyperlink so he can infect himself.

To minimize distrust, the website shows a message that says it is all about testing a new browser feature, and that when you cannot see the postcard, you should open the link to the executable. Yesterday the malware was only detected by three AV products. To infect websites automatically, the website uses QuickTime, WinZip & WebViewFolderIcon exploits.

On infection, the zombie is used to send new infected postcard mails and to host the malware. ISC came with the following analysis: http://isc.sans.org/diary.php?storyid=3063

polonus

Here’s a chance for avast! to grab a sample if they’re on the ball: http://forum.avast.com/index.php?topic=29124.msg238646#msg238646
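A mail-side check for the lure described above (postcard subject line, links pointing at a bare IP address, and a fallback link to an .exe), as an added example that is not part of the original thread. The sample messages, addresses and indicator names are constructed for illustration; the 203.0.113.x addresses are documentation-only ranges.

```python
import re
from email import message_from_string
from email.policy import default

# Link whose host is a bare IPv4 address rather than a hostname
BARE_IP_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:?\s]|$)", re.I)
# Link whose path ends in an executable
EXE_LINK = re.compile(r"https?://\S+\.exe\b", re.I)


def classify(raw_message: str) -> list:
    """Return the sorted list of lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message, policy=default)
    subject = (msg["subject"] or "").lower().replace("\u2019", "'")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    found = set()
    if "received a postcard" in subject:
        found.add("postcard-lure-subject")
    if BARE_IP_LINK.search(body):
        found.add("bare-ip-link")
    if EXE_LINK.search(body):
        found.add("exe-download-link")
    return sorted(found)


# Constructed sample resembling the lure (not a real captured message)
LURE_SAMPLE = """From: postcards@example.net
To: someone@example.org
Subject: You've received a postcard from a family member!

A family member has sent you a postcard. View it at http://203.0.113.10/?ecard
If the card does not display, download http://203.0.113.10/ecard.exe and run it.
"""

# Constructed benign message for comparison
BENIGN_SAMPLE = """From: news@example.com
To: someone@example.org
Subject: Weekly newsletter

This week's articles are at https://www.example.com/newsletter/latest
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, classify(sample))
```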

Just found one in my junk mail folder:

Complete scanning result of “ecard.exe”, received in VirusTotal at 06.29.2007, 21:58:27 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 06.29.2007 TR/Small.DBY.DB
Authentium 4.93.8 06.29.2007 no virus found
Avast 4.7.997.0 06.29.2007 no virus found
AVG 7.5.0.476 06.29.2007 no virus found
BitDefender 7.2 06.29.2007 no virus found
CAT-QuickHeal 9.00 06.29.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.29.2007 no virus found
DrWeb 4.33 06.29.2007 no virus found
eSafe 7.0.15.0 06.28.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3751 06.29.2007 Win32/Sintun
Ewido 4.0 06.29.2007 no virus found
FileAdvisor 1 06.29.2007 no virus found
Fortinet 2.91.0.0 06.29.2007 no virus found
F-Prot 4.3.2.48 06.28.2007 no virus found
F-Secure 6.70.13030.0 06.29.2007 Virus.Win32.KME
Ikarus T3.1.1.8 06.29.2007 no virus found
Kaspersky 4.0.2.24 06.29.2007 Virus.Win32.KME
McAfee 5064 06.29.2007 no virus found
Microsoft 1.2701 06.29.2007 no virus found
NOD32v2 2364 06.29.2007 no virus found
Norman 5.80.02 06.29.2007 Tibs.gen108
Panda 9.0.0.4 06.29.2007 no virus found
Sophos 4.19.0 06.28.2007 Mal/Dorf-A
Sunbelt 2.2.907.0 06.28.2007 no virus found
Symantec 10 06.29.2007 no virus found
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 06.28.2007 no virus found
VirusBuster 4.3.23:9 06.29.2007 no virus found
Webwasher-Gateway 6.0.1 06.29.2007 Trojan.Small.DBY.DB

Any remote possibility of submitting this file to Alwil and praying, begging, for them to improve detection? :cry:

The Storm worm surfaced earlier this year, initially posing as video clips of a European windstorm that killed dozens of people. Computers infected with it were merged into a botnet whose sole purpose appears to be using them to relay junk e-mail. Storm also plants a "rootkit," or set of files designed to hide the malicious software from security programs and prevent its removal.

This month’s Mpack attack tool apparently removes a number of rootkits from computers it infects, to make room for its own. Rootkits have a tendency to make infected systems unstable and prone to crashing, and multiple rootkits on a single machine often render the host unusable.

Apparently, the Storm worm folks weren’t too happy about this development. They are currently attacking the Web server that Mpack uses to fetch configuration files for spam runs, according to MyNetWatchman, a company that monitors hacking and spamming activity.

http://blog.washingtonpost.com/securityfix/2007/06/spammers_duke_it_out_in_online_1.html

Any remote possibility of submitting this file to Alwil and praying, begging, for them to improve detection?

I’m sending it to a number of AV companies: we’ll see who adds it and when! :wink:

Yes, please do. I posted the other thread about this:

http://forum.avast.com/index.php?topic=29124.0

But then stupidly deleted the file – and from the command-line, so it’s not in the Recycle Bin. I also reported the zombie to its ISP’s abuse email address, and either the computer is offline now, or the ISP has already handled the situation, because that IP is not accepting web requests any longer, so I can’t download the file again. :-\

Ben

Sorry Damian, wrong thread ???
Moderator, could you remove this please ;D

I’m monitoring my own thread also…
http://forum.avast.com/index.php?topic=29073.0

VirusTotal was behind in the definitions database for avast:

Hello,

please update your VPS database, detection routine is included in VPS version 752-5, thank you for virus submission.

Best Regards

(This is the first time I’ve ever got a reply from avast!: bit of a shock!)

Complete scanning result of “ecard.exe”, received in VirusTotal at 06.30.2007, 09:08:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 06.29.2007 TR/Small.DBY.DB
Authentium 4.93.8 06.29.2007 no virus found
Avast 4.7.997.0 06.29.2007 Win32:Tibs-AYT
AVG 7.5.0.476 06.29.2007 no virus found
BitDefender 7.2 06.30.2007 Trojan.Peed.OL
CAT-QuickHeal 9.00 06.29.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 06.30.2007 Trojan.Small-2871
DrWeb 4.33 06.30.2007 no virus found
eSafe 7.0.15.0 06.30.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3752 06.29.2007 Win32/Sintun
Ewido 4.0 06.29.2007 no virus found
FileAdvisor 1 06.30.2007 no virus found
Fortinet 2.91.0.0 06.30.2007 no virus found
F-Prot 4.3.2.48 06.29.2007 no virus found
F-Secure 6.70.13030.0 06.29.2007 Virus.Win32.KME
Ikarus T3.1.1.8 06.30.2007 Virus.Win32.KME
Kaspersky 4.0.2.24 06.30.2007 Virus.Win32.KME
McAfee 5064 06.29.2007 no virus found
Microsoft 1.2701 06.30.2007 no virus found
NOD32v2 2365 06.30.2007 no virus found
Norman 5.80.02 06.29.2007 Tibs.gen108
Panda 9.0.0.4 06.29.2007 no virus found
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.29.2007 no virus found
Symantec 10 06.30.2007 no virus found
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 06.29.2007 no virus found
VirusBuster 4.3.23:9 06.29.2007 no virus found
Webwasher-Gateway 6.0.1 06.29.2007 Trojan.Small.DBY.DB

DrWeb have added the file:

Your request has been analyzed. New virus record has been added. Virus: Trojan.Packed.142.

Thank you for the cooperation.

– Yours sincerely, Virus Monitoring Service Doctor Web Ltd.

Response time: about 12 hours.

ClamAV also detects it now: not sure if that was me - I suspect it was already in the pipeline, as Clam usually takes a few days to add submitted malware.

You’re luckier than me…
http://forum.avast.com/index.php?topic=29073.msg238806#msg238806

Greetings,

Like a fool, I opened the card thinking it was from a gentleman friend! I never did get anything to open. I was directed to another link ‘if this fails to open’ type thing which only gave a page for a business to use. Nowhere was there a place to insert the numbers it gave for the card.

I use Stop Sign for my antivirus and I have it to scan my computer several times during the day. So the next time I signed on it ran and detected it, then deleted it.

Now, each time my adult children or my male friend email each other, we use “From momma - xxxx”.
The xxxx then becomes the content of the email. This way, we do not get ‘tricked’ into opening up Pandora’s Box!

FatalXception 8)

Opening an email, and especially an attached file, from a source that you don’t trust and without scanning it with antivirus/antitrojans is living dangerously for sure…

Yes, but unfortunately a lot of people don’t realize that. Two of my 25+ users have admitted to falling for this one, and I wonder how many haven’t admitted it.

I have a catch-all set up on my network’s mail server, so I get all of the bounces when spambots send email from fake addresses @ to other fake addresses at other domains. I have over 650 new messages in the catch-all mailbox since the weekend – normally I get a few dozen at the most. So I guess a lot of people are living dangerously… :-\

Which brings up another question… will Avast detect the malware that this “postcard” installs?

We are living dangerously if avast does not improve detection :cry:

Indeed… I just got another postcard email, and so I downloaded the file ecard.exe again (using Lynx) and scanned it with Avast, and it didn’t detect anything. I’ll send it off to virus@avast.com, but it sounds like there may not be much use in that? I am a paying customer using ADNM to protect a corporate network, so perhaps if I open a support ticket I will get some attention…

But there is no need to post the same thing three times… it just makes the effort of helping, for us avast users, even more difficult :-\

I’ve e-mailed this one twice to AVG and they have failed to respond.

AVG is blowing hot and cold at the moment: sometimes they add submitted malware in a few hours, sometimes like avast! they never add it. ???

I came across AntiVir’s submission system yesterday, which is excellent:

http://analysis.avira.com/samples/index.php

You get an instant automatic reply with the address of a web page where you can track your submission. A couple of samples added yesterday were added within a couple of hours.