Tuesday, July 03, 2007

4th of July ecard malware

The 'ecard' spam wave has been updated with 4th of July-themed subjects:
  • Subject: 4th Of July Celebration
  • Subject: America the Beautiful
  • Subject: America's 231st Birthday
  • Subject: American Pride, On The 4th
  • Subject: Americas B-Day
  • Subject: Celebrate Your Nation
  • Subject: Celebrate Your Independence
  • Subject: Fireworks on The 4th
  • Subject: Fourth of July Party
  • Subject: God Bless America
  • Subject: Happy 4th of July
  • Subject: Happy B-Day USA
  • Subject: Happy Birthday America
  • Subject: Happy Fourth of July
  • Subject: Independence Day At The Park
  • Subject: Independence Day Celebration
  • Subject: Independence Day Party
  • Subject: July 4th B-B-Q Party
  • Subject: July 4th Family Day
  • Subject: July 4th Fireworks Show
  • Subject: Your Nations Birthday
The Internet Storm Center has a writeup.

The malware is the same as in the last wave. The index.html file contains an obfuscated, hex-encoded payload. The current ecard.exe (the executable is updated frequently in order to evade virus scanners) scans as 'TR/Small.DBY.DB' by Avira.

Here's a sample email body:
-----------------------------------------------------------------------
Hi. Family member has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http://XX.162.62.131/?32c3a9ebeed435601e5ee7

Or copy and paste it into your browser's "Location" box (where Internet addresses go).

PRIVACY
Postcard.com honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

TERMS OF USE
By accessing your card you agree we have no liability.
If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Postmaster,
Postcard.com
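
A mail-triage check for this wave, as an added example that is not part of the original post: it reports whether the subject is one of those listed above and whether the body holds a link shaped like the sample's (IP-literal host, root path, hex-only query). The function names, the 16-character minimum token length and the 192.0.2.131 stand-in host are assumptions.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlsplit

# Subjects listed in the post, lower-cased for comparison.
WAVE_SUBJECTS = {s.lower() for s in (
    "4th Of July Celebration", "America the Beautiful", "America's 231st Birthday",
    "American Pride, On The 4th", "Americas B-Day", "Celebrate Your Nation",
    "Celebrate Your Independence", "Fireworks on The 4th", "Fourth of July Party",
    "God Bless America", "Happy 4th of July", "Happy B-Day USA",
    "Happy Birthday America", "Happy Fourth of July", "Independence Day At The Park",
    "Independence Day Celebration", "Independence Day Party", "July 4th B-B-Q Party",
    "July 4th Family Day", "July 4th Fireworks Show", "Your Nations Birthday")}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HEX_QUERY = re.compile(r"[0-9a-f]{16,}", re.I)  # assumption: minimum token length

def lure_links(body):
    """URLs shaped like the sample link: IP-literal host, root path, hex-only query."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url.rstrip(".,)"))
            ip_address(parts.hostname or "")
        except ValueError:
            continue  # malformed URL, or the host is a name rather than an IP
        if parts.path in ("", "/") and HEX_QUERY.fullmatch(parts.query):
            hits.append(parts.geturl())
    return hits

def triage(raw_message):
    """Return (subject_matches_wave, lure_links) for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    body = "\n".join(part.get_payload(decode=True).decode("utf-8", "replace")
                     for part in msg.walk() if part.get_content_maintype() == "text")
    return subject in WAVE_SUBJECTS, lure_links(body)

# Constructed samples: 192.0.2.131 is a documentation address standing in for the
# redacted host; the query token is the one from the sample email in the post.
SAMPLE = ("Subject: Happy 4th of July\n\n"
          "Hi. Family member has sent you a greeting ecard.\n"
          "http://192.0.2.131/?32c3a9ebeed435601e5ee7\n")
BENIGN = ("Subject: Happy 4th of July\n\n"
          "Photos from the party: http://www.example.com/album?id=42\n")

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, triage(raw))
```

The subject alone also matches ordinary holiday mail, as the second sample shows, so the link shape is the stronger signal and the two are best combined.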
