Sunday, July 08, 2007

'Ecard' spams are now showing 'abnormal activity'

The 'Ecard' spams have now switched over to 'abnormal activity' spams. Here's a summary of the subject lines:
  • Subject: ATTN!
  • Subject: Alert!
  • Subject: Malware Alert
  • Subject: Spyware Alert!
  • Subject: Spyware Detected!
  • Subject: Trojan Alert!
  • Subject: Trojan Detected!
  • Subject: Virus Activity Detected!
  • Subject: Warning!
  • Subject: Worm Activity Detected!
  • Subject: Worm Alert!
  • Subject: Worm Detected!
Here's an example body:
Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install http://XX.71.238.156/?7c634591933434671c16a2e59b1283bd17061a8 to remove worm files and stop email sending, otherwise your account will be blocked.

Customer Support

The exe on the linked site is now called 'patch.exe,' which is identified as 'Trojan horse TR/Small.DBY.DB' by Avira.

Tuesday, July 03, 2007

4th of July ecard malware

The 'ecard' spam wave has been updated with 4th of July-themed subjects:
  • Subject: 4th Of July Celebration
  • Subject: America the Beautiful
  • Subject: America's 231st Birthday
  • Subject: American Pride, On The 4th
  • Subject: Americas B-Day
  • Subject: Celebrate Your Nation
  • Subject: Celebrate Your Independence
  • Subject: Fireworks on The 4th
  • Subject: Fourth of July Party
  • Subject: God Bless America
  • Subject: Happy 4th of July
  • Subject: Happy B-Day USA
  • Subject: Happy Birthday America
  • Subject: Happy Fourth of July
  • Subject: Independence Day At The Park
  • Subject: Independence Day Celebration
  • Subject: Independence Day Party
  • Subject: July 4th B-B-Q Party
  • Subject: July 4th Family Day
  • Subject: July 4th Fireworks Show
  • Subject: Your Nations Birthday
The Internet Storm Center has a writeup.

The malware is the same as the last wave. The index.html file contains an obfuscated hex-encoded payload. The current ecard.exe (the executable is updated frequently to evade virus scanners) scans as 'TR/Small.DBY.DB' by Avira.

Here's a sample email body:
Hi. Family member has sent you a greeting ecard.
See your card as often as you wish during the next 15 days.


If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:


Or copy and paste it into your browser's "Location" box (where Internet addresses go).

PRIVACY honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

By accessing your card you agree we have no liability.
If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
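As an added example (not code from either post above), here is a small Python classifier that applies the subject lines listed in both entries, plus the bare-IP download link with a long hex query seen in the 'abnormal activity' body, to raw messages. The 30-hex-digit threshold and the sample messages (TEST-NET address, made-up hex) are constructed assumptions.

```python
import re
from email import message_from_string
from typing import Optional

# Subject lines quoted in the two posts above.
ABNORMAL_SUBJECTS = {
    "ATTN!", "Alert!", "Malware Alert", "Spyware Alert!", "Spyware Detected!",
    "Trojan Alert!", "Trojan Detected!", "Virus Activity Detected!", "Warning!",
    "Worm Activity Detected!", "Worm Alert!", "Worm Detected!",
}
JULY4_SUBJECTS = {
    "4th Of July Celebration", "America the Beautiful", "America's 231st Birthday",
    "American Pride, On The 4th", "Americas B-Day", "Celebrate Your Nation",
    "Celebrate Your Independence", "Fireworks on The 4th", "Fourth of July Party",
    "God Bless America", "Happy 4th of July", "Happy B-Day USA",
    "Happy Birthday America", "Happy Fourth of July", "Independence Day At The Park",
    "Independence Day Celebration", "Independence Day Party", "July 4th B-B-Q Party",
    "July 4th Family Day", "July 4th Fireworks Show", "Your Nations Birthday",
}
# Lure URL shape from the "abnormal activity" body: a bare IP literal (no hostname)
# followed by a long hex query string. The 30-digit minimum is an assumption.
IP_HEX_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/\?[0-9a-f]{30,}", re.I)


def classify(raw: str) -> Optional[str]:
    """Return a campaign label for a raw RFC 822 message, or None if no rule fires."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").strip()
    body = msg.get_payload() if not msg.is_multipart() else ""
    low = body.lower()
    if subject in ABNORMAL_SUBJECTS and ("abnormal activity" in low or IP_HEX_URL.search(body)):
        return "abnormal-activity"
    if subject in JULY4_SUBJECTS and "ecard" in low:
        return "ecard-july4"
    if IP_HEX_URL.search(body):
        # Bare-IP download link with hex query: flag even under a subject not in the lists.
        return "ip-hex-url"
    return None


# Constructed sample messages (TEST-NET address, made-up hex), not taken from the posts.
SAMPLE_ABNORMAL = (
    "Subject: Worm Alert!\n\nOur robot has detected an abnormal activity from your IP adress.\n"
    "Install http://203.0.113.156/?0123456789abcdef0123456789abcdef0123456 now.\n"
)
SAMPLE_ECARD = "Subject: Happy 4th of July\n\nHi. Family member has sent you a greeting ecard.\n"
SAMPLE_BENIGN = "Subject: Lunch on Friday?\n\nSee you at noon.\n"
```

Subject matching is exact, so a production rule would normalise whitespace and case and pair it with the URL check rather than rely on either alone.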