I am not a sentimental person.
When I receive a greeting card, I offer a big smile and give many thanks…and then immediately wonder if there’s any cash inside.
Best card I ever got was on my wedding day. All it said inside was:
“I hope the color and size is right,” and out fell a $50 bill.
I really didn’t even like the guy who gave it to us, but it meant a lot more than the 400 other wordy cards. Yes, call me shallow.
But there seems to be no shortage of sentimentalism flying around the Web in the form of electronic greeting cards. Over the past 6 years, however, e-cards have been a channel used to carry various viruses and worms. Here’s a new one to add to the list:
Once the .zip is opened, the virus installs a micro SMTP client and then harvests all the e-mail addresses stored on that local machine. It then sends the same e-mail to every harvested address, thus spreading the cheer…
WHAT TO LOOK FOR:
When the Trojan is downloaded, it will create the following files on the PC:
(Windows TEMP folder)qoMcdExV.bat
(Windows System folder)cbXQiFwT.dll
(Windows System folder)javale.exe
(Windows System folder)javame1.1.exe
(Windows System folder)javase1.1.exe
Keep an eye on your task manager and look for the above running processes.
Besides installing those processes, the Trojan makes a registry edit that opens TCP ports 1033, 1035, 1062 through 1065 and 1118 through 1120. These ports are then used by the javale.exe process, which connects out over them to look up the following host names:
mail.[user’s domain]
[user’s email address]
mx.[user’s domain]
smtp.domain.com
smtp.[user’s domain]
mx1.[user’s domain]
mxs.[user’s domain]
mail1.[user’s domain]
relay.[user’s domain]
126.96.36.199
The process also tries to create connections to the following remote hosts:
188.8.131.52 – port 43
americangreetings.com – port 1049
There will also be a connection to the following domain to download .css, .js and .gif files for the body content of the e-card.
ak.imgag.com – port 80
Already, I’ve heard reports from Jim, our pre-sales tech, that customers are looking for ways to detect this virus on their networks.
Fortunately, Scrutinizer has a custom report engine to help find viruses like this.
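To show what that network-side detection looks like in practice, here is an added example written for this page (it is not Scrutinizer's report engine and not code from the original post): a small Python script that replays constructed NetFlow-style and DNS log records against the indicators listed above. The record formats, the sample data, the addresses 10.0.0.7 and 10.0.0.9, and the three-domain threshold for mail-host lookups are all assumptions.

```python
# Added example: flag hosts whose flow and DNS records match the e-card Trojan's
# network behaviour. Record formats, sample data and thresholds are assumptions.
from collections import defaultdict

# Indicators from the post: local TCP ports opened by the registry edit, remote
# endpoints contacted by javale.exe, and the mail-host name prefixes it resolves.
# The ak.imgag.com port-80 fetch is left out: ordinary e-card viewing can produce
# it too, so on its own it is assumed to be too weak a signal.
LOCAL_PORTS = {1033, 1035, *range(1062, 1066), *range(1118, 1121)}
REMOTE_ENDPOINTS = {("188.8.131.52", 43), ("americangreetings.com", 1049)}
MAIL_PREFIXES = ("mail.", "mail1.", "mx.", "mx1.", "mxs.", "smtp.", "relay.")
MAIL_DOMAIN_THRESHOLD = 3  # assumed: a workstation rarely resolves mail hosts for 3+ domains

def parse_record(line):
    """Constructed formats: 'flow,src,sport,dst,dport,proto' or 'dns,src,qname'."""
    fields = line.strip().split(",")
    if fields[0] == "flow":
        _, src, sport, dst, dport, proto = fields
        return {"kind": "flow", "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto}
    if fields[0] == "dns":
        _, src, qname = fields
        return {"kind": "dns", "src": src, "qname": qname.lower()}
    raise ValueError(f"unknown record: {line!r}")

def find_infected_hosts(lines):
    """Return {host: sorted reasons} for hosts matching the Trojan's behaviour."""
    reasons = defaultdict(set)
    mail_domains = defaultdict(set)  # host -> domains it resolved mail hosts for
    for line in lines:
        r = parse_record(line)
        if r["kind"] == "flow":
            if (r["dst"], r["dport"]) in REMOTE_ENDPOINTS:
                reasons[r["src"]].add(f"contacted {r['dst']}:{r['dport']}")
            if r["proto"] == "tcp" and r["sport"] in LOCAL_PORTS:
                reasons[r["src"]].add(f"used local port {r['sport']}")
        else:
            prefix = next((p for p in MAIL_PREFIXES if r["qname"].startswith(p)), None)
            if prefix:
                mail_domains[r["src"]].add(r["qname"][len(prefix):])
    # Harvested-address spreading shows up as mail-host lookups across many domains.
    for host, domains in mail_domains.items():
        if len(domains) >= MAIL_DOMAIN_THRESHOLD:
            reasons[host].add(f"resolved mail hosts for {len(domains)} domains")
    return {host: sorted(rs) for host, rs in reasons.items()}

# Constructed sample: 10.0.0.7 shows all three behaviours, 10.0.0.9 is a normal client.
SAMPLE_RECORDS = [
    "flow,10.0.0.7,1062,188.8.131.52,43,tcp",
    "flow,10.0.0.7,1063,americangreetings.com,1049,tcp",
    "dns,10.0.0.7,mx.example.org",
    "dns,10.0.0.7,smtp.example.net",
    "dns,10.0.0.7,mail.example.com",
    "dns,10.0.0.9,mail.example.com",
    "flow,10.0.0.9,51234,ak.imgag.com,80,tcp",
]

if __name__ == "__main__":
    for host, why in find_infected_hosts(SAMPLE_RECORDS).items():
        print(host, "->", "; ".join(why))
```

A real deployment would feed exported flow records and resolver logs in place of the constructed list; the thresholds should be tuned against what mail servers and relays on the network legitimately do.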
Moral of this story: e-cards don’t have money, so don’t open them.