I am not a sentimental person.

When I receive a greeting card, I offer a big smile and give many thanks…and then immediately wonder if there’s any cash inside.

Best card I ever got was on my wedding day. All it said inside was:
“I hope the color and size is right.” and out fell a $50 bill.

I really didn’t even like the guy who gave it to us, but it meant a lot more than the 400 other wordy cards. Yes, call me shallow.

But there seems to be no shortage of sentimentalism flying around the Web in the form of electronic greeting cards. Over the past 6 years, however, e-cards have been a channel used to carry various viruses and worms. Here’s a new one to add to the list:

Trojan.Win32.Buzus

This virus propagates when a person opens a .zip file called either “e-card.zip” or “postcard.zip” that is attached to an e-card sent from [email protected] or [email protected]

Once the .zip is opened, the virus installs a micro SMTP client and then harvests all the e-mail addresses stored on the local machine. It then sends the same e-mail to every harvested address, thus spreading the cheer…

WHAT TO LOOK FOR:

When the Trojan is downloaded, it creates the following files on the PC:

(Windows TEMP folder)\qoMcdExV.bat
(Windows System folder)\cbXQiFwT.dll
(Windows System folder)\javale.exe
(Windows System folder)\javame1.1.exe
(Windows System folder)\javase1.1.exe

Keep an eye on Task Manager and look for the executables listed above running as processes.
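As an added example (not code from the original post or from Plixer), here is a small host-side check that looks for the dropped file names and the running process names the post lists. The page says only “Windows System folder”, so the default System32 path and the use of `tasklist`/`ps` to enumerate processes are my assumptions; the matching functions take plain lists so they can be pointed at any directory listing or process list.

```python
import os
import subprocess
import sys

# File names the post says the trojan drops, keyed by the folder they land in.
DROPPED_FILES = {
    "temp": ["qoMcdExV.bat"],
    "system": ["cbXQiFwT.dll", "javale.exe", "javame1.1.exe", "javase1.1.exe"],
}

# The executables among the dropped files: these are what to look for in Task Manager.
SUSPECT_PROCESSES = {"javale.exe", "javame1.1.exe", "javase1.1.exe"}


def match_dropped_names(names, folder):
    """Return the indicator file names for `folder` that appear in `names` (case-insensitive)."""
    wanted = {n.lower() for n in DROPPED_FILES[folder]}
    return sorted(n for n in names if n.lower() in wanted)


def find_dropped_files(temp_dir, system_dir):
    """Look in both folders on disk; returns full paths of any indicator files present."""
    found = []
    for folder, directory in (("temp", temp_dir), ("system", system_dir)):
        try:
            present = os.listdir(directory)
        except OSError:
            continue  # folder missing or unreadable: nothing to report for it
        found.extend(os.path.join(directory, n) for n in match_dropped_names(present, folder))
    return found


def match_processes(process_names):
    """Return the suspect image names found in a list of running process names."""
    return sorted({p for p in process_names if p.lower() in SUSPECT_PROCESSES})


def running_process_names():
    """Collect image names from tasklist (Windows) or ps (POSIX). Assumed tooling, not from the post."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True).stdout
        # Each CSV row starts with the quoted image name.
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    # Assumption: the "Windows System folder" is %SystemRoot%\System32.
    temp_dir = os.environ.get("TEMP", "/tmp")
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for path in find_dropped_files(temp_dir, system_dir):
        print("indicator file present:", path)
    for name in match_processes(running_process_names()):
        print("indicator process running:", name)
```

Matching is case-insensitive because Windows file and process names are; a hit on any of these names is worth pulling the machine off the network and looking at the registry and open ports the post describes next.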

Not only are those files installed; there is also a registry edit that opens TCP ports 1033, 1035, 1062 through 1065 and 1118 through 1120. These ports are then used by the javale.exe process, which looks up the following host names:

www.whatismyip.com
mail.[user’s domain]
[user’s email address]
mx.[user’s domain]
smtp.domain.com
smtp.[user’s domain]
mx1.[user’s domain]
mxs.[user’s domain]
mail1.[user’s domain]
relay.[user’s domain]
206.137.17.89
americangreetings.com

The process also tries to create connections to the following remote hosts:

206.137.17.89 – port 43
americangreetings.com – port 1049

There will also be a connection to the following domain to download the .css, .js and .gif files that make up the body content of the e-card.

ak.imgag.com – port 80

Already, I’ve heard reports from Jim, our pre-sales tech, that customers are looking for ways to detect this virus on their networks.

Fortunately, Scrutinizer has a custom report engine to help find viruses like this.

Scrutinizer custom report rules for watching port 43
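The network indicators above (the connection to 206.137.17.89 on port 43, the port 1049 connection, and the micro SMTP client mailing every harvested address) are what a flow-based report like the Scrutinizer rule in the screenshot is built around. As an added example, not code from the post or from Plixer's product, the script below runs those same rules over a few constructed NetFlow-style records in CSV form. The IP 206.137.17.89 and ports 43 and 1049 come from the post; the sample flows, the CSV layout and the SMTP fan-out threshold are my own constructions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (a NetFlow export flattened to CSV); not real traffic.
# 10.1.2.15 plays the infected PC: one WHOIS-port flow to the post's IP, one port 1049
# flow, and a burst of SMTP sessions from its built-in mailer. The other hosts are clean.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,bytes
10.1.2.15,206.137.17.89,tcp,1033,43,312
10.1.2.15,198.51.100.7,tcp,1062,1049,5120
10.1.2.15,192.0.2.10,tcp,1118,25,2200
10.1.2.15,192.0.2.11,tcp,1119,25,2180
10.1.2.15,192.0.2.12,tcp,1120,25,2210
10.1.2.15,192.0.2.13,tcp,1063,25,2190
10.1.2.15,192.0.2.14,tcp,1064,25,2205
10.1.2.15,192.0.2.15,tcp,1065,25,2190
10.1.2.20,203.0.113.5,tcp,49152,443,8800
10.1.2.30,10.1.2.1,udp,53214,53,90
"""

KNOWN_HOST_IP = "206.137.17.89"  # remote host named in the post
WHOIS_PORT = 43                  # the port the post's Scrutinizer report watches
ECARD_PORT = 1049                # port the post says is used toward americangreetings.com
SMTP_FANOUT_THRESHOLD = 5        # constructed: distinct SMTP peers from one workstation


def parse_flows(text):
    """Parse CSV flow records into dicts with integer port and byte fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def per_flow_alerts(flows):
    """Apply the single-flow rules; returns (rule, src_ip, dst_ip, dst_port) tuples."""
    alerts = []
    for f in flows:
        tcp = f["proto"] == "tcp"
        if f["dst_ip"] == KNOWN_HOST_IP:
            alerts.append(("known-host", f["src_ip"], f["dst_ip"], f["dst_port"]))
        if tcp and f["dst_port"] == WHOIS_PORT:
            alerts.append(("whois-port-43", f["src_ip"], f["dst_ip"], f["dst_port"]))
        if tcp and f["dst_port"] == ECARD_PORT:
            alerts.append(("port-1049", f["src_ip"], f["dst_ip"], f["dst_port"]))
    return alerts


def smtp_fanout_alerts(flows, threshold=SMTP_FANOUT_THRESHOLD):
    """Flag sources talking SMTP to many distinct hosts, the footprint of a self-mailing worm."""
    peers = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dst_port"] == 25:
            peers[f["src_ip"]].add(f["dst_ip"])
    return [(src, len(p)) for src, p in sorted(peers.items()) if len(p) >= threshold]


def suspect_hosts(flows):
    """Union of every internal source that tripped any rule."""
    hosts = {a[1] for a in per_flow_alerts(flows)}
    hosts |= {src for src, _ in smtp_fanout_alerts(flows)}
    return sorted(hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in per_flow_alerts(flows):
        print("alert:", alert)
    for src, n in smtp_fanout_alerts(flows):
        print(f"smtp fan-out: {src} reached {n} distinct mail servers")
    print("suspect hosts:", suspect_hosts(flows))
```

Port 43 is a good key for the report because ordinary workstations almost never run WHOIS lookups, so even one flow stands out; the SMTP fan-out rule catches the spreading behaviour itself and does not depend on the remote IP staying the same. The host-name list in the post is less useful as a network signature, since most of the entries are the victim's own mail and MX records and are queried by legitimate mail clients too.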

Moral of this story: e-cards don’t have money, so don’t open them.



Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.
