MyCERT Advisories, Alerts and Summaries for the year 2007

MA-115.072007: MyCERT Special Alert - Malicious Ecard Trojan Email

Original Issue Date: 3rd July 2007

Introduction

MyCERT has received reports of malicious emails circulating since the weekend. The emails lure users into clicking URLs that supposedly display an ecard; the links instead redirect to malware sites, and malware is installed on vulnerable systems. The malware is capable of stealing personal information from infected machines.

At the time of writing, this executable Trojan is not well detected by anti-virus software. The Trojan uses a kit similar to the "MPACK" malware hosting kit used in recent attacks in Europe.

Affected Products

The malware exploits vulnerabilities in the following browsers and ActiveX controls:

  1. IE
  2. Mozilla Firefox
  3. Opera
  4. WinZip ActiveX control
  5. QuickTime ActiveX control

Payload

Once the malware/trojan is downloaded onto a victim's machine, it is capable of stealing confidential information from the infected computer.

Sample Email

The Trojan emails use subject lines with one of the following variations, as shown in the two samples below:

---------Sample 1----------
Date: Mon, 2 Jul 2007 01:01:13 +0300
From: 2000Greetings.Com
To: xx
Subject: You've received a greeting ecard from a neighbour!

Good day.

Your neighbour has sent you a greeting ecard from 2000Greetings.Com.

Send free ecards from 2000Greetings.Com with your choice of colors, words
and music.

Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://xx.xx.xx.xx/?ab65e8517a32e6b9ea6878b15

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://xx.xx.xx.xx/

Your ecard number is
ab65e8517a32e6b9ea6878b15

Best wishes,
Mail Delivery System,
2000Greetings.Com

------------------------------------

-----------Sample 2--------------
Date: Sat, 30 Jun 2007 21:55:15 -0500
From: 1LoveCards.Com
To: xx
Subject: You've received a postcard from a friend!


Good day.


Your friend has sent you a postcard from 1LoveCards.Com.

Send free ecards from 1LoveCards.Com with your choice of colors, words and
music.

Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://xx.xx.xx.xx/?0a47ec5b6e92ded5e559ae0855a16e2a1

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://xx.xx.xx.xx/

Your ecard number is
0a47ec5b6e92ded5e559ae0855a16e2a1

Best wishes,
Webmaster,
1LoveCards.Com

---------------------------------------
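As an added illustration (not part of the MyCERT advisory), here is a small Python filter that flags messages carrying the traits common to both samples above: an ecard-greeting subject line, a link whose host is a bare IP address, and a long hexadecimal "ecard number" in the body. The two test messages are constructed (documentation IP range, made-up token), not the original lure emails.

```python
import re
from email import message_from_string
from ipaddress import ip_address
from urllib.parse import urlparse

# Both samples use "You've received a <card type> from a <relation>!" as the subject,
# and the "ecard number" is a long hex blob used as the URL query and repeated in the body.
LURE_SUBJECT = re.compile(r"received a (greeting )?(ecard|postcard|card)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HEX_TOKEN = re.compile(r"^[0-9a-f]{20,}$", re.I)
HEX_NUMBER_LINE = re.compile(r"ecard number is\s+[0-9a-f]{20,}", re.I)

def is_bare_ip(host):
    """True if the URL host is a literal IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def text_parts(msg):
    """Yield the decoded text/plain bodies of a (possibly multipart) message."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def ecard_lure_indicators(raw_email):
    """Return the sorted list of indicator names found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    hits = set()
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        hits.add("ecard-lure-subject")
    for text in text_parts(msg):
        for url in URL_RE.findall(text):
            parsed = urlparse(url)
            if parsed.hostname and is_bare_ip(parsed.hostname):
                hits.add("bare-ip-url")
            if HEX_TOKEN.match(parsed.query):
                hits.add("hex-token-query")
        if HEX_NUMBER_LINE.search(text):
            hits.add("hex-ecard-number")
    return sorted(hits)

# Constructed messages: the first mirrors Sample 1 with a documentation IP and a made-up token.
SAMPLE_LURE = ("From: 2000Greetings.Com <cards@example.net>\n"
               "Subject: You've received a greeting ecard from a neighbour!\n\n"
               "Click http://192.0.2.10/?0123456789abcdef0123456789 or use http://192.0.2.10/\n"
               "Your ecard number is\n0123456789abcdef0123456789\n")
BENIGN = "From: alice@example.com\nSubject: Meeting notes\n\nSlides: https://example.com/notes?id=42\n"
```

Any message scoring two or more indicators is a strong candidate for quarantine or analyst review; the subject pattern alone would also match legitimate greeting-card services.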

Mitigation Steps

As preventive steps, we advise the following:

  1. Do not click on links in unsolicited or unknown emails, as the links may redirect to malware sites.

  2. Make sure your PCs and browsers are patched with the latest updates.

  3. Make sure your PC has up-to-date anti-virus software installed and that its signature files are kept current.

  4. Report any suspicious emails you receive to your CERT or ISP.


MyCERT's Contact:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442 (monitored during business hours)
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

Postal : Malaysian Computer Emergency Response Team (MyCERT)
NISER (National ICT Security and Emergency Response Centre)
Level 7, SAPURA@MINES
7, Jalan Tasik, The Mines Resort City
43300 Seri Kembangan
Selangor Darul Ehsan, MALAYSIA