dynamoo.com home

 
Site navigation

home
blog
technical
diary
webmaster
orange book
moobiles
shop
contact
links
  
Updated
March 2007

   Dynamoo 2007

 

 

 

BlueMountains Greetings - "You just received an Electronic Greeting" virus.

25th March 2007

Fake greetings cards are all the rage.. these are something you should always be careful with and in all honesty are best avoided altogether. This particular one appears to be from bluemountain.com and reads:

    From: BlueMountains Greetings <greetings@BlueMountain.com>
    Subject: You just received an Electronic Greeting.

    Hello, you just received an electronic greeting from a friend !

    To view your eCard, please click on the following link :

    http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999
    (Your postcard will be available for 60 days.)

    If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

    Thanks for using BlueMountain.com.

BlueMountain.com is a pretty well-known and wholly legitimate online greetings card company, however.. did a little deeper into this email and you find that the underlying HTML is something quite different:

    <html>
    <head>
    <title>Electronic Greeting</title>

    Hello, you just received an electronic greeting from a friend !<br>
    <br>
    To view your eCard, please click on the following link :<br>
    <br>
    <a href="http://BlueMountains.KoKoCards.com/main.php">http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999</a>
    <br>
    (Your postcard will be available for 60 days.)<br>
    <br>
    <br>
    If you have any comments or questions, please visit
    http://www.bluemountain.com/customer/emailus.pd?source=bma999
    <br>
    <br>
    Thanks for using BlueMountain.com.
    </body>
    </html>

Notice that the link is actually http://BlueMountains.KoKoCards.com/main.php (do not visit this site!). In turn, this site redirects visitors as follows:

    03/25/07 23:04:34 Browsing http://BlueMountains.KoKoCards.com/main.php
    Fetching http://BlueMountains.KoKoCards.com/main.php ...
    GET /main.php HTTP/1.1
    Host: BlueMountains.KoKoCards.com
    Connection: close

    HTTP/1.1 302 Found
    Date: Sun, 25 Mar 2007 22:05:24 GMT
    Server: Apache/2.0.52 (CentOS)
    X-Powered-By: PHP/4.3.11
    Location: http://212.177.15.228/images/postcard.jpg.exe
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8

Again, don't visit this site unless you know how to handle malware.. and clearly a file called postcard.jpg.exe is going to be harbouring something malicious.

kokocards.com appears to be registered to an innocent party, and www.kokocards.com is hosted on 83.67.218.235 which is a Freedom2Surf address in the UK. However, the subdomain bluemountains.kokocards.com is hosted on the same 212.177.15.228 in Italy that is listed in the 302 redirect - this server also appears to belong to an innocent party.

The nameservers for kokocards.com are ns1.afraid.org and ns2.afraid.org. afraid.org is a free DNS service, so it is likely in some way that the kokocards.com account at afraid.org has been compromised.

In these cases, the spam was received from 69.72.195.26 which belongs to FortressITX in the United States. This is probably a compromised or hacked server.

Malware analysis

Postcard.jpg.exe is a large 720kb file with patchy detection according to VirusTotal.

 Bluemountain.com fake spam

The prognosis is that it is some variant of Zapchast which is a generic infector. Follow the instructions of your anti-virus vendor for removal or consult a security professional. It is impossible to say how deeply infected a PC might become if running this trojan - if in doubt, rebuild and restore from backup.

 

 

 

 Subj: Shopping and Services

 

 home   technical   diary   webmaster stuff   orange book   shop   contact   links   your privacy