BlueMountains Greetings - "You just received an Electronic Greeting" virus.

25th March 2007

Fake greetings cards are all the rage.. these are something you should always be careful with and in all honesty are best avoided altogether. This particular one appears to be from bluemountain.com and reads:

From: BlueMountains Greetings <greetings@BlueMountain.com>
Subject: You just received an Electronic Greeting.

Hello, you just received an electronic greeting from a friend !

To view your eCard, please click on the following link :

http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999
(Your postcard will be available for 60 days.)

If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999

Thanks for using BlueMountain.com.

BlueMountain.com is a pretty well-known and wholly legitimate online greetings card company, however.. did a little deeper into this email and you find that the underlying HTML is something quite different:

<html>
<head>
<title>Electronic Greeting</title>


Hello, you just received an electronic greeting from a friend !<br>
<br>
To view your eCard, please click on the following link :<br>
<br>
<a href="http://BlueMountains.KoKoCards.com/main.php">http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999</a>
<br>
(Your postcard will be available for 60 days.)<br>
<br>
<br>
If you have any comments or questions, please visit
http://www.bluemountain.com/customer/emailus.pd?source=bma999
<br>
<br>
Thanks for using BlueMountain.com.
</body>
</html>

Notice that the link is actually http://BlueMountains.KoKoCards.com/main.php (do not visit this site!). In turn, this site redirects visitors as follows:

03/25/07 23:04:34 Browsing http://BlueMountains.KoKoCards.com/main.php
Fetching http://BlueMountains.KoKoCards.com/main.php ...
GET /main.php HTTP/1.1
Host: BlueMountains.KoKoCards.com
Connection: close


HTTP/1.1 302 Found
Date: Sun, 25 Mar 2007 22:05:24 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.11
Location: http://212.177.15.228/images/postcard.jpg.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Again, don't visit this site unless you know how to handle malware.. and clearly a file called postcard.jpg.exe is going to be harbouring something malicious.

kokocards.com appears to be registered to an innocent party, and www.kokocards.com is hosted on 83.67.218.235 which is a Freedom2Surf address in the UK. However, the subdomain bluemountains.kokocards.com is hosted on the same 212.177.15.228 in Italy that is listed in the 302 redirect - this server also appears to belong to an innocent party.

The nameservers for kokocards.com are ns1.afraid.org and ns2.afraid.org. afraid.org is a free DNS service, so it is likely in some way that the kokocards.com account at afraid.org has been compromised.

In these cases, the spam was received from 69.72.195.26 which belongs to FortressITX in the United States. This is probably a compromised or hacked server.

Malware analysis

Postcard.jpg.exe is a large 720kb file with patchy detection according to VirusTotal.

The prognosis is that it is some variant of Zapchast which is a generic infector. Follow the instructions of your anti-virus vendor for removal or consult a security professional. It is impossible to say how deeply infected a PC might become if running this trojan - if in doubt, rebuild and restore from backup.