BlueMountains Greetings - "You just received an Electronic Greeting" virus
25th March 2007
Fake greetings cards are all the rage. They are something you should always be careful with and, in all honesty, are best avoided altogether. This particular one appears to be from bluemountain.com and reads:
From: BlueMountains Greetings <greetings@BlueMountain.com>
Subject: You just received an Electronic Greeting.

Hello,
you just received an electronic greeting from a friend !
To view your eCard, please click on the following link :
http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999
(Your postcard will be available for 60 days.)
If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999
Thanks for using BlueMountain.com.
BlueMountain.com is a well-known and wholly legitimate online greetings card company. However, dig a little deeper into this email and you find that the underlying HTML is something quite different:
<html>
<head>
<title>Electronic Greeting</title>
Hello,
you just received an electronic greeting from a friend !<br>
<br>
To view your eCard, please click on the following link :<br>
<br>
<a href="http://BlueMountains.KoKoCards.com/main.php">http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999</a>
<br>
(Your postcard will be available for 60 days.)<br>
<br>
<br>
If you have any comments or questions, please visit http://www.bluemountain.com/customer/emailus.pd?source=bma999
<br>
<br>
Thanks for using BlueMountain.com.
</body>
</html>
Notice that the link actually points to http://BlueMountains.KoKoCards.com/main.php (do not visit this site!), while the visible text shows the genuine bluemountain.com address. In turn, this site redirects visitors as follows:
03/25/07 23:04:34 Browsing http://BlueMountains.KoKoCards.com/main.php
Fetching http://BlueMountains.KoKoCards.com/main.php ...

GET /main.php HTTP/1.1
Host: BlueMountains.KoKoCards.com
Connection: close

HTTP/1.1 302 Found
Date: Sun, 25 Mar 2007 22:05:24 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.11
Location: http://212.177.15.228/images/postcard.jpg.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Again, don't visit this site unless you know how to handle malware. A file called postcard.jpg.exe (an executable dressed up as an image by its double extension) is clearly going to be harbouring something malicious.
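The two tells above, a visible link text that names one host while the href points at another, and a redirect to a double-extension executable, are easy to check mechanically. The following is an added example written for this page, not code from the original post; it embeds a constructed HTML snippet built around the anchor quoted above, and the function and regex names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the anchor from the fake BlueMountain e-card quoted above,
# wrapped in a minimal HTML body (not the full original message).
SAMPLE_HTML = """<html><head><title>Electronic Greeting</title></head><body>
Hello, you just received an electronic greeting from a friend!<br>
To view your eCard, please click on the following link:<br>
<a href="http://BlueMountains.KoKoCards.com/main.php">http://www.bluemountain.com/view.pd?i=164213761&m=2435&rr=z&source=bma999</a><br>
If you have any comments, please visit <a href="http://www.bluemountain.com/customer/emailus.pd">http://www.bluemountain.com/customer/emailus.pd</a>
</body></html>"""

ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r'<[^>]+>')
# Executable extensions hidden behind a harmless-looking one (e.g. postcard.jpg.exe).
DOUBLE_EXT_RE = re.compile(r'\.(jpe?g|gif|png|bmp|pdf|doc|txt)\.(exe|scr|pif|com|bat|cmd)$', re.I)

def host_of(url):
    """Lower-case hostname of an absolute http(s) URL, or None if it has none."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()

def find_mismatched_links(html):
    """Return (href, shown_text) pairs where the visible text is itself a URL
    whose host differs from the host the link really points to."""
    hits = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = TAG_RE.sub("", inner).strip()
        shown_host = host_of(shown)
        if shown_host is None:          # plain words like "click here": nothing to compare
            continue
        if shown_host != host_of(href):
            hits.append((href, shown))
    return hits

def is_disguised_executable(url):
    """True when the URL path ends in a double extension such as .jpg.exe."""
    return DOUBLE_EXT_RE.search(urlparse(url).path) is not None

if __name__ == "__main__":
    for href, shown in find_mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: shows {shown} but points to {href}")
    # The Location header from the 302 above trips the double-extension check.
    print(is_disguised_executable("http://212.177.15.228/images/postcard.jpg.exe"))
```

In a mail gateway you would run the first check over the decoded text/html part of each message and the second over any Location header seen while following redirects in a sandbox; both only inspect strings and never fetch anything.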
kokocards.com appears to be registered to an innocent party, and www.kokocards.com is hosted on 83.67.218.235, which is a Freedom2Surf address in the UK. However, the subdomain bluemountains.kokocards.com is hosted on the same 212.177.15.228 in Italy that is listed in the 302 redirect; this server also appears to belong to an innocent party.
The nameservers for kokocards.com are ns1.afraid.org and ns2.afraid.org. afraid.org is a free DNS service, so it is likely that the kokocards.com account at afraid.org has in some way been compromised.
In this case, the spam was received from 69.72.195.26, which belongs to FortressITX in the United States. This is probably a compromised or hacked server.
Malware analysis
Postcard.jpg.exe is a large 720 KB file with patchy detection according to VirusTotal.
The prognosis is that it is some variant of Zapchast, which is a generic infector. Follow the instructions of your anti-virus vendor for removal or consult a security professional. It is impossible to say how deeply infected a PC might become if running this trojan; if in doubt, rebuild and restore from backup.