Site navigation

home
blog
technical
diary
webmaster
orange book
moobiles
shop
contact
links

Updated
August 2006

www.All-Yours.net: Bogus Postcard Messages

10th August 2006

All-Yours.net is a legitimate electronic greetings card web site, who's name is being misused to spread a virus/trojan horse in the form of a downloadable executable file called postcard.exe. This email is carefully constructed to give the impression that the file you are downloading is from All-Yours.net, in fact it is on a completely different site. All-Yours.net does not have anything to do with these emails, nor has the All-Yours.net site been compromised or hacked in any way.

If you receive an email like this, do not click the links. If you want to check to see if the site is genuine, copy and paste the address into your browser's address bar.

The body of the email looks something like this:

Subject: Your postcard
From: service@postcard.com

Hello , .

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:
.

http://www.all-yours.net/u/view.php?id=a0190313376667.

If you can't click on the web address above, you can also
visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667.

(Your postcard will be available for 60 days.).

Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www.all-yours.net/
(Or you can simply click the "reply to this postcard"
button beneath your postcard!)

We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!

Regards,
1001 E-Greetings and Postcards
http:///www.all-yours.net/

In this case, the links that appear to be to www.all-yours-net are actually pointing to http://link.pl/~gabriel/postcard.exe although it is most likely that this is a hacked site and that the other content on http://link.pl/~gabriel in no way identifies the people behind this scam.

As of 10/8/06, identification of the payload is patchy. The excellent VirusTotal gives the following analysis:

Antivirus	Version	Update	Result
AntiVir	6.35.1.0	08.10.2006	TR/Zapchast.AU
Authentium	4.93.8	08.09.2006	no virus found
Avast	4.7.844.0	08.09.2006	Win32:Parite
AVG	386	08.09.2006	IRC/BackDoor.Flood
BitDefender	7.2	08.10.2006	Trojan.Zapchas.F
CAT-QuickHeal	8.00	08.09.2006	no virus found
ClamAV	devel-20060426	08.10.2006	Oversized.RAR
DrWeb	4.33	08.09.2006	Win32.Parite.2
eTrust-InoculateIT	23.72.92	08.10.2006	no virus found
eTrust-Vet	30.3.3008	08.10.2006	no virus found
Ewido	4.0	08.10.2006	no virus found
Fortinet	2.77.0.0	08.10.2006	REG/Zapchast.4D53!tr.bdr
F-Prot	3.16f	08.09.2006	no virus found
F-Prot4	4.2.1.29	08.09.2006	no virus found
Ikarus	0.2.65.0	08.09.2006	no virus found
Kaspersky	4.0.2.24	08.10.2006	Backdoor.IRC.Zapchast
McAfee	4825	08.09.2006	IRC/Flood.ev
Microsoft	1.1508	08.04.2006	no virus found
NOD32v2	1.1700	08.10.2006	IRC/Zapchast
Norman	5.90.23	08.09.2006	no virus found
Panda	9.0.0.4	08.09.2006	no virus found
Sophos	4.08.0	08.10.2006	W32/Parite-B
Symantec	8.0	08.10.2006	Trojan.Dropper
TheHacker	5.9.8.189	08.09.2006	Trojan/Dropper.Binder.h
UNA	1.83	08.09.2006	no virus found
VBA32	3.11.0	08.09.2006	Backdoor.IRC.Cloner.ae#9
VirusBuster	4.3.7:9	08.09.2006	IRC.Zapchast.AQ

The trojan payload is broadly identified as a variant of Zapchast.

If you have opened this email, then we recommend that you scan your system thoroughly with a good anti-virus program or a reputable anti-spyware application.

home technical diary webmaster stuff orange book shop contact links your privacy