dynamoo.com

Updated August 2006
Dynamoo 2006

www.All-Yours.net: Bogus Postcard Messages

10th August 2006

All-Yours.net is a legitimate electronic greetings card web site whose name is being misused to spread a trojan horse in the form of a downloadable executable file called postcard.exe. The email is carefully constructed to give the impression that the file you are downloading comes from All-Yours.net; in fact it is hosted on a completely different site. All-Yours.net has nothing to do with these emails, nor has the All-Yours.net site been compromised or hacked in any way.

If you receive an email like this, do not click the links. The address shown in the message and the address the link actually leads to are not the same, so if you want to check whether a card is genuine, type or paste the displayed address (www.all-yours.net) into your browser's address bar yourself instead of clicking it.

The body of the email looks something like this:

    Subject: Your postcard
    From: service@postcard.com

    Hello , .

    A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:
    .

    http://www.all-yours.net/u/view.php?id=a0190313376667.

    If you can't click on the web address above, you can also
    visit E-Greetings at http://www.all-yours.net/
    and enter your pickup code, which is: a0190313376667
    .

    (Your postcard will be available for 60 days.).

    Oh -- and if you'd like to reply with a postcard,
    you can do so by visiting this web address:
    http://www.all-yours.net/
    (Or you can simply click the "reply to this postcard"
    button beneath your postcard!)


    We hope you enjoy your postcard, and if you do,
    please take a moment to send a few yourself!


    Regards,
    1001 E-Greetings and Postcards
    http:///www.all-yours.net/

In this case, the links that appear to point to www.all-yours.net actually point to http://link.pl/~gabriel/postcard.exe. This is most likely a hacked site, and the other content at http://link.pl/~gabriel in no way identifies the people behind this scam.
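The mismatch described above is easy to check mechanically. The following Python script is an added example, not code from dynamoo.com: it parses an HTML mail body, collects every anchor, and flags those whose visible text is a URL on a different host than the real href, or whose target is an executable file. The HTML body is constructed for the example and modelled on the message quoted above (the two card links carry the link.pl href the page reports; the reply link is left genuine); the function and constant names are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body modelled on the message quoted above. It is a
# stand-in for the real mail, not a capture of it.
SAMPLE_HTML = """
<p>A Greeting Card is waiting for you at our virtual post office!
You can pick up your postcard at the following web address:</p>
<p><a href="http://link.pl/~gabriel/postcard.exe">http://www.all-yours.net/u/view.php?id=a0190313376667</a></p>
<p>If you can't click on the web address above, you can also visit E-Greetings at
<a href="http://link.pl/~gabriel/postcard.exe">http://www.all-yours.net/</a>
and enter your pickup code.</p>
<p>Reply with a postcard: <a href="http://www.all-yours.net/">http://www.all-yours.net/</a></p>
"""

# File types a greetings-card link has no business pointing at (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html):
    """Flag anchors whose visible text is a URL on a different host than the
    real target, and anchors whose target path ends in an executable suffix."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown_host and shown_host != host_of(href):
            reasons.append("text shows %s but link goes to %s" % (shown_host, host_of(href)))
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("target is an executable file")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_HTML):
        print(finding["href"], "<-", finding["text"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run as a script it reports the two card links and leaves the genuine reply link alone. The check only has something to compare when the visible text is itself a URL; a mail whose link text reads "click here" needs the executable-suffix test or a host allow-list instead.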

As of 10th August 2006, identification of the payload is patchy. The excellent VirusTotal gives the following analysis (the Update column is each engine's signature date, in VirusTotal's MM.DD.YYYY format):

Antivirus            Version          Update       Result
AntiVir              6.35.1.0         08.10.2006   TR/Zapchast.AU
Authentium           4.93.8           08.09.2006   no virus found
Avast                4.7.844.0        08.09.2006   Win32:Parite
AVG                  386              08.09.2006   IRC/BackDoor.Flood
BitDefender          7.2              08.10.2006   Trojan.Zapchas.F
CAT-QuickHeal        8.00             08.09.2006   no virus found
ClamAV               devel-20060426   08.10.2006   Oversized.RAR
DrWeb                4.33             08.09.2006   Win32.Parite.2
eTrust-InoculateIT   23.72.92         08.10.2006   no virus found
eTrust-Vet           30.3.3008        08.10.2006   no virus found
Ewido                4.0              08.10.2006   no virus found
Fortinet             2.77.0.0         08.10.2006   REG/Zapchast.4D53!tr.bdr
F-Prot               3.16f            08.09.2006   no virus found
F-Prot4              4.2.1.29         08.09.2006   no virus found
Ikarus               0.2.65.0         08.09.2006   no virus found
Kaspersky            4.0.2.24         08.10.2006   Backdoor.IRC.Zapchast
McAfee               4825             08.09.2006   IRC/Flood.ev
Microsoft            1.1508           08.04.2006   no virus found
NOD32v2              1.1700           08.10.2006   IRC/Zapchast
Norman               5.90.23          08.09.2006   no virus found
Panda                9.0.0.4          08.09.2006   no virus found
Sophos               4.08.0           08.10.2006   W32/Parite-B
Symantec             8.0              08.10.2006   Trojan.Dropper
TheHacker            5.9.8.189        08.09.2006   Trojan/Dropper.Binder.h
UNA                  1.83             08.09.2006   no virus found
VBA32                3.11.0           08.09.2006   Backdoor.IRC.Cloner.ae#9
VirusBuster          4.3.7:9          08.09.2006   IRC.Zapchast.AQ

Fifteen of the 27 engines flag the file. The trojan payload is broadly identified as a variant of Zapchast (named by six engines, under the Backdoor.IRC, TR/, REG/ and IRC/ prefixes), with three engines reporting Parite instead and Symantec and TheHacker classifying it simply as a dropper. The same file is detected under several different names and missed outright by twelve engines, so a single scanner reporting "no virus found" is not evidence that it is clean.
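Reading 27 inconsistent vendor names is the kind of task worth scripting. The following Python is an added example, not code from dynamoo.com or from VirusTotal: it takes the table above (transcribed into a dictionary), strips platform and type prefixes such as Win32:, TR/ and Backdoor.IRC., collapses spelling variants of one family, and tallies how many engines agree on each name. The noise-word list and the prefix-collapsing heuristic are assumptions of this example, not a VirusTotal feature.

```python
import re
from collections import Counter

# The VirusTotal rows quoted above, transcribed as engine -> result.
VT_RESULTS = {
    "AntiVir": "TR/Zapchast.AU",
    "Authentium": "no virus found",
    "Avast": "Win32:Parite",
    "AVG": "IRC/BackDoor.Flood",
    "BitDefender": "Trojan.Zapchas.F",
    "CAT-QuickHeal": "no virus found",
    "ClamAV": "Oversized.RAR",
    "DrWeb": "Win32.Parite.2",
    "eTrust-InoculateIT": "no virus found",
    "eTrust-Vet": "no virus found",
    "Ewido": "no virus found",
    "Fortinet": "REG/Zapchast.4D53!tr.bdr",
    "F-Prot": "no virus found",
    "F-Prot4": "no virus found",
    "Ikarus": "no virus found",
    "Kaspersky": "Backdoor.IRC.Zapchast",
    "McAfee": "IRC/Flood.ev",
    "Microsoft": "no virus found",
    "NOD32v2": "IRC/Zapchast",
    "Norman": "no virus found",
    "Panda": "no virus found",
    "Sophos": "W32/Parite-B",
    "Symantec": "Trojan.Dropper",
    "TheHacker": "Trojan/Dropper.Binder.h",
    "UNA": "no virus found",
    "VBA32": "Backdoor.IRC.Cloner.ae#9",
    "VirusBuster": "IRC.Zapchast.AQ",
}

# Tokens that name a platform or malware type rather than a family (assumed list).
NOISE = {"win32", "w32", "win", "tr", "trojan", "backdoor", "bdr", "irc", "reg", "generic"}


def family_token(label):
    """Best-effort family name from one vendor label, or None for a miss.
    Splits on punctuation, drops noise words, digits and short variant
    suffixes (.AU, .F, -B), and keeps the first token that survives."""
    if not label or label.lower() == "no virus found":
        return None
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]
    candidates = [t for t in tokens if t not in NOISE and not t.isdigit() and len(t) > 2]
    return candidates[0] if candidates else None


def consensus(results):
    """Detection count and per-family tally across engines. Spelling variants
    of one family (Zapchas / Zapchast) are merged when the shorter token is a
    prefix of the longer and at least 5 characters long."""
    detected = {engine: family_token(label) for engine, label in results.items()}
    detected = {engine: tok for engine, tok in detected.items() if tok}
    raw = Counter(detected.values())
    key_of = {}
    for tok in sorted(raw, key=len):  # shortest spellings become group keys
        key_of[tok] = next((k for k in set(key_of.values()) if len(k) >= 5 and tok.startswith(k)), tok)
    groups = Counter()
    for tok, n in raw.items():
        groups[key_of[tok]] += n
    # report each group under its most common spelling
    named = {}
    for key, n in groups.items():
        spelling = max((t for t in raw if key_of[t] == key), key=lambda t: raw[t])
        named[spelling] = n
    return {"detected": len(detected), "engines": len(results), "families": named}


if __name__ == "__main__":
    summary = consensus(VT_RESULTS)
    print("%d of %d engines detect the file" % (summary["detected"], summary["engines"]))
    for family, n in sorted(summary["families"].items(), key=lambda kv: -kv[1]):
        print("  %-10s %d" % (family, n))
```

The first-surviving-token rule is deliberately crude: it reports ClamAV's Oversized.RAR as a "family" of its own, which is a reminder that some results are heuristics about the container rather than a name for the payload. Read the tally as a prompt for which names to look up, not as a verdict.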

The email itself only carries links; the payload runs only if postcard.exe was downloaded and executed. If you have done that, we recommend that you scan your system thoroughly with a good anti-virus program or a reputable anti-spyware application, using signatures updated after 10th August 2006, since many engines did not yet detect this file on that date. Because the payload is identified as a backdoor, treat the machine as under someone else's control until the scan comes back clean.
