|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| Re: Fake e-card viruses getting harder to stop from link ".. All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said. .."
don't click disappoint them instead  »Selema must really love me...
Cudni -- "Mercifully, he hit him with the soft end of the pistol." Help yourself so God can help you.MVP, Microsoft Windows Security 2006-2007 | |
|
 |  |
 |  |  robo_geek
join:2007-08-09 Roswell, GA
·AT&T DSL Service
| Re: Fake e-card viruses getting harder to stop I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.
Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh)
It literally crashed my web browser when I hit the page (Internet Explorer 6) and installed a stealth trojan downloader virus which was unknown to my WebRoot SpySweeper and McAfee AV. (despite daily updates) I use a product called Cisco Security Agent which stopped the virus from executing, but could not remove it.
Thus I did not click on any executable, download or view anything. Simply visiting the page would crash the browser and infect the computer.
I went to Trend Micro's 'House Call' website and was able to detect and remove the virus. I sent a sample to McAfee and they sent me back an updated AV signature which could detect this. After getting the new AV signature I gleefully navigated to the page again, watched my browser crash and then heard the pathetic screams of the virus getting devoured by the AV software. | |
|
 |  |  |  |
 |  |  |   tomazyk
join:2006-12-04 | That's why I use Firefox with Noscript. You never know what you'll get clicking those links. | |
|
 |  |  |  |
 |  |  |  kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| said by robo_geek :I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it. Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh) This is why I only click the links from Firefox on a Linux box. 
Someone should develop a tool that will pull the sender's IP address (which is a zombie), as well as the IP address in the embedded URL (also a zombie), and submit them to some central clearinghouse or the ISPs owning the IPs in question so they can be addressed. A central clearinghouse could also produce an IP blacklist from the data culled from these emails.
As it is, my home-brew greylister/spam blocker will do this at least within my domain. If IP 1.2.3.4 sends me an email with a hyperlink pointing to 5.6.7.8, both 1.2.3.4 and 5.6.7.8 would be perma-banned from ever sending email to my domain, ever again.  -- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
  mouse Premium join:2007-03-29 australia
| I have been swamped by these cards over the last 3 weeks and it does not seem to ease. What surprises me is that almost simultaneously a number of my email addresses that never had any spam have received these and continue to receive them. This must be an outbreak of much higher proportions than what we saw before, otherwise I don't understand why all of a sudden I actually feel bothered. In the past I received the odd spam, easily handled by a spam program and some caution as the spam email would stick out like the proverbial thumb. Now I receive more spam than real emails and it does not just affect one address.  | |
|
 |   MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| Re: Fake e-card viruses getting harder to stop said by mouse :I have been swamped by these cards over the last 3 weeks and it does not seem to ease. What surprises me is that almost simultaneously a number of my email addresses that never had any spam have received these and continue to receive them. This must be an outbreak of much higher proportions than what we saw before, otherwise I don't understand why all of a sudden I actually feel bothered. In the past I received the odd spam, easily handled by a spam program and some caution as the spam email would stick out like the proverbial thumb. Now I receive more spam than real emails and it does not just affect one address. Agreed these e-mails are getting very annoying!!
I too receive more and more of these every day. My question to this is, there are legit web sites out there that provide these type of e-mails. Are they not getting a little pissed about all of these phony e-mails going around? It definitely has to have hurt their revenues in some way.  -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." | |
|
 |
 |   delenn13 De gustibus nil disputandum Premium,MVM join:2006-03-02 Ridgeway, ON clubs:
| Re: Fake e-card viruses getting harder to stop I have not gotten one single one from my Gmail or my main account. Now with my Yahoo account in the past 4 weeks or more I probably get 7 or 8 a day from a neighbor, school/classmate, friend. You name it.  -- "Dismissed. That's a Starfleet expression for 'Get out.'" Capt. Kathryn Janeway We CAN Cure Alzheimer's and Cancer. JOIN US HERE | |
|
 |  |
 |  |  |
 |  |   Gooiool May God bless you. Premium join:2006-11-27 Roland, OK clubs:
| said by astirusty :said by La Luna :I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards"). Just so you don't feel left out, I can "bounce" you several I have gotten.  Just post your e-mail address and I will get right on it. A big ol' lol for that ! -- As always thank you Gooiool ©2005.Team Discovery Please join us in the fight against cancer and juvenile diseases.Project Hope | |
|
 |   TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| I had spam in my Gmail account minutes after creating the account, and continue to get tons of it. Their spam filter works well though (at least for me, YMMV).  -- Proud ASAP member since 2005 | |
|
 |   Pichin
join:2001-07-01 Altamonte Springs, FL | I am not insulted but feeling like...LEFT OUT!!! | |
|
 |  |
 |  |   jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| Re: Fake e-card viruses getting harder to stop said by koam :said by La Luna :I'm insulted, I haven't received one of these emails... You're insulted? All my spam is about my small cock. That would be a chick!  | |
|
 |  |  |
  roc5955 Premium join:2005-11-26 Rosendale, NY
·RoadRunner Cable
1 edit | They are especially hard to stop, when you have to maintain over 1000 users. No matter how many times you tell them NOT to open something, they will open it.
I even got one several weeks ago from "an admirer." Being a curmudgeon, I can be sure in the fact that ESPECIALLY this one was false. I have no admirers, and if I did, I would have to kill them.
Oh, and now the spam is coming in the form of .PDF files. Be on the lookout for viagra, penile and breast implant, get rich quick, and other schemes coming attached as .PDFs.
And I am sure that those losers users will open them, even though they have been told not to open anything that they were not expecting.

-- "Understanding is a three-edged sword."  | |
|
  PolarBear The bear formerly known as aaron8301 Premium join:2005-01-03
·CableOne
| I still have never gotten one. Anyone have one? Forward it to me:
aaron8301 (at) gmail.com
and PM me to let me know you sent it. I'd like to know how Gmail handles it, and if I do indeed get it, how Kaspersky handles it. -- A computer lets you make more mistakes faster than any other invention, with the possible exceptions of handguns and Tequilla. -- Mitch Ratcliffe | |
|
 |
  E_V Premium join:2000-09-29 Vancouver, BC clubs:
| I feel badly for the legitimate ecard biz but personally I detest ecards as much as I do chain emails.
I've got a crapload of malware quarantined after looking into these. At least educated users can have some control over the installation for the majority of them. I'm more annoyed by the boatloads of efax spam I get. | |
|
  Pichin
join:2001-07-01 Altamonte Springs, FL | can someone forward one to me salpiche at cfl.rr.com
thanks  -- What's the speed of dark?
| |
|
 mq8
join:2007-08-17 Orlando, FL
| I've been getting plenty of it for the past couple weeks. Within the past couple days, I've noticed a couple of formats for it: quote: I`m in hurry, but i still love you... (as you can see on the ecard) »24.xx.xx.32/
quote: Good day.
Your Neighbor has sent you birthday card from ecard4all.com.
Click on your birthday card link below:
»24.xx.xx.58/
Copyright (c) 1997-2007 ecard4all.com All Rights Reserved
quote: Hi. Class mate has sent you an ecard. See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
»24.xx.xx.22/?ea95523893748ae5680c1a02b54ce75
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best, Postmaster, greetingcard.org
| |
|
 |
  tomazyk
join:2006-12-04
| I get a couple of these ecards every day to a Gmail account, where I never got spam before. I download each piece of malware to see if NOD catches it. If not, I submit it to Eset and upload a copy to Virustotal for other vendors to get a copy. I don't execute it though.  | |
|
 Bane75
join:2002-09-20 Poway, CA
| We got rid of all of these last week. I put a rule into McAfee Groupshield for Exchange, to delete any emails mentioning E-cards, E-greetings, etc. It is currently deleting about 200 e-mails a day. Pretty much any gateway spam filter or gateway mail scanning AV should be able to take care of this. | |
|
 |  kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
1 edit | Re: Fake e-card viruses getting harder to stop An even better way to filter this crap out is to filter any email with an IP address URL in it... in other words, http colon slash slash followed by numeric digits. Some of the newer ones make no mention of e-card or greeting card whatsoever, so subject line filters are no longer effective.
If you can filter using regular expressions: will do the trick.
If you can't use wildcards or regular expressions (say, in Outlook), set up a rule that filters on:
If you legitimately receive emails with IP address URLs to internal servers (say in a work environment), set up an exception for those, such as
-- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
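The IP-URL filter with an internal-server exception described in the post above, combined with the sender/link IP collection kpatz proposed earlier in the thread, as an added example that is not part of any post and is not kpatz's own filter. The regular expressions, the `ALLOWED_NETS` exception list and the sample message are constructed for illustration; the post's own patterns did not survive on this page.

```python
import ipaddress
import re
from email import message_from_string

# Constructed patterns (not the ones from the post): an http(s) URL whose host
# is a dotted-quad IPv4 literal, and a bracketed IP in a Received header.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/?#\s]|$)", re.I)
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Hypothetical exception list for legitimate internal servers.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample message using documentation-range addresses.
SAMPLE = (
    "Received: from dsl-host.example.net ([203.0.113.45])\n"
    "\tby mx.example.org; Tue, 21 Aug 2007 08:00:00 -0400\n"
    "Received: from unknown ([198.51.100.9]) by dsl-host.example.net\n"
    "Subject: You have a new message\n"
    "\n"
    "Click on your card link below:\n"
    "http://198.51.100.58/?ea95\n"
    "Intranet copy: http://10.1.2.3/wiki\n"
)

def parse_ip(text):
    """Return an ip_address object, or None for junk such as 999.1.1.1."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def ip_url_hosts(body):
    """External IP-literal URL hosts in the body, deduplicated, in order."""
    hosts = []
    for match in IP_URL.finditer(body):
        ip = parse_ip(match.group(1))
        if ip and not any(ip in net for net in ALLOWED_NETS) and str(ip) not in hosts:
            hosts.append(str(ip))
    return hosts

def ban_candidates(raw_message):
    """Sending IP plus linked IPs, but only when the mail carries an IP URL."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    hosts = ip_url_hosts(body) if isinstance(body, str) else []  # single-part only
    if not hosts:
        return []
    # The topmost Received header is the one added by the receiving server.
    top = RECEIVED_IP.search((msg.get_all("Received") or [""])[0])
    sender = [top.group(1)] if top and parse_ip(top.group(1)) else []
    return sender + [h for h in hosts if h not in sender]
```

Only the topmost `Received` header is trusted because earlier ones are written by the sending side and can be forged; a hostname that merely starts with digits (for example `192.0.2.7.example.com`) is not treated as an IP URL.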
|
 |  |   DataDoc My avatar looks like me, if I was 2D. Premium join:2000-05-14 Greenville, NC | Re: Fake e-card viruses getting harder to stop Even easier, in Outlook, just junk any sender not in your Contacts list. | |
|
  Midak Doctors suck Premium join:2002-02-26 Yonkers, NY | Wow, I thought this was just the new trend in spam selling bootleg drugs. I get a few every day. | |
|
 |
 |  kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
1 edit | Re: Fake e-card viruses getting harder to stop Now they're sending out fake "login" or "membership" information emails.
quote: Welcome Member,
Thank You for Joining Web Joker.
Membership Number: 378812391 Temorary Login: user3138 Temorary Password: on858
For security purposes please login and change the temporary Login ID and Password.
Click here to enter our secure server: hxxp://xx.x.xxx.xxx/
Enjoy, Membership Services Web Joker
quote: Greetings,
Welcome To Ringtone Heaven.
User Number: 734983749618 Your Login ID: user9105 Temorary Password: no358
Be Secure. Change your Login ID and Password.
Use this link to change your Login info: hxxp://xx.xx.xx.xx/
Welcome, New Member Services Ringtone Heaven
quote: Welcome Member,
Thank You for Joining Web Joker.
Membership Number: 378812391 Temorary Login: user3138 Temorary Password: on858
For security purposes please login and change the temporary Login ID and Password.
Click here to enter our secure server: hxxp://xx.x.xxx.xxx/
Enjoy, Membership Services Web Joker
If I hadn't already created a filter on IP URLs I could filter on "temorary". 
The site shows:
quote: If you do not see the Secure Login Window please install our Secure Login Applet.
which links to an "applet.exe". Here's scan results using the scanners I have on my Linux box:
quote:
kpatz@zuul:~/Desktop$ f-prot -ai applet.exe
Virus scanning report - 21 August 2007 @ 8:11
F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15
VIRUS SIGNATURE FILES
SIGN.DEF created 20 August 2007
SIGN2.DEF created 20 August 2007
MACRO.DEF created 20 August 2007
Search: applet.exe
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -AI
/home/kpatz/Desktop/applet.exe Infection: Possibly a new variant of W32/Fathom.2-based!Maximus
Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00
kpatz@zuul:~/Desktop$ clamscan applet.exe
applet.exe: Trojan.Small-3614 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 148124
Engine version: devel-20070413
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.11 MB
Time: 141.254 sec (2 m 21 s)
kpatz@zuul:~/Desktop$ avgscan applet.exe
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.47, engine 442
Virus Database: Version 269.12.1/963 2007-08-20
License type is FREE.
applet.exe Trojan horse Downloader.Tibs.7.D
Tested: 1 files, 0 sectors
Infections: 1
Errors: 0
-- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. | |
|
 |  |  mq8
join:2007-08-17 Orlando, FL
| Re: Fake e-card viruses getting harder to stop said by kpatz :Now they're sending out fake "login" or "membership" information emails. Yep. I have stopped receiving the e-card e-mails and have begun receiving a ton of different sites that I supposedly signed up at. | |
|
 Tommyastro
join:2004-01-18 Poughkeepsie, NY | I've got a couple in the past 3 weeks but I use Macs so......meh! | |
|
 |
 |
|
 |