exocet_cm In memory of dadkins Premium join:2003-03-23 New Orleans, LA
reply to daveinpoway (Re: Fake e-card viruses getting harder to stop)
I just cleaned up a laptop which the user got infected by an e-card. "John, I got an e-mail card from my mom and opened it up. After that a window popped up near the clock and my computer is really slow. What happened?"
Doh!
At least this one was easy to clean, the "usual" programs removed everything. -- "I have measured out my life with coffee spoons..." - T.S. Eliot Check Out the Tech Bench »johnball.wordpress.com/tech-bench/ Ma blog: »www.johndball.com
 mq8
join:2007-08-17 Orlando, FL
reply to kpatz
said by kpatz :Now they're sending out fake "login" or "membership" information emails.
Yep. I have stopped receiving the e-card e-mails and have begun receiving a ton from different sites that I supposedly signed up at.
 Tommyastro
join:2004-01-18 Poughkeepsie, NY
reply to daveinpoway I've got a couple in the past 3 weeks but I use Macs so......meh!
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to BIGbadjohn
Now they're sending out fake "login" or "membership" information emails.
quote: Welcome Member,
Thank You for Joining Web Joker.
Membership Number: 378812391 Temorary Login: user3138 Temorary Password: on858
For security purposes please login and change the temporary Login ID and Password.
Click here to enter our secure server: hxxp://xx.x.xxx.xxx/
Enjoy, Membership Services Web Joker
quote: Greetings,
Welcome To Ringtone Heaven.
User Number: 734983749618 Your Login ID: user9105 Temorary Password: no358
Be Secure. Change your Login ID and Password.
Use this link to change your Login info: hxxp://xx.xx.xx.xx/
Welcome, New Member Services Ringtone Heaven
If I hadn't already created a filter on IP URLs I could filter on "temorary". 
The site shows:
quote: If you do not see the Secure Login Window please install our Secure Login Applet.
which links to an "applet.exe". Here's scan results using the scanners I have on my Linux box:
quote: kpatz@zuul:~/Desktop$ f-prot -ai applet.exe
Virus scanning report - 21 August 2007 @ 8:11

F-PROT ANTIVIRUS
Program version: 4.6.7
Engine version: 3.16.15

VIRUS SIGNATURE FILES
SIGN.DEF created 20 August 2007
SIGN2.DEF created 20 August 2007
MACRO.DEF created 20 August 2007

Search: applet.exe
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER -AI

/home/kpatz/Desktop/applet.exe  Infection: Possibly a new variant of W32/Fathom.2-based!Maximus

Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Infected: 0
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0
Time: 0:00

kpatz@zuul:~/Desktop$ clamscan applet.exe
applet.exe: Trojan.Small-3614 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 148124
Engine version: devel-20070413
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.11 MB
Time: 141.254 sec (2 m 21 s)

kpatz@zuul:~/Desktop$ avgscan applet.exe
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.47, engine 442
Virus Database: Version 269.12.1/963 2007-08-20
License type is FREE.

applet.exe  Trojan horse Downloader.Tibs.7.D

Tested: 1 files, 0 sectors
Infections: 1
Errors: 0
-- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
  BIGbadjohn HI JFK, you frightened us back in 1962 Premium join:2003-03-05 Ireland
reply to daveinpoway I have a problem with it myself. For some reason most of it comes through my DSLR email address. I also took a chance with one and got away with it. Good old Nod32 was sitting waiting for the pounce and saved the day. I don't do it anymore, too much like playing with fire.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to robo_geek
said by robo_geek :I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it. Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh)
This is why I only click the links from Firefox on a Linux box.
Someone should develop a tool that will pull the sender's IP address (which is a zombie), as well as the IP address in the embedded URL (also a zombie), and submit them to some central clearinghouse or the ISPs owning the IPs in question so they can be addressed. A central clearinghouse could also produce an IP blacklist from the data culled from these emails.
As it is, my home-brew greylister/spam blocker will do this at least within my domain. If IP 1.2.3.4 sends me an email with a hyperlink pointing to 5.6.7.8, both 1.2.3.4 and 5.6.7.8 would be perma-banned from ever sending email to my domain, ever again.
-- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
  deke40 Premium join:2003-01-23 Freeport, Tx
reply to robo_geek
Glad to know I wasn't the only one that got curious about one of the ecards.
Clicked on the link and my old Acer started humming to beat the band. My free AVG jumped up and grabbed the evil devil and I deleted it from the vault.
Just switched to a Comcast email address and the ecards have gone to 0, until my computer-illiterate friends who don't know how to Bcc: get my new address passed around to everybody on their mailing list.
Midak Doctors suck Premium join:2002-02-26 Yonkers, NY
reply to daveinpoway Wow, I thought this was just the new trend in spam selling bootleg drugs. I get a few every day.
  tomazyk
join:2006-12-04
reply to robo_geek That's why I use Firefox with NoScript. You never know what you'll get clicking those links.
  NetFixer Freedom is NOT Free Premium join:2004-06-24 Murfreesboro, TN
reply to robo_geek Hmmm, perhaps I should have included the following standard boilerplate disclaimer/warning with my previous post.
said by NetFixer :The preceding test was done by an IT professional on an isolated test computer. The results displayed may not be repeatable for different emails or payloads. Do not try this on your computer!
-- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall.
DataDoc My avatar looks like me, if I was 2D. Premium join:2000-05-14 Greenville, NC
reply to kpatz Even easier, in Outlook, just junk any sender not in your Contacts list.
 robo_geek
join:2007-08-09 Roswell, GA
reply to NetFixer I was curious and went to the site listed in a link given in a fake e-card I got. I knew it was a fake e-card, and I knew it might have some virus or spyware associated with it.
Despite having all my spyware/anti-virus all cranked up, the base URL of the webpage had a javascript buffer-overflow exploit built right into the index.html of the web page. (ugh)
It literally crashed my web browser when I hit the page (Internet Explorer 6) and installed a stealth trojan downloader virus which was unknown to my WebRoot SpySweeper and McAfee AV (despite daily updates). I use a product called Cisco Security Agent which stopped the virus from executing, but could not remove it.
Thus I did not click on any executable, download or view anything. Simply visiting the page would crash the browser and infect the computer.
I went to Trend Micro's 'House Call' website and was able to detect and remove the virus. I sent a sample to McAfee and they sent me back an updated AV signature which could detect this. After getting the new AV signature I gleefully navigated to the page again, watched my browser crash and then heard the pathetic screams of the virus getting devoured by the AV software.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
reply to Bane75 An even better way to filter this crap out is to filter any email with an IP address URL in it... in other words, http colon slash slash followed by numeric digits. Some of the newer ones make no mention of e-card or greeting card whatsoever, so subject line filters are no longer effective.
If you can filter using regular expressions: will do the trick.
If you can't use wildcards or regular expressions (say, in Outlook), set up a rule that filters on:
If you legitimately receive emails with IP address URLs to internal servers (say in a work environment), set up an exception for those, such as
-- Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
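The IP-address-URL filter kpatz describes above, with the exception for internal servers, and the extraction of the linked IPs that his earlier greylister post bans, as an added example that is not code from the thread. The internal network ranges and all sample messages are constructed assumptions; the regex shown was not posted, so this one is my own.

```python
import ipaddress
import re

# Matches http:// or https:// followed by a dotted-quad host, with an optional
# port and path, e.g. http://203.0.113.58/ or http://10.1.2.3:8080/status
IP_URL_RE = re.compile(
    r"\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)

# Assumed exception list: internal servers that legitimately show up as
# bare-IP links in work e-mail (RFC 1918 ranges chosen for illustration).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def ip_urls(body):
    """Return the IPv4 addresses used as URL hosts in a message body."""
    found = []
    for match in IP_URL_RE.finditer(body):
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
    return found


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def should_filter(body):
    """True if the body links to an IP-address URL that is not an internal server."""
    return any(not is_internal(ip) for ip in ip_urls(body))


def external_link_ips(body):
    """Addresses a greylister could ban: every non-internal IP linked in the body."""
    return sorted({str(ip) for ip in ip_urls(body) if not is_internal(ip)})


if __name__ == "__main__":
    # Constructed sample in the style of the e-card spam quoted in this thread.
    ECARD = "Click on your birthday card link below:\nhttp://203.0.113.58/\n"
    print(should_filter(ECARD), external_link_ips(ECARD))
```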
 Bane75
join:2002-09-20 Poway, CA
reply to daveinpoway We got rid of all of these last week. I put a rule into McAfee GroupShield for Exchange to delete any emails mentioning E-cards, E-greetings, etc. It is currently deleting about 200 e-mails a day. Pretty much any gateway spam filter or gateway mail-scanning AV should be able to take care of this.
  tomazyk
join:2006-12-04
reply to daveinpoway I get a couple of these ecards every day to a Gmail account, where I never got spam before. I download each piece of malware to see if NOD catches it. If not I submit it to Eset and upload a copy to VirusTotal for other vendors to get a copy. I don't execute it though.
 margaf77
join:2000-12-22 Bayonne, NJ
reply to daveinpoway I have seen a couple sent to emails I have that get 1-2 pieces of spam every 6 months lately; it's definitely becoming a big problem if I'm getting them on these accounts.
Has anyone started getting PDFs from bogus email addresses lately? I've been seeing this and my wife has at her work email lately. I figure there must be an exploit they are trying to use.
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
reply to koam
said by koam :said by La Luna :I'm insulted, I haven't received one of these emails... You're insulted? All my spam is about my small cock.
So is mine....and I don't even have one, I guess they think I must know someone who needs help, lol....
Seriously, these spammers are a joke, I can't imagine that anyone would fall for the blatant spam (as opposed to the more *creative* stuff), but sadly, I guess they do or the spammers wouldn't be bothered.
-- ~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~
 mq8
join:2007-08-17 Orlando, FL
reply to daveinpoway I've been getting plenty of it for the past couple weeks. Within the past couple days, I've noticed a couple of formats for it:
quote: I`m in hurry, but i still love you... (as you can see on the ecard) »24.xx.xx.32/
quote: Good day.
Your Neighbor has sent you birthday card from ecard4all.com.
Click on your birthday card link below:
»24.xx.xx.58/
Copyright (c) 1997-2007 ecard4all.com All Rights Reserved
quote: Hi. Class mate has sent you an ecard. See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
»24.xx.xx.22/?ea95523893748ae5680c1a02b54ce75
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
We hope you enjoy your awesome card.
Wishing you the best, Postmaster, greetingcard.org
Gooiool May God bless you. Premium join:2006-11-27 Roland, OK
reply to astirusty
said by astirusty :said by La Luna :I'm insulted, I haven't received one of these emails, in either my primary ISP email account or my gmail account (I get tons of spam in gmail daily, but none of those "cards"). Just so you don't feel left out, I can "bounce" you several I have gotten. Just post your e-mail address and I will get right on it.
A big ol' lol for that !
-- As always thank you Gooiool ©2005.Team Discovery Please join us in the fight against cancer and juvenile diseases. Project Hope
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
reply to koam
said by koam :said by La Luna :I'm insulted, I haven't received one of these emails... You're insulted? All my spam is about my small cock.
That would be a chick!