New Storm Worm - Features Dangerous Animated E-card Links

3 replies to this topic

#1 harrywaldron (Security Reporter)

Posted 14 August 2007 - 01:11 PM

Below are recent samples (with all URLs made safer) of email that should be deleted. The numerical links found in these messages may trigger an AUTOMATIC download and install of a very malicious copy of the Nuwar worm. This family of viruses is among the most advanced malware circulating using rootkit, botnet, polymorphism, and other techniques.

AV Protection may or may not be available for these new leading edge variants. It's always advisable to never click on URLs or attachments whenever possible in email messages - even in those which may appear to be safe.

==========================================

From: *********
To: Harry
Subject: Movie-quality e-card
Date: Mon, 13 Aug 2007 10:27:08 -0400

Mother() has created Movie-quality e-card for you at perfectgreetings.com.

To see your custom Movie-quality e-card, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?bd9a4815755ec21d93815f9518b32f6c9fb697

Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: hxxp://perfectgreetings.com/

This service is provided and hosted by perfectgreetings.com.


==========================================


From: *********
To: Harry 
Subject: Animated postcard 
Date: Tue, 14 Aug 2007 12:40:40 +0200 

School-mate() has created Animated postcard for you at greetingsisland.com.

To see your custom Animated postcard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?23407b969d2b1d96eb463c6da46ca

Send a FREE greeting card from greetingsisland.com whenever you want by visiting us at: hxxp://greetingsisland.com/

This service is provided and hosted by greetingsisland.com



==========================================


From: *********
To: Harry
Subject: Greeting ecard
Date: Tue, 14 Aug 2007 02:53:35 -0400

Uncle() has created Greeting ecard for you at hallmark.com.

To see your custom Greeting ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?42a6de1712445fd9c2b5

Send a FREE greeting card from hallmark.com whenever you want by visiting us at: hxxp://hallmark.com/

This service is provided and hosted by hallmark.com.
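As an added defender-side example (not part of the original post), the following Python check flags e-card messages of the kind quoted above: it extracts the links, flags any whose host is a bare numeric IP address or does not match the greeting-card site the message claims to come from, and notes the opaque hex token used as the query string. The sample message, IP address and token are constructed placeholders, not indicators from the thread.

```python
import re
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape of the e-card spam quoted in this thread.
# The IP address (a documentation range) and the token are made-up placeholders.
SAMPLE_ECARD = """Subject: Movie-quality e-card

Mother() has created Movie-quality e-card for you at perfectgreetings.com.

To see your custom Movie-quality e-card, simply click on the following Internet address:

http://192.0.2.10/?bd9a4815755ec21d93815f9518b32f6c9fb697

Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: http://perfectgreetings.com/
"""

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
# "<Relation>() has created <card type> for you at <site>." is the template used by every sample.
CLAIM_RE = re.compile(r"has created .+? for you at ([\w.-]+\.\w+)", re.IGNORECASE)

def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def extract_urls(body: str) -> list[str]:
    """Pull every http(s)/hxxp(s) link from the body, undoing hxxp defanging so urlsplit can parse it."""
    return [re.sub(r"^hxx", "htt", u, flags=re.IGNORECASE).rstrip(".,)") for u in URL_RE.findall(body)]

def analyse_ecard(body: str) -> dict:
    """Compare each link host against the site the message claims and collect the reasons it looks wrong."""
    claim = CLAIM_RE.search(body)
    claimed = claim.group(1).lower() if claim else None
    findings = []
    for url in extract_urls(body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if is_ip_literal(host):
            reasons.append("link host is a bare IP address")
        elif claimed and host and host != claimed and not host.endswith("." + claimed):
            reasons.append(f"link host {host} does not match claimed site {claimed}")
        # The samples carry a long hex-only query string with no key=value pairs at all.
        if re.fullmatch(r"[0-9a-f]{16,}", parts.query, re.IGNORECASE):
            reasons.append("opaque hex token as query string")
        if reasons:
            findings.append({"url": url, "host": host, "reasons": reasons})
    return {"claimed_site": claimed, "suspicious": findings, "verdict": "suspicious" if findings else "clean"}
```

A mail gateway rule built on the same two signals (IP-literal link host plus a mismatch with the named card site) would catch all three samples in this post without needing a signature for the binary itself.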


#2 dfence

Posted 14 August 2007 - 04:41 PM

hmmmm I did receive one of these, and coincidentally the "name" used as the sender of the "postcard" was someone I knew. In trying to click the link, IE6 errored out to its standard "Cannot find page check that ........ blah blah blah". So I then checked the name of the site and did find what appeared to be a legitimate web-based greeting card site; after several attempts I gave up on the thing, contacted my friend, who subsequently denied any knowledge, so I deleted the email.

All my security devices have not detected anything, my PC seems as it always seems, but thank you for the heads-up; I shall be a lot more careful.

#3 harrywaldron (Security Reporter, Topic Starter)

Posted 16 August 2007 - 10:12 AM

Below are recent links on the latest "animated e-card variants".

One point of concern comes from AVERT Labs on the constant repackaging of Nuwar to evade AV detections EVERY FEW MINUTES. No wonder AV vendors are in the 30% detection range, as Nuwar is constantly mutating in an automated fashion.

A few years ago, security researchers speculated on the "super worm" that would constantly mutate so that AV detection strings couldn't keep pace with in-the-wild copies circulating. Unfortunately, we're getting closer to seeing this prediction come true.

AVERT LABS - Keeping up with Nuwar
http://www.avertlabs.com/research/blog/ind...-up-with-nuwar/

Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them ...


F-Secure - Zhelatin gang changing tactics
http://www.f-secure.com/weblog/archives/ar...7.html#00001249

Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out. The messages have not contained an attachment, but just links to web sites that offer a download of one ecard.exe to your machine. Since last night, the messages have changed. You still get the normal greeting card spam. But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer ...


WebSense Alert on new storm worm
http://www.websense.com/securitylabs/alert...php?AlertID=792

#4 harrywaldron (Security Reporter, Topic Starter)

Posted 17 August 2007 - 01:08 PM

hmmmm I did receive one of these, and coincidentally the "name" used as the sender of the "postcard" was someone I knew. In trying to click the link, IE6 errored out to its standard "Cannot find page check that ........ blah blah blah". So I then checked the name of the site and did find what appeared to be a legitimate web-based greeting card site; after several attempts I gave up on the thing, contacted my friend, who subsequently denied any knowledge, so I deleted the email.


Hi DFence ... As this version of Nuwar uses malicious websites, the numerical site you selected may have been taken offline (e.g., many security firms work with authorities and server hosting sites to take these offline where they can). Unfortunately the e-card social engineering is so well done that it almost fooled me the first time I got one of these a couple of months ago.
