New Run of Greeting Card Trojans
<someone> has created <adjective> card for you at <greeting card company>. To see your custom <adjective> card, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box): <Malicious IP address>
Send a FREE greeting card from <greeting card company> whenever you want by visiting us at: http://<greeting card company>.com/
This service is provided and hosted by <greeting card company>.
Observed subject lines and <adjectives> include:
Animated card
Love postcard
Thank you postcard
Birthday e-card
Animated e-card
Funny card
Holiday ecard
Musical e-card
Observed <greeting card company> list includes:
e-cards.com
free-e-cards-online.com
regards.com
postcards.org
egreetings.com
funnygreetings.net
2000greetings.com
1lovecards.com
Note: the above greeting card companies are being spoofed and are themselves victims, as their names are being used by the attackers for nefarious purposes (i.e. to trick recipients into believing the cards are legitimate).
The link included in the greeting card scam points to a web page which reads in part:
"To view your ecard, you need to have Microsoft Data Access installed on your computer.
To obtain a free copy of Microsoft Data Access, please click here."
That link points to msdataaccess.exe, detected by antivirus scanners as a variant of the so-called Storm worm (aka Nuwar, Zhelatin, Peacomm) family of Trojans and worms. If opened, the Trojan drops spooldr.exe to the Windows folder and drops spooldr.sys to the <system> folder (typically, C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP/Vista). It also modifies <system>\drivers\tcpip.sys. It tries to disable/bypass a large number of security products, joins a peer-to-peer botnet and gets ready to receive commands from a wide range of IP addresses involved in the P2P botnet (currently at least 233, according to PC Tools' ThreatExpert).
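As an added example (not part of the diary), a small Python triage check that scores an incoming message against the lure pattern described above: the "has created ... card for you at" wording, the observed subject lines and spoofed brands, and the tell-tale link to a bare IP address rather than the brand's own domain. The sample messages and the 192.0.2.10 address are constructed for the example.

```python
import re
from email import message_from_string

# Spoofed brands and subject lines observed in the campaign (as listed in the diary).
SPOOFED_BRANDS = {"e-cards.com", "free-e-cards-online.com", "regards.com", "postcards.org",
                  "egreetings.com", "funnygreetings.net", "2000greetings.com", "1lovecards.com"}
OBSERVED_SUBJECTS = {"animated card", "love postcard", "thank you postcard", "birthday e-card",
                     "animated e-card", "funny card", "holiday ecard", "musical e-card"}
URL_HOST_RE = re.compile(r"https?://([^\s/]+)", re.I)
BARE_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
LURE_RE = re.compile(r"has created (?:an? )?.{0,40}?(?:card|postcard|e-?card) for you at ([\w.-]+)", re.I)

def classify(raw_message: str) -> dict:
    """Triage a single-part plain-text RFC 2822 message for the greeting-card lure."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    body = msg.get_payload()
    hosts = [h.lower() for h in URL_HOST_RE.findall(body)]
    ip_links = [h for h in hosts if BARE_IPV4_RE.match(h)]
    lure = LURE_RE.search(body)
    brand = lure.group(1).lower().strip(".,") if lure else None
    indicators = []
    if subject in OBSERVED_SUBJECTS:
        indicators.append("subject line matches an observed lure subject")
    if lure:
        indicators.append("body uses the 'has created ... card for you at' template")
    if brand in SPOOFED_BRANDS:
        indicators.append(f"claims to come from {brand}, a brand the campaign spoofs")
    if ip_links:
        indicators.append("card link points at a bare IP address, not the brand's domain")
    # A genuine e-card service links to its own domain; the lure pairs card wording with a raw IP.
    suspicious = bool(ip_links) and (lure is not None or subject in OBSERVED_SUBJECTS)
    return {"suspicious": suspicious, "brand": brand, "ip_links": ip_links,
            "indicators": indicators}

# Constructed samples; 192.0.2.10 is a documentation (TEST-NET-1) placeholder, not a real address.
SAMPLE_LURE = """\
Subject: Birthday e-card

Your friend has created a Birthday e-card for you at e-cards.com. To see your custom
Birthday e-card, simply click on the following Internet address: http://192.0.2.10/
Send a FREE greeting card from e-cards.com whenever you want by visiting us at:
http://e-cards.com/
"""
SAMPLE_BENIGN = """\
Subject: Funny card

Alice has created a Funny card for you at egreetings.com. View it at:
http://egreetings.com/view?id=12345
"""
```

Run `classify(SAMPLE_LURE)` and `classify(SAMPLE_BENIGN)` to see the two verdicts; only the message whose card link is a bare IP is flagged, even though both use the card wording and a brand from the spoofed list.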


Comments
How do you remove this virus?
I just got this – it is currently pointed to (link removed) – which looks to be an SBC system. But SBC is not providing any obvious method of reporting fraud on their network.
On the other hand, if I want to talk to them about buying some service, they’re all over that.
I got the email greeting card virus on July 26th and can’t get rid of it with 3 virus protections on my computer. How can I get rid of it?
First and foremost, if you have got this virus or others… consider contacting your anti-virus providers. These toxic files shouldn’t have even made it past your anti-virus software to your computer’s hard-drive. However, it is quite possible those viruses were “in the wild” at the point of contamination. Variants are also a problem.
I would suggest a free online viral check from each of the major anti-virus providers, such as Norton, Trend, and others. Usually, those free services will also help to clean up the damage.
Secondly, if using a newer Windows OS… you can use the ‘Restore’ feature to travel back in time, before infection by maybe a day back or so. Then, clean up the system restore points until the “safe day”.
I was only tricked once in the past, but that one occurrence had certainly taught me to think-before-opening an attachment or link. Needless to say, I don’t accept any attachments in my e-mails any longer. If I must, I will download them onto my desktop to pass rigorous scanning before I attempt to open something deemed vital.
Bottom line – contact any major anti-virus vendor for help to remove the said virus. Most would be happy to lend a hand, promoting their business sense.
Above all, make sure your OS is updated with all patches/hot fixes.
Good luck and surf safe.
Spamming isn’t usually funny, but this online comic talks about the Storm worm:
http://www.itgumbo.com/mumbogumbo/2007/09/spammorists_already_winning.php