Postcard.exe - Let the mutations begin

Published: 2006-12-30
Last Updated: 2006-12-30 18:51:06 UTC
by Brian Granier (Version: 1)
0 comment(s)
At this time, we have received one report from reader Thomas who reports having seen variants of the email containing the postcard.exe attachment as previously reported. These variants may be changing the subject lines, but are definately changing the executable name. Reported name variants are "greeting card.exe", "greeting postcard.exe" and "GreetingCard.exe". I have been unable to independantly validate whether or not this variation is now widespread and the AV sites don't seem to be mentioning it yet. Write in and let us know if you're seeing these variants as well and send in samples if you can so we can determine if it's just a renamed version of the original or if there's other changes occuring in the code as well.

Update UTC1655: Several respondants have confirmed the behavior reported by Thomas. Known variations are as follows:

postcard.exe
Postcard.exe
greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

Subject lines appear to be changing with a much larger bank of possibilities. I anticipate AV vendors will begin to ducment this. A list was provided by reader Diego. This is a good start, but most likely partial:

Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year!

Update UTC1845:

Reader Ken sent a note about two snort rules that are triggering against emails associated with this virus. The first rule can not be published here as it is a licensed rule under vrt license, which can be obtained from snort.org. Specifically it is used for detecting netsky attachments and has a sid of 9425.

The other rule, however, is public domain. Here it is:
VIRUS OUTBOUND bad file attachment

alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment";flow:to_server,established;content:"Content-Disposition|3A|";
<BR>>nocase;pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])
(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)
|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR";
classtype:suspicious-filename-detect;sid:721;rev:8;)


Keywords:
0 comment(s)

Comments


Diary Archives