SANS Internet Storm Center
Riding out yet Another Storm Wave

Sadly, you won't need a surfboard for this one.  Just to give you a
heads up: a new round of emails with malicious links is making its way
to many folks' inboxes.  If you haven't gotten one yet, just give it
time.  Here is a quick summary of what we have found.

The subject lines in the samples we have received have all been
identical.  You may have gotten something else.

"Subject: You've received a postcard from a family member!"

The following is an excerpt from the email body.  (WARNING:  Do NOT

    Click on the following Internet address or
    copy & paste it into your browser's address box.

    Copy & paste the ecard number in the "View Your Card" box at

    Your ecard number is

The ecard number in the URL above varies across spam samples.

Several additional examples for pattern freaks :):


The website hosts an interesting piece of JavaScript that appears to try several different browser exploits in order to compromise the system.  If JavaScript is enabled, you get:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7, a downloader that in turn fetches:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

If JavaScript is disabled, they instead provide a handy link for you to click on and exploit yourself; that gets you ecard.exe (MD5: 30051dc10636730e4d6402ef8e88fd04).  Here is what a user would see:

 "We are currently testing a new browser feature. If you are not able to
view this ecard, please click here to view in its original format."
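The two delivery paths above boil down to a handful of indicators: the subject line, the ecard-number phrasing in the body, and the three file hashes. The following Python helper is an added example, not code from the diary: it flags a raw RFC 5322 message whose subject or body matches the lure text quoted above, and identifies a captured binary by the MD5/SHA1 values this diary lists. The message embedded at the end is constructed for illustration (placeholder addresses; the real URL and ecard number are not reproduced).

```python
import email
import hashlib
from email import policy
from typing import List, Optional

# Indicators taken from the samples described in this diary.
LURE_SUBJECT = "You've received a postcard from a family member!"
LURE_PHRASES = (
    'Copy & paste the ecard number in the "View Your Card" box',
    "Your ecard number is",
)

# Hashes of the three binaries named in the diary, with the role each plays.
KNOWN_MD5 = {
    "07276fce39282fd182757d2557f9eca7": "tm.exe (downloader served via JavaScript)",
    "4aa22564a0b886226d8cf14456a598ab": "logi.exe (second stage fetched by tm.exe)",
    "30051dc10636730e4d6402ef8e88fd04": "ecard.exe (served on the no-JavaScript path)",
}
KNOWN_SHA1 = {
    "05368309bf89a78d680e239f58ec39bb0f8963b6": "ecard.exe (served on the no-JavaScript path)",
}


def lure_indicators(raw_message: bytes) -> List[str]:
    """Return the lure indicators found in one raw RFC 5322 message.

    An exact subject match is reported as "subject"; each body phrase that
    matches is reported verbatim.  An empty list means nothing matched.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        hits.append("subject")
    # Prefer the text/plain part; fall back to HTML if that is all there is.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hits.extend(phrase for phrase in LURE_PHRASES if phrase in text)
    return hits


def classify_sample(data: bytes) -> Optional[str]:
    """Name the binary if its MD5 or SHA1 is one of the hashes in this diary."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return KNOWN_MD5.get(md5) or KNOWN_SHA1.get(sha1)


# Constructed test message, not a real sample: sender and recipient are
# placeholders, and the URL and ecard number are left out as in the diary.
SAMPLE_EMAIL = b"""From: ecard@example.invalid
To: victim@example.invalid
Subject: You've received a postcard from a family member!
Content-Type: text/plain; charset="us-ascii"

Click on the following Internet address or
copy & paste it into your browser's address box.

Copy & paste the ecard number in the "View Your Card" box at

Your ecard number is
"""

if __name__ == "__main__":
    print("lure indicators:", lure_indicators(SAMPLE_EMAIL))
    print("hash match:", classify_sample(b"not one of the samples"))
```

Point `lure_indicators` at each message in a quarantine mailbox and `classify_sample` at anything pulled from a proxy cache or a user's download folder; an exact hash match is the strongest signal, while a subject-only hit should be read together with the body phrases because the subject is the part the spammers are most likely to rotate.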

Here is a listing of just a handful of the tens to hundreds of thousands
of infected home systems.  Every Storm-infected system is potentially
capable of hosting the malware and sending the spam, but only a few will
be used in any given spam run, depending on how many emails the operators
want sent and how many web hits they expect.  Note the country/network
diversity and the predominance of broadband providers (data courtesy of
Team Cymru; addresses and prefixes omitted):

AS    | IP | BGP Prefix | CC | Registry | AS Name
5603  |    |            | SI | ripencc  | SIOL-NET SiOL Internet
29737 |    |            | US | arin     |
16810 |    |            | US | arin     | CAVTEL02 - Cavalier Telephone
7132  |    |            | US | arin     | SBIS-AS - AT&T Internet Svcs/Ameritech
7132  |    |            | US | arin     | SBIS-AS - AT&T Internet Svcs/SBC Global
3320  |    |            | DE | ripencc  | DTAG Deutsche Telekom/
12392 |    |            | BE | ripencc  | ASBRUTELE AS/Brutele SC
21502 |    |            | FR | ripencc  |
18881 |    |            | BR | lacnic   | Global Village Telecom
25515 |    |            | RU | ripencc  | CTCNET-AS Joint-Stock Central Telecom.
8642  |    |            | SE | ripencc  | B2 B2
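The listing above is in the column layout of Team Cymru's IP-to-ASN whois service. As an added example (not the diary's own tooling), the Python below builds the begin/verbose/end batch request that service accepts (an assumption about the service, not something shown on this page), parses a verbose reply by its header line, and tallies hosts per country and per AS so the diversity noted above can be read off a much longer list of bot addresses. The reply embedded in the block is constructed with RFC 5737 documentation addresses, not the real infected hosts.

```python
from collections import Counter
from typing import Dict, List


def cymru_batch_query(ips: List[str]) -> bytes:
    """Build a bulk request for Team Cymru's IP-to-ASN whois service.

    The begin/verbose/end framing is the service's batch format as this
    example assumes it; send the bytes to whois.cymru.com port 43 (for
    example with netcat) and feed the reply to parse_cymru_verbose().
    """
    return ("begin\nverbose\n" + "\n".join(ips) + "\nend\n").encode("ascii")


def parse_cymru_verbose(text: str) -> List[Dict[str, str]]:
    """Turn a pipe-delimited verbose reply into one dict per row.

    Column names come from the header line, so the parser keeps working if
    the service adds or drops a column.  Lines with a different cell count
    (comments, errors) are skipped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = [col.strip() for col in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def summarize(rows: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count hosts per country code and per AS number."""
    return {
        "by_cc": Counter(r["CC"] for r in rows),
        "by_as": Counter(r["AS"] for r in rows),
    }


# Constructed reply in the diary's column layout.  Addresses and prefixes are
# RFC 5737 documentation ranges, not the real infected hosts.
SAMPLE_REPLY = """\
AS    | IP           | BGP Prefix      | CC | Registry | AS Name
5603  | 192.0.2.10   | 192.0.2.0/24    | SI | ripencc  | SIOL-NET SiOL Internet
7132  | 198.51.100.7 | 198.51.100.0/24 | US | arin     | SBIS-AS - AT&T Internet Svcs/Ameritech
7132  | 198.51.100.9 | 198.51.100.0/24 | US | arin     | SBIS-AS - AT&T Internet Svcs/SBC Global
3320  | 203.0.113.5  | 203.0.113.0/24  | DE | ripencc  | DTAG Deutsche Telekom/
"""

if __name__ == "__main__":
    print(cymru_batch_query(["192.0.2.10", "203.0.113.5"]).decode())
    rows = parse_cymru_verbose(SAMPLE_REPLY)
    for name, counts in summarize(rows).items():
        print(name, dict(counts))
```

Keying the AS tally on the AS number rather than the name matters here: the two AT&T rows above carry different AS Name strings but the same AS, and it is the AS that tells you which abuse desk to contact.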

As you can see from the VirusTotal results below, detection is skimpy
at this point: only 7 of the 30 engines flag the file, and most of those
are heuristic or "suspicious" verdicts rather than a family name.  The
key detection name to look for is "Tibs" (aka Storm/Nuwar/Peacomm).

Complete scanning result for "ecard.exe", received by VirusTotal on
06.28.2007 at 21:24:37 (CET).

Antivirus         | Version        | Update     | Result
AhnLab-V3         | 2007.6.27.0    | 06.28.2007 | no virus found
AntiVir           |                | 06.28.2007 | HEUR/Crypted
Authentium        | 4.93.8         | 06.27.2007 | no virus found
Avast             | 4.7.997.0      | 06.27.2007 | no virus found
AVG               |                | 06.28.2007 | no virus found
BitDefender       | 7.2            | 06.28.2007 | no virus found
CAT-QuickHeal     | 9.00           | 06.27.2007 | no virus found
ClamAV            | devel-20070416 | 06.28.2007 | no virus found
DrWeb             | 4.33           | 06.28.2007 | no virus found
eSafe             |                | 06.27.2007 | Suspicious Trojan/Worm
eTrust-Vet        | 30.8.3747      | 06.28.2007 | no virus found
Ewido             | 4.0            | 06.27.2007 | no virus found
FileAdvisor       | 1              | 06.28.2007 | no virus found
Fortinet          |                | 06.28.2007 | no virus found
F-Prot            |                | 06.28.2007 | no virus found
F-Secure          | 6.70.13030.0   | 06.28.2007 | Tibs.gen118
Ikarus            | T3.1.1.8       | 06.28.2007 | no virus found
Kaspersky         |                | 06.28.2007 | no virus found
McAfee            | 5062           | 06.27.2007 | no virus found
Microsoft         | 1.2701         | 06.28.2007 | no virus found
NOD32v2           | 2360           | 06.28.2007 | no virus found
Norman            | 5.80.02        | 06.27.2007 | Tibs.gen118
Panda             |                | 06.28.2007 | Suspicious file
Sophos            | 4.19.0         | 06.24.2007 | no virus found
Sunbelt           | 2.2.907.0      | 06.27.2007 | VIPRE.Suspicious
Symantec          | 10             | 06.28.2007 | no virus found
TheHacker         |                | 06.28.2007 | no virus found
VBA32             |                | 06.27.2007 | no virus found
VirusBuster       | 4.3.23:9       | 06.27.2007 | no virus found
Webwasher-Gateway | 6.0.1          | 06.28.2007 | Heuristic.Crypted

Additional information
File size: 7915 bytes
MD5: 30051dc10636730e4d6402ef8e88fd04
SHA1: 05368309bf89a78d680e239f58ec39bb0f8963b6
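To put a number on "skimpy", here is an added Python example (not from the diary or from VirusTotal) that parses report rows as they are pasted above, either in the raw space-separated layout, where the version column is sometimes missing, or in a pipe-delimited one, and separates heuristic/"suspicious" verdicts from verdicts that actually name a family. The embedded report is the ecard.exe result table from this diary; the list of generic-verdict markers is this example's own assumption about how engines word heuristic hits.

```python
import re
from collections import Counter
from typing import Dict, Optional

DATE_RE = re.compile(r"\d{2}\.\d{2}\.\d{4}")
# Raw report row: engine, optional version, update date (MM.DD.YYYY), result.
LINE_RE = re.compile(r"^(\S+)\s+(?:(\S+)\s+)?(\d{2}\.\d{2}\.\d{4})\s+(.*?)\s*$")
# Substrings that mark a heuristic/packer flag rather than a family name
# (assumed wording, covering the verdicts seen in this report).
GENERIC_MARKERS = ("suspicious", "heur", "crypted", "generic", "packed")


def parse_vt_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one engine row; return None for headers and other non-rows."""
    line = line.strip()
    if "|" in line:                          # pipe-delimited layout
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or not DATE_RE.fullmatch(cells[2]):
            return None
        engine, version, updated, result = cells
    else:                                    # raw space-separated layout
        m = LINE_RE.match(line)
        if not m:
            return None
        engine, version, updated, result = m.groups()
    return {"engine": engine, "version": version or None,
            "updated": updated, "result": result}


def verdict_kind(result: str) -> str:
    """'clean', 'heuristic' or 'named' for one engine's result string."""
    low = result.lower()
    if low == "no virus found":
        return "clean"
    if any(mark in low for mark in GENERIC_MARKERS):
        return "heuristic"
    return "named"


def summarize_report(text: str) -> Dict[str, object]:
    """Detection ratio plus the family names the named verdicts agree on."""
    rows = [r for r in map(parse_vt_line, text.splitlines()) if r]
    kinds = Counter(verdict_kind(r["result"]) for r in rows)
    families = Counter(r["result"].split(".")[0] for r in rows
                       if verdict_kind(r["result"]) == "named")
    detected = kinds["heuristic"] + kinds["named"]
    return {
        "engines": len(rows),
        "detected": detected,
        "ratio": round(detected / len(rows), 2) if rows else 0.0,
        "heuristic": kinds["heuristic"],
        "named_families": families,
    }


# The ecard.exe result table from this diary, in VirusTotal's raw layout.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.6.27.0 06.28.2007  no virus found
AntiVir 06.28.2007 HEUR/Crypted
Authentium 4.93.8 06.27.2007  no virus found
Avast 4.7.997.0 06.27.2007  no virus found
AVG 06.28.2007  no virus found
BitDefender 7.2 06.28.2007  no virus found
CAT-QuickHeal 9.00 06.27.2007  no virus found
ClamAV devel-20070416 06.28.2007  no virus found
DrWeb 4.33 06.28.2007  no virus found
eSafe 06.27.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3747 06.28.2007  no virus found
Ewido 4.0 06.27.2007  no virus found
FileAdvisor 1 06.28.2007  no virus found
Fortinet 06.28.2007  no virus found
F-Prot 06.28.2007  no virus found
F-Secure 6.70.13030.0 06.28.2007 Tibs.gen118
Ikarus T3.1.1.8 06.28.2007  no virus found
Kaspersky 06.28.2007  no virus found
McAfee 5062 06.27.2007  no virus found
Microsoft 1.2701 06.28.2007  no virus found
NOD32v2 2360 06.28.2007  no virus found
Norman 5.80.02 06.27.2007 Tibs.gen118
Panda 06.28.2007 Suspicious file
Sophos 4.19.0 06.24.2007  no virus found
Sunbelt 2.2.907.0 06.27.2007 VIPRE.Suspicious
Symantec 10 06.28.2007  no virus found
TheHacker 06.28.2007  no virus found
VBA32 06.27.2007  no virus found
VirusBuster 4.3.23:9 06.27.2007  no virus found
Webwasher-Gateway 6.0.1 06.28.2007 Heuristic.Crypted
"""

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

The split between heuristic and named verdicts is the useful part: a packer-heuristic hit tells you the file is crypted, nothing more, while the two engines that say "Tibs" give you the name to pivot on in other reports and in your own signature set.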




ISC Handler
Jun 28th 2007