Virus spreading through email: You've received A Hallmark E-Card!

Today I received a new suspicious email related to e-cards and postcards online:

Subject: You’ve received A Hallmark E-Card!

Below is the full content of the message:

From: postcards@hallmark.com
Date: Mon, November 17, 2008 3:21 pm
Priority: Normal

You have recieved A Hallmark E-Card. Hello!

You have recieved a Hallmark E-Card from your friend.
To see it, check the attachment. There’s something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

And below are the email headers:

Received: from outbound03.telus.net (outbound03.telus.net [199.185.220.222])
Received: from priv-edtnaa04.telusplanet.net ([142.59.20.61])
by priv-edtnes29.telusplanet.net
(InterMail vM.7.08.02.02 201-2186-121-104-20070414) with ESMTP
id <20081117152405.HNUM5977.priv-edtnes29.telusplanet.net@priv-edtnaa04.telusplanet.net>
for xxxxxxxxxxxxxxxxxxxxxxxxx; Mon, 17 Nov 2008 08:24:05 -0700
Received: from hallmark.com (d142-59-20-61.abhsia.telus.net [142.59.20.61])
by priv-edtnaa04.telusplanet.net (BorderWare Security Platform) with ESMTP

But there is a surprise attached to the email: a ZIP archive named postcard.zip that contains an executable file named postcard.exe:

Screenshot of the executable inside the ZIP archive

Report Generated 19.11.2008 at 2.28.02 (GMT 1)
Filename: postcard.exe
File size: 195 KB
MD5 Hash: DEC558ED05A4E33C7F71769D3832F107
SHA1 Hash: 073EB35EBA241A631F900A67D10D794B25EEB28C
CRC32: 516788017
Application Type: Executable (EXE) 32bit
Packer detected: Microsoft Visual C++ 6.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 10 on 23

Avira AntiVir TR/Dropper.Gen
Avast Win32:Autorun-APG [Wrm]
AVG Trojan horse Dropper.Generic.ADTI
BitDefender DeepScan:Generic.Mydoom.05FFBD97
F-PROT 6 W32/Backdoor2.DJES
G DATA Worm.Win32.AutoRun.shm A
IkarusT3 Generic.Mydoom
Kaspersky Worm.Win32.AutoRun.shm
NOD32 v3 Win32/Injector.DG trojan
Sophos Troj/Agent-IGK
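To show how the attachment check above can be automated, here is an added example (not code from the original post). It constructs a lure-shaped message with a harmless placeholder ZIP containing a file named postcard.exe, walks the MIME parts, opens any ZIP attachment, and flags members that are executable by extension or by the "MZ" magic bytes, fingerprinting each with the same MD5/SHA1/CRC32/size values the report above lists. The extension list is an assumption and not exhaustive.

```python
"""Flag e-mail attachments that are archives wrapping an executable.

Added example: the message built below is constructed with harmless bytes
to mirror the structure of the e-card lure (postcard.zip -> postcard.exe);
it is not the real sample from the post.
"""
import email
import hashlib
import io
import os
import zipfile
import zlib
from email.message import EmailMessage
from email.policy import default

# Extensions Windows runs directly when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_message() -> bytes:
    """Construct a lure-shaped message: text body plus a ZIP holding postcard.exe."""
    msg = EmailMessage()
    msg["From"] = "postcards@hallmark.com"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "You've received A Hallmark E-Card!"
    msg.set_content("To see it, check the attachment.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder content: a DOS "MZ" stub followed by filler, not a real PE file.
        zf.writestr("postcard.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="postcard.zip")
    return msg.as_bytes()


def fingerprint(data: bytes) -> dict:
    """Hashes in the same form the post's report lists them (MD5, SHA1, CRC32, size)."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "size": len(data),
    }


def inspect_attachments(raw: bytes) -> list:
    """Return one finding per archived member that is executable by extension or magic."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload or not name.lower().endswith(".zip"):
            continue
        try:
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append({"archive": name, "member": None, "reason": "corrupt zip"})
            continue
        with archive:
            for info in archive.infolist():
                data = archive.read(info)
                by_ext = os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTENSIONS
                by_magic = data[:2] == b"MZ"  # DOS/PE header, whatever the extension says
                if by_ext or by_magic:
                    finding = {
                        "archive": name,
                        "member": info.filename,
                        "reason": "executable inside archive",
                        "pe_magic": by_magic,
                    }
                    finding.update(fingerprint(data))
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in inspect_attachments(build_sample_message()):
        print(finding)
```

Checking the magic bytes as well as the extension matters because a double extension or a renamed file defeats an extension-only rule; the hashes let you compare a quarantined file against a report like the one above without running it.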

Make sure not to fall for this scam: if you have received similar emails, do not open them, and scan your system with security software.

Always check the email headers: look up the IP address or hostname of the sender and search for it in Google to find out whether it has been reported for malicious activity.
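As an added example of the header check described here and in the headers above (this is not code from the original post), the script below parses the Received chain, takes the last Received header as the originating hop, and compares what the sender claimed (the HELO name and the From domain) with what the receiving server recorded (reverse DNS and IP). The header text is constructed from the post's excerpt, with the recipient kept redacted; the two-label "registered domain" approximation is an assumption for illustration, not a substitute for a proper suffix list or reputation lookup.

```python
"""Find the originating hop in Received headers and flag claim/record mismatches.

Added example constructed from the headers quoted in the post; the heuristics
(last-two-labels domain comparison) are a simplification for illustration.
"""
import email
import re
from email.utils import parseaddr

# Constructed from the post's header excerpt; continuation lines are indented
# as real folded headers are, and the recipient stays redacted.
SAMPLE_HEADERS = """\
Received: from outbound03.telus.net (outbound03.telus.net [199.185.220.222])
Received: from priv-edtnaa04.telusplanet.net ([142.59.20.61])
    by priv-edtnes29.telusplanet.net
    (InterMail vM.7.08.02.02 201-2186-121-104-20070414) with ESMTP
    id <20081117152405.HNUM5977.priv-edtnes29.telusplanet.net@priv-edtnaa04.telusplanet.net>
    for xxxxxxxxxxxxxxxxxxxxxxxxx; Mon, 17 Nov 2008 08:24:05 -0700
Received: from hallmark.com (d142-59-20-61.abhsia.telus.net [142.59.20.61])
    by priv-edtnaa04.telusplanet.net (BorderWare Security Platform) with ESMTP
From: postcards@hallmark.com
Subject: You've received A Hallmark E-Card!

"""

# "from <HELO name> (<reverse DNS> [<IP>])"; the reverse-DNS part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
)


def registered_domain(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_hops(raw: str) -> list:
    """Return one dict (helo, rdns, ip) per Received header, top to bottom."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if match:
            hops.append(match.groupdict())
    return hops


def analyse(raw: str) -> dict:
    """Compare the claimed sender identity with the first recorded hop."""
    hops = parse_hops(raw)
    if not hops:
        return {"origin_ip": None, "flags": ["no parseable Received headers"]}
    # Servers prepend Received headers, so the last one is the earliest hop.
    origin = hops[-1]
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    rdns = origin["rdns"] or ""
    flags = []
    if rdns and registered_domain(origin["helo"]) != registered_domain(rdns):
        flags.append("HELO name does not match reverse DNS of the connecting IP")
    if rdns and from_domain and registered_domain(rdns) != from_domain:
        flags.append("From domain does not match the originating host's domain")
    return {
        "origin_ip": origin["ip"],
        "helo": origin["helo"],
        "rdns": rdns,
        "from_domain": from_domain,
        "flags": flags,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_HEADERS))
```

On the post's headers this reports origin 142.59.20.61 with HELO "hallmark.com" but reverse DNS under telus.net, which is the mismatch a manual header check would spot; the IP it isolates is the one to look up in a reputation service or search engine, as the paragraph above suggests.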
