eCard worm: The new batch!
After a brief period of inactivity, eCard-themed spam mails seem to be back in action. As usual, these mails carry links to malware masquerading as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):
This eCard malware is a mIRC-based backdoor, and most AV products detect it. The dropper is actually a WinRAR SFX file; the following screenshot shows the files bundled in the dropper:
When run, the dropper installs an mIRC client and also adds a WH_KEYBOARD message hook to log keystrokes. The mIRC client tries to establish connections with the remote servers 89.46.165.197 and 210.51.167.75. An automated analysis of this malware is available at ThreatExpert.
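Since the dropper is a WinRAR SFX file, a quick static triage check is to look for a RAR archive appended after the executable's last PE section. The sketch below is an added example, not code from the original post; the function names and the `build_sample_pe` test image are constructed for illustration, and the check is a heuristic that says nothing about what the archive contains.

```python
import struct

# RAR archive markers: RAR 4.x and RAR 5.x
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

def pe_overlay_offset(data):
    """File offset where the last PE section's raw data ends, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # start of the section table
    end = table + 40 * nsections              # each section header is 40 bytes
    if end > len(data):
        return None
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of a section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def rar_sfx_offset(data):
    """Offset of a RAR marker in the PE overlay (SFX heuristic), or None."""
    start = pe_overlay_offset(data)
    if start is None:
        return None
    hits = [h for h in (data.find(m, start) for m in RAR_MAGICS) if h != -1]
    return min(hits) if hits else None

def build_sample_pe(overlay=b""):
    """Constructed one-section PE image for the demo; not a real sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\0" * 16
    return dos + coff + sect + b"\x90" * 0x10 + overlay             # overlay at 0x90

if __name__ == "__main__":
    for name, blob in [("plain exe", build_sample_pe()),
                       ("sfx-like", build_sample_pe(RAR_MAGICS[0] + b"\0" * 8))]:
        off = rar_sfx_offset(blob)
        print(name, "->", "no RAR overlay" if off is None else f"RAR marker at 0x{off:x}")
```

An executable that reaches users as a "greeting card" and carries a RAR overlay is worth unpacking in a sandbox before anything else.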




















