Tuesday, December 04, 2007 8:13 AM
cmosby
Symantec Security Response Weblog: Xmas eCard Spam - Malicious Downloader
Xmas eCard Spam - Malicious Downloader
'Tis the season of exchanging greetings, what with Thanksgiving and Xmas rounding out the year's end. Unfortunately, malicious code writers are on the job trying to exploit these occasions by sending out mass spam email greeting cards with attractive and fancy links that serve the purpose of downloading malicious files to a victim's computer.
These eCards are purportedly sent from a legitimate source and try to lure the victim into clicking the link to view the eCard, which uses underlying tricks to try to infect the computer. With the Xmas bells starting to ring, here is the first instance of Xmas eCards doing the rounds. The URL included in the eCards attempts to download a file named "sos385.tmp", which is a downloader.
In the sample below, the "From:" header alias displays an eCard from a well-known company; however, it is of course a spoofed header. The spammer has also deliberately inserted the text "(no worm , no virus)" inside the mail body to mislead the victim and entice them to click on the link.
Sample email:
To: [Removed]
Subject: This is my one-off Xmase-card for you ^_^ Very nice
From: ***** Ecard !!! XXXXX@*mail.com
Date: Sat, 17 Nov 2007 05:11:16 -0600
Reply-To:
Mail body:
http://uklotttery.us/?id=ecard << This is my one-off Xmase-card for you ^_^ Very nice
(no worm , no virus)
Please be aware of this and other suspicious emails that are circulating. Do not open any links in emails that have been sent from a sender that you do not know; in fact, it is often best if you don't even open an email if you do not recognize the sender and are not expecting the email in the first place.
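The traits called out in the sample (a brand in the "From:" alias that does not match the sending address, a link that leads off that brand's domains, and the "(no worm , no virus)" reassurance) can be turned into a simple mail-filter heuristic. The sketch below is an added example, not code from Symantec or the original post; the brand name, the allow-list, the addresses and the *.example hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the redacted message in the post. The brand,
# addresses and *.example hosts are placeholders, not values from the post.
SAMPLE = """\
To: user@recipient.example
Subject: This is my one-off Xmase-card for you ^_^ Very nice
From: "ExampleCards Ecard !!!" <xxxxx@freemail.example>
Date: Sat, 17 Nov 2007 05:11:16 -0600

http://ecard-host.example/?id=ecard << This is my one-off Xmase-card for you
(no worm , no virus)
"""

# Hypothetical allow-list: brand word in a display name -> domains it really uses.
BRAND_DOMAINS = {"examplecards": {"examplecards.example"}}
REASSURANCE = re.compile(r"\bno\s+(worm|virus|trojan|spyware|malware)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def on_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the given domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_ecard(raw):
    """Return the names of the heuristics that fire for one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text message assumed
    name, addr = parseaddr(msg.get("From", ""))
    hits = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in name.lower():
            continue
        # Alias names a brand, but the address is not on the brand's domain.
        if not on_domain(addr.rpartition("@")[2], domains):
            hits.append("from-alias-mismatch")
        # Mail claims the brand, yet a link leads somewhere else entirely.
        if any(not on_domain(h, domains) for h in URL_HOST.findall(body)):
            hits.append("link-off-brand")
    # Legitimate senders rarely volunteer that a message is not malware.
    if REASSURANCE.search(body):
        hits.append("reassurance-phrase")
    return hits

if __name__ == "__main__":
    print(score_ecard(SAMPLE))
```

Each hit is a signal to weigh together with the others, not a verdict on its own; a message that trips all three, like the constructed sample, is a strong candidate for quarantine.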
Posted by Jitender Sarda on December 4, 2007 05:00 AM
Source: Symantec Security Response Weblog: Xmas eCard Spam - Malicious Downloader
Filed under: Security and Anti-Virus, Internet Hacks, Spam\Phishing