Saturday, January 03, 2009

Happy New Year! Here's a Virus! (New Year's Postcard malware)

I've been busy this week looking at the various defacements (see ComputerWorld, and ABC News) and other cyber attacks (see yesterday's blog) going on against Israel, so I hadn't had a chance to look at my New Years Cards yet!

Sadly, all of my New Years Cards were viruses (although I did get two real Christmas Cards by email.)

The most recent ones I looked at arrived this morning, pointing me to the websites:

I decided to see what computers were currently hosting the website "", because, sure enough, it was hosted with Fast Flux.

were some of the computers which recently hosted this domain name. Next we looked at some of those IPs to see what other domains they had also been hosting:

All of those sites seem to have been distributing malware pretending to be a card. They are all related to each other (based on the fact they resolve to the same hacked computers.)

The New Years site that we visited just now looks like this:

Although that looks like a website, it turns out the entire thing is a single file called "img.jpg". Clicking anywhere on the image causes the same result - you are prompted to download "postcard.exe".

postcard.exe is of course a virus. We submitted the virus to Virus Total, and got this Virus Total Analysis indicating that only 16 of 38 anti-virus products knew this was malware. Most of them called it either a version of "ElDorado", or gave it a new name of "Waledac", the latter being the name used by McAfee, Microsoft, and Symantec.

McAfee has a Nice Technical Report on what Waledac does, but basically it harvests all of the email addresses from your computer, sends them to one of many different machines, downloads some spam templates, and begins sending spam.

McAfee's report is from December 26th, and includes subject lines such as:

Merry Christmas greetings for you
You have received an Ecard
A Christmas card from a friend
Happy Xmas !

The domain names listed in the McAfee report of December 26th are all still live and all still distributing the current version of the virus, which has been modified many times since that report to try to prevent detection. So, visting:

gives you the same virus that visiting the current New Years domains would give you.

I know you are probably getting tired of this advice, but it still applies:


My malware team is still enjoying their vacation. If this is still a threat on Monday, we'll dig deeper to determine if the malware performs other actions.

In the meantime, Happy New Year!

Gary Warner
Director of Research
UAB Computer Forensics
The University of Alabama at Birmingham

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.