Clicking on the spammed link takes you to a page that tells you that you need to update your Flash player to view the card.

However, the cab file that downloads is actually malicious and installs a variant of (aka ntos or Monster Trojan). This is a very nasty data-stealing trojan. In fact, it’s an even more dangerous variant of , as it uses a rootkit to hide.
The American Greetings page is convincing, and the ActiveX install is signed.
Detection of the cab file itself is very poor (4 out of 32 scanners; VT result here), and detection of the actual binary, “update.exe”, is also poor (5 out of 32 scanners; VT result here). (We will have detection in CounterSpy for this Trojan in short order.)
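When a lure like this lands on an analyst's desk, the first questions are what the cab actually carries and what the hashes of those members are, so they can be compared against the scanner results above. The script below is an added example, not code from this post or from Sunbelt: it parses the Microsoft Cabinet structures (CFHEADER, CFFOLDER, CFFILE, CFDATA) directly in Python, reassembles uncompressed folders, and reports each member's size, compression type, SHA-256 and whether it begins with the PE "MZ" magic. The cab it triages is constructed in the script itself; the "update.exe" inside it is a harmless stub that only borrows the file name from the post, and the `build_cab` helper and all sample contents are assumptions for the demonstration.

```python
# Offline triage of a .cab file: list members, hash them, flag PE payloads.
# Added example; the sample cab and its members are constructed here, not the
# malicious cab from the post. Only uncompressed folders are reassembled.
import hashlib
import struct

CFHDR_FMT = "<IIIIIBBHHHHH"   # CFHEADER fields after the 4-byte "MSCF" signature
CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def _cstring(blob, pos):
    """Read a NUL-terminated string; return (text, position after the NUL)."""
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1"), end + 1


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_cab(blob):
    """Return (folders, files). Each folder is (coffCabStart, cCFData, type, bytes-or-None);
    each file is a dict with name, size, folder index, folder-relative offset, attribs."""
    if blob[:4] != b"MSCF":
        raise ValueError("not a CAB file: missing MSCF signature")
    (_, cb_cabinet, _, coff_files, _, _vminor, _vmajor,
     cfolders, cfiles, flags, _setid, _icab) = struct.unpack_from(CFHDR_FMT, blob, 4)
    if cb_cabinet != len(blob):
        raise ValueError("cbCabinet does not match actual size (truncated or padded file)")
    pos = 4 + struct.calcsize(CFHDR_FMT)
    folder_res = data_res = 0
    if flags & CFHDR_RESERVE_PRESENT:        # optional reserve areas in header/folder/data
        header_res, folder_res, data_res = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + header_res
    if flags & CFHDR_PREV_CABINET:           # szCabinetPrev, szDiskPrev
        _, pos = _cstring(blob, pos); _, pos = _cstring(blob, pos)
    if flags & CFHDR_NEXT_CABINET:           # szCabinetNext, szDiskNext
        _, pos = _cstring(blob, pos); _, pos = _cstring(blob, pos)
    folders = []
    for _ in range(cfolders):
        coff_start, ccfdata, tcomp = struct.unpack_from("<IHH", blob, pos)
        pos += 8 + folder_res
        ctype, data = tcomp & 0x000F, None
        if ctype == 0:                       # concatenate the CFDATA blocks of an uncompressed folder
            chunks, p = [], coff_start
            for _ in range(ccfdata):
                _csum, cb_data, _cb_uncomp = struct.unpack_from("<IHH", blob, p)
                p += 8 + data_res
                chunks.append(blob[p:p + cb_data])
                p += cb_data
            data = b"".join(chunks)
        folders.append((coff_start, ccfdata, ctype, data))
    files, pos = [], coff_files
    for _ in range(cfiles):
        cb, uoff, ifolder, _date, _time, attribs = struct.unpack_from("<IIHHHH", blob, pos)
        name, pos = _cstring(blob, pos + 16)
        files.append({"name": name, "size": cb, "folder": ifolder, "offset": uoff, "attribs": attribs})
    return folders, files


def triage(blob):
    """One record per member: name, size, compression, SHA-256 (if extractable) and PE-magic flag."""
    folders, files = parse_cab(blob)
    report = []
    for f in files:
        ctype, data = "unknown", None
        if f["folder"] < len(folders):       # 0xFFFD..0xFFFF mean the file spans another cabinet
            _, _, ct, data = folders[f["folder"]]
            ctype = COMPRESSION.get(ct, "unknown")
        content = None if data is None else data[f["offset"]:f["offset"] + f["size"]]
        report.append({"name": f["name"], "size": f["size"], "compression": ctype,
                       "sha256": sha256_hex(content) if content is not None else None,
                       "pe_magic": bool(content and content[:2] == b"MZ")})
    return report


def build_cab(members):
    """Build a single-folder, uncompressed cab from {name: bytes} (constructed test input)."""
    payload = b"".join(members.values())
    assert len(payload) <= 0x8000, "one CFDATA block holds at most 32 KiB"
    cffiles, off = b"", 0
    for name, data in members.items():       # CFFILE: cbFile, uoffFolderStart, iFolder, date, time, attribs, name
        cffiles += struct.pack("<IIHHHH", len(data), off, 0, 0x4E21, 0, 0x20) + name.encode() + b"\x00"
        off += len(data)
    coff_files = 4 + struct.calcsize(CFHDR_FMT) + 8
    coff_cabstart = coff_files + len(cffiles)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload   # csum 0 = not computed
    header = b"MSCF" + struct.pack(CFHDR_FMT, 0, coff_cabstart + len(cfdata), 0, coff_files, 0,
                                   3, 1, 1, len(members), 0, 0x1234, 0)
    return header + struct.pack("<IHH", coff_cabstart, 1, 0) + cffiles + cfdata


# Constructed sample: "update.exe" is a stub that only starts with the PE magic.
SAMPLE_MEMBERS = {
    "update.exe": b"MZ" + b"\x90" * 62 + b"constructed stub, not a real PE",
    "readme.txt": b"constructed sample cab\n",
}
SAMPLE = build_cab(SAMPLE_MEMBERS)

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

Run it as-is to see the two member records, or call `triage(open("suspect.cab", "rb").read())` on a real cabinet; a member reported with `pe_magic` true and a SHA-256 that no scanner knows yet is exactly the situation the post describes. Cabs whose folders use MSZIP or LZX compression are listed but not hashed by this script, so a `None` hash means "extract with a full decompressor first", not "clean".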

Alex Eckelberry
(Thanks Adam)