
Clicking the spammed link takes you to a page claiming that you need to update your Flash player to view the card.

However, the cab file that downloads is actually malicious and installs a variant of Small.lu (aka ntos or the Monster Trojan), a very nasty data-stealing trojan. In fact, this variant of Small.lu is even more dangerous than the ones seen before, because it uses a rootkit to hide itself on the infected machine.


The American Greetings page is convincing, and the ActiveX install is signed (which only tells you who signed it, not that it is safe to run).


Very poor detection (4 out of 32 scanners) of the cab file itself (VirusTotal result here), and poor detection (5 out of 32 scanners) of the actual binary, “update.exe” (VirusTotal result here). (We will have detection in CounterSpy for this Trojan in short order.)
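When the scanners come back mostly clean, the next cheapest check is to look at what the cab actually carries before anything gets run. The script below is an added example and not part of the original post: it parses the fixed CFHEADER, CFFOLDER and CFFILE structures of the Microsoft cabinet format to list the contained files, flags executable-looking names, and, for an uncompressed folder, peeks at the stored bytes for an MZ header. The sample cabinet it builds, the file name update.exe and the suspicious-extension list are constructed for the example, not taken from the campaign described above.

```python
import struct
from typing import Dict, List, Tuple

# Layouts from the Microsoft cabinet (MS-CAB) format.
CFHEADER_FMT = "<4sIIIIIBBHHHHH"  # 36-byte fixed part of CFHEADER
CFFOLDER_FMT = "<IHH"             # coffCabStart, cCFData, typeCompress
CFFILE_FMT = "<IIHHHH"            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA_FMT = "<IHH"               # csum, cbData, cbUncomp
FLAG_RESERVE_PRESENT = 0x0004     # cfhdrRESERVE_PRESENT: per-structure reserve areas follow
ATTR_NAME_IS_UTF = 0x0080
COMPRESSION_NAMES = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}
# Assumed triage heuristic: extensions a "Flash update" cab has no business carrying.
SUSPICIOUS_EXT = (".exe", ".dll", ".scr", ".com", ".pif")


def _cstring(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a NUL-terminated name; return (name, offset just past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def list_cab(buf: bytes) -> Dict:
    """Enumerate the files a cabinet claims to contain without extracting it."""
    if len(buf) < 36 or buf[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (_sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, buf, 0)
    off = 36
    reserve_folder = reserve_data = 0
    if flags & FLAG_RESERVE_PRESENT:
        cb_header, reserve_folder, reserve_data = struct.unpack_from("<HBB", buf, off)
        off += 4 + cb_header
    folders: List[Dict] = []
    for _ in range(c_folders):
        start, n_blocks, ctype = struct.unpack_from(CFFOLDER_FMT, buf, off)
        folders.append({"start": start, "blocks": n_blocks, "type": ctype & 0xF,
                        "compression": COMPRESSION_NAMES.get(ctype & 0xF, hex(ctype))})
        off += 8 + reserve_folder
    files: List[Dict] = []
    off = coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = struct.unpack_from(CFFILE_FMT, buf, off)
        name, off = _cstring(buf, off + 16)
        if attribs & ATTR_NAME_IS_UTF:
            name = name.encode("latin-1").decode("utf-8", "replace")
        entry = {"name": name, "size": cb_file, "folder": i_folder,
                 "compression": "continued", "looks_like_pe": False,
                 "suspicious": name.lower().endswith(SUSPICIOUS_EXT)}
        if i_folder < len(folders):  # 0xFFFD..0xFFFF mean the folder spans cabinets
            fld = folders[i_folder]
            entry["compression"] = fld["compression"]
            # Only for stored (uncompressed) data in the folder's first block can we
            # read the file's leading bytes directly from the CFDATA payload.
            if fld["type"] == 0 and fld["blocks"] >= 1:
                _csum, cb_data, _cb_uncomp = struct.unpack_from(CFDATA_FMT, buf, fld["start"])
                data_off = fld["start"] + 8 + reserve_data
                block = buf[data_off:data_off + cb_data]
                entry["looks_like_pe"] = block[uoff:uoff + 2] == b"MZ"
        files.append(entry)
    return {"declared_size": cb_cabinet, "actual_size": len(buf),
            "version": (ver_major, ver_minor), "files": files}


def build_sample_cab(name: bytes, payload: bytes) -> bytes:
    """Constructed sample: a single-folder, uncompressed cabinet holding one file."""
    cffile = struct.pack(CFFILE_FMT, len(payload), 0, 0, 0, 0, 0x20) + name + b"\x00"
    cfdata = struct.pack(CFDATA_FMT, 0, len(payload), len(payload)) + payload
    coff_files = 36 + 8                      # header + one CFFOLDER
    coff_data = coff_files + len(cffile)     # first CFDATA block follows the file list
    total = coff_data + len(cfdata)
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, total, 0, coff_files, 0,
                         3, 1, 1, 1, 0, 0x1234, 0)
    folder = struct.pack(CFFOLDER_FMT, coff_data, 1, 0)
    return header + folder + cffile + cfdata


if __name__ == "__main__":
    sample = build_sample_cab(b"update.exe", b"MZ\x90\x00" + b"\x00" * 12)
    for f in list_cab(sample)["files"]:
        print(f)
```

Run it against a real download with `list_cab(open(path, "rb").read())`. A mismatch between `declared_size` and `actual_size`, a folder index that resolves to "continued" with no companion cabinet, or an executable name inside something advertised as a player update are all reasons to stop and look closer rather than to click through the install prompt.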

Alex Eckelberry
(Thanks Adam)