Select Page

Faithful blog reader Jack Duggan sent me this little example of greeting card malware:

Date: Tue, 26 Sep 2006 18:37:33 +0000
From: Abigail <[email protected]>
Subject: You’ve got an “e-card” at .greeting-cards.com..
Reply-to: Abigail <[email protected]>
X-Virus-Scanned: by amavisd-new at voltronik.pl
User-Agent: Mozilla 4.73 [en]C-SYMPA  (Win98; U)
Original-recipient: rfc822;[email protected]

Dear recipient !
sender at Abigail sent you an “e-card”
“Here’s the Rub” from ‘greeting-cards’ !
Click_here_to_view_the_”e-card”.

This ecard will be stored for one week, so
print or save the “e-card” as soon as possible.

Hope you enjoy our “e-cards”! Spread the love and send one of our “e-cards”!

Brought to you by ‘greeting cards’ – a better way to greet!

If you happen to click on “Click_here_to_view_the_e-card, you’ll get sent to this site below (made to look like a legitimate greeting card site, but using stolen graphics), which tells you that your flash player is outdated.  If you install this fake flash player, you get two Haxdoor variants — really nasty stuff.  

Greetingcard_0000001

 

Greetingcard_0000002

We were able to access the website where the malware author is counting the installs done using this scam, and we see about 2,500 installs so far on this.  Maybe not a large number, but that’s 2,500 users who may be facing a very unpleasant time.

Alex Eckelberry