*You have a postcard* e-mails - been a while

Duh_OZ

Haven't received any postcard/greeting card e-mails since November.
Got a few today from either hxxp://uhavepostcard.com/ or hxxp://happycards2008.com/
Subject was Happy New Years, or some variant.

Both sites instructed you to download a file called happy-2008.exe

Submitted to VT in the AM:

Antivirus          Version        Last Update  Result
AhnLab-V3          2007.12.26.10  2007.12.26   -
AntiVir            7.6.0.46       2007.12.26   TR/Rootkit.Gen
Authentium         4.93.8         2007.12.26   -
Avast              4.7.1098.0     2007.12.26   Win32:Zhelatin-ASX
AVG                7.5.0.516      2007.12.25   -
BitDefender        7.2            2007.12.26   DeepScan:[email protected]
CAT-QuickHeal      9.00           2007.12.25   -
ClamAV             0.91.2         2007.12.26   Trojan.Zhelatin
DrWeb              4.44.0.09170   2007.12.26   Trojan.Spambot.2386
eSafe              7.0.15.0       2007.12.25   -
eTrust-Vet         31.3.5400      2007.12.24   -
Ewido              4.0            2007.12.26   -
FileAdvisor        1              2007.12.26   -
Fortinet           3.14.0.0       2007.12.26   -
F-Prot             4.4.2.54       2007.12.25   -
F-Secure           6.70.13030.0   2007.12.26   -
Ikarus             T3.1.1.15      2007.12.26   -
Kaspersky          7.0.0.125      2007.12.26   -
McAfee             5192           2007.12.24   -
Microsoft          1.3109         2007.12.26   Backdoor:WinNT/Nuwar.B!sys
NOD32v2            2747           2007.12.25   probably a variant of Win32/Fuclip
Norman             5.80.02        2007.12.26   -
Panda              9.0.0.4        2007.12.25   Suspicious file
Prevx1             V2             2007.12.26   Stormy:Worm-All Variants
Rising             20.24.21.00    2007.12.26   -
Sophos             4.24.0         2007.12.26   -
Sunbelt            2.2.907.0      2007.12.21   -
Symantec           10             2007.12.26   Trojan.Peacomm
TheHacker          6.2.9.168      2007.12.22   -
VBA32              3.12.2.5       2007.12.26   -
VirusBuster        4.3.26:9       2007.12.26   -
Webwasher-Gateway  6.6.2          2007.12.26   Trojan.Rootkit.Gen
 
Gabriela Salvisberg

On Wed, 26 Dec 2007 19:46:48 -0800, Duh_OZ wrote:
Haven't received any postcard/greeting card e-mails since November. Got
a few today from either hxxp://uhavepostcard.com/ or
hxxp://happycards2008.com/ Subject was Happy New Years, or some variant.

Both sites instructed you to download a file called happy-2008.exe

Submitted to VT in the AM:

But that's strange:
F-Secure 6.70.13030.0 2007.12.26 "-" ???

It's strange, because at least they should know about it, since they
started blogging about that:
http://www.f-secure.com/weblog/

Gabriela
 
Dustin Cook

Haven't received any postcard/greeting card e-mails since November.
Got a few today from either hxxp://uhavepostcard.com/ or
hxxp://happycards2008.com/ Subject was Happy New Years, or some
variant.

Both sites instructed you to download a file called happy-2008.exe

Nice...I can't get either site to send me anything tho. If you still have
that file, I'd certainly like a copy. :)

--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: (e-mail address removed)
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
 
Buffalo

Dustin Cook said:
Nice...I can't get either site to send me anything tho. If you still have
that file, I'd certainly like a copy. :)

Dustin,

I dl'd the file "happynewyear2008.exe" from "uhavepostcard.com" about 1/2
hour ago and my Norton 12/26/07 did not pick it up nor did SuperAntiSpyware
Core:3370 Trace:1365. I did not open it. I tried to send it to you, Dustin,
but your bughunter gmail addy didn't work.
However, I sent it to virustotal and here are the results:
Antivirus          Version        Last Update  Result
AhnLab-V3          2007.12.29.11  2007.12.29   -
AntiVir            7.6.0.46       2007.12.30   TR/Crypt.XDR.Gen
Authentium         4.93.8         2007.12.30   W32/StormWorm.U
Avast              4.7.1098.0     2007.12.30   Win32:Zhelatin-ASX
AVG                7.5.0.516      2007.12.30   Dropper.Generic.TNQ
BitDefender        7.2            2007.12.30   Trojan.Peed.IRM
CAT-QuickHeal      9.00           2007.12.29   -
ClamAV             0.91.2         2007.12.30   -
DrWeb              4.44.0.09170   2007.12.30   Trojan.Spambot.2556
eSafe              7.0.15.0       2007.12.27   -
eTrust-Vet         31.3.5412      2007.12.29   -
Ewido              4.0            2007.12.30   -
FileAdvisor        1              2007.12.30   -
Fortinet           3.14.0.0       2007.12.30   W32/Tibs.G@mm
F-Prot             4.4.2.54       2007.12.29   -
F-Secure           6.70.13030.0   2007.12.30   Email-Worm:W32/Zhelatin.PS
Ikarus             T3.1.1.15      2007.12.30   Trojan.Peed.IRM
Kaspersky          7.0.0.125      2007.12.30   Email-Worm.Win32.Zhelatin.pv
McAfee             5195           2007.12.28   W32/Nuwar@MM
Microsoft          1.3109         2007.12.30   Backdoor:Win32/Nuwar.gen!A
NOD32v2            2757           2007.12.30   Win32/Nuwar.BE
Norman             5.80.02        2007.12.28   -
Panda              9.0.0.4        2007.12.30   Suspicious file
Prevx1             V2             2007.12.30   Stormy:Worm-All Variants
Rising             20.24.52.00    2007.12.29   -
Sophos             4.24.0         2007.12.30   Mal/Dorf-H
Sunbelt            2.2.907.0      2007.12.30   -
Symantec           10             2007.12.30   Trojan.Peacomm.D
TheHacker          6.2.9.175      2007.12.29   -
VBA32              3.12.2.5       2007.12.29   -
VirusBuster        4.3.26:9       2007.12.30   Trojan.DL.Tibs.JO
Webwasher-Gateway  6.6.2          2007.12.30   Trojan.Crypt.XDR.Gen
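The two VirusTotal listings in this thread (Duh_OZ's from Dec 26 and Buffalo's from Dec 30) are the kind of thing worth diffing by script rather than by eye: which vendors detect, which ones only flag heuristically, and which names are just aliases of the same family. The script below is an added example, not code from either poster. It parses the plain "Vendor Version Date Result" rows as posted (a subset of each listing is embedded here, copied from the two posts), and the alias table (Zhelatin, Nuwar, Peacomm, Tibs, Dorf, Peed, Storm) is my own list of well-known vendor names for the Storm family, not something stated in the thread.

```python
"""Parse VirusTotal vendor listings of the plain-text form posted in this
thread and compare two of them: detection ratio, who gained/lost detection,
and how many detections name the Storm family vs a generic signature."""
import re
from collections import Counter
from dataclasses import dataclass

DATE_RE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

# Rows copied from Duh_OZ's Dec 26 listing (happy-2008.exe), subset only.
SCAN_DEC26 = """
Antivirus Version Last Update Result
AntiVir 7.6.0.46 2007.12.26 TR/Rootkit.Gen
Avast 4.7.1098.0 2007.12.26 Win32:Zhelatin-ASX
AVG 7.5.0.516 2007.12.25 -
ClamAV 0.91.2 2007.12.26 Trojan.Zhelatin
F-Secure 6.70.13030.0 2007.12.26 -
Kaspersky 7.0.0.125 2007.12.26 -
McAfee 5192 2007.12.24 -
Microsoft 1.3109 2007.12.26 Backdoor:WinNT/Nuwar.B!sys
NOD32v2 2747 2007.12.25 probably a variant of Win32/Fuclip
Panda 9.0.0.4 2007.12.25 Suspicious file
Sophos 4.24.0 2007.12.26 -
Symantec 10 2007.12.26 Trojan.Peacomm
"""

# Rows copied from Buffalo's Dec 30 listing (happynewyear2008.exe), same vendors.
SCAN_DEC30 = """
AntiVir 7.6.0.46 2007.12.30 TR/Crypt.XDR.Gen
Avast 4.7.1098.0 2007.12.30 Win32:Zhelatin-ASX
AVG 7.5.0.516 2007.12.30 Dropper.Generic.TNQ
ClamAV 0.91.2 2007.12.30 -
F-Secure 6.70.13030.0 2007.12.30 Email-Worm:W32/Zhelatin.PS
Kaspersky 7.0.0.125 2007.12.30 Email-Worm.Win32.Zhelatin.pv
McAfee 5195 2007.12.28 W32/Nuwar@MM
Microsoft 1.3109 2007.12.30 Backdoor:Win32/Nuwar.gen!A
NOD32v2 2757 2007.12.30 Win32/Nuwar.BE
Panda 9.0.0.4 2007.12.30 Suspicious file
Sophos 4.24.0 2007.12.30 Mal/Dorf-H
Symantec 10 2007.12.30 Trojan.Peacomm.D
"""

# Assumed alias list: well-known vendor names for the Storm family (not from the thread).
STORM_ALIASES = ("zhelatin", "nuwar", "peacomm", "storm", "tibs", "dorf", "peed")
# Assumed markers of a generic/heuristic verdict rather than a family name.
GENERIC_HINTS = ("gen", "generic", "suspicious", "probably", "variant", "heur")


@dataclass(frozen=True)
class Row:
    vendor: str
    version: str
    updated: str
    result: str  # "-" means the vendor returned no detection


def parse_listing(text):
    """Return {vendor: Row}. Vendor names carry no spaces, the result may, so
    split into at most four fields and validate the date column."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("antivirus"):
            continue  # blank or the column header
        parts = line.split(None, 3)
        if len(parts) < 3 or not DATE_RE.fullmatch(parts[2]):
            continue  # not a vendor row (stray quoted text, etc.)
        result = parts[3].strip() if len(parts) == 4 else "-"
        rows[parts[0]] = Row(parts[0], parts[1], parts[2], result)
    return rows


def detecting(rows):
    """Vendors whose result is anything other than '-'."""
    return {v for v, r in rows.items() if r.result != "-"}


def classify(result):
    """'none', 'storm' (names a known alias), 'generic' (heuristic), or 'other'."""
    r = result.lower()
    if r == "-":
        return "none"
    if any(a in r for a in STORM_ALIASES):
        return "storm"
    if any(h in r for h in GENERIC_HINTS):
        return "generic"
    return "other"


def family_summary(rows):
    return dict(Counter(classify(r.result) for r in rows.values()))


def compare(before, after):
    """Which vendors started or stopped detecting between two listings."""
    a, b = detecting(before), detecting(after)
    return {
        "gained": sorted(b - a),
        "lost": sorted(a - b),
        "ratio_before": (len(a), len(before)),
        "ratio_after": (len(b), len(after)),
    }


if __name__ == "__main__":
    before, after = parse_listing(SCAN_DEC26), parse_listing(SCAN_DEC30)
    print(compare(before, after))
    print("Dec 26:", family_summary(before), " Dec 30:", family_summary(after))
```

The interesting lines in the output are the vendors in `lost` (ClamAV had a Zhelatin signature on the 26th and nothing on the 30th, which is what a server-side re-obfuscated sample looks like) and the `generic` bucket, which is the "Suspicious file" / "probably a variant" verdicts the thread treats as detections but which tell you nothing about the family.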
 
Buffalo

Dustin said:
Nice...I can't get either site to send me anything tho. If you still
have that file, I'd certainly like a copy. :)

I use NSW Professional2003 and have just manually installed the latest def
dated 12/30/2007 and it does NOT recognize the "happynewyear2008.exe" file I
downloaded from "uhavepostcard.com". I had also tried it with the 12/26/2007
defs with no luck.
Why doesn't NSW2003Pro recognize it? Is the 'engine' not working?
I keep hearing that the Norton engine gets updated automatically with
LiveUpdate.
However, my AVG free does recognize it. ( I use a dual-boot system Win2000
with NSW and Win98SE with AVG Free).
No, I did not open the .exe file.
 
Dustin Cook

I use NSW Professional2003 and have just manually installed the latest
def dated 12/30/2007 and it does NOT recognize the
"happynewyear2008.exe" file I downloaded from "uhavepostcard.com". I
had also tried it with the 12/26/2007 defs with no luck.

I'm sure they'll be adding detection for it soon.
However, my AVG free does recognize it. ( I use a dual-boot system
Win2000 with NSW and Win98SE with AVG Free).

AVG's information is either more up to date, or AVG lucked out and had a
better family signature than NSW is using.



--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: (e-mail address removed)
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
 
Dustin Cook

Dustin,

I dl'd the file "happynewyear2008.exe" from "uhavepostcard.com" about
1/2 hour ago and my Norton 12/26/07 did not pick it up nor did
SuperAntiSpyware Core:3370 Trace:1365. I did not open it. I tried to
send it to you, Dustin, but your bughunter gmail addy didn't work.

I appreciate your efforts, however, special care has to be taken when
emailing them to me or they will bounce. :( My site has specific
instructions.
--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: (e-mail address removed)
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
 
Buffalo

Dustin said:
I'm sure they'll be adding detection for it soon.


Well, the VirusTotal site says that Symantec did recognize it with its
30Dec07 defs, and also with its 26Dec07 defs.
So what I'm concerned about is if the NSW2003Pro engine is working or not.
Anyways, thanks for your response. :)
 
Virus Guy

Buffalo said:
I use NSW Professional2003 and have just manually installed
the latest def dated 12/30/2007 and it does NOT recognize
the "happynewyear2008.exe" file I downloaded from
"uhavepostcard.com". I had also tried it with the 12/26/2007
defs with no luck.

I've experienced variable detection success with NAV-2002 and the
various happy-this.exe or happy-that.exe files.

I've just downloaded the manual version of the Intelligent Updater and
installed it. It brought the definitions up to today's date (Dec 31,
1 am) and it can detect a few more of them, but not a very recent one
I downloaded within the past hour. However, Symantec (version 10) on
VT does detect it.

So I think that either there is a difference between Symantec
Anti-virus (Version 10) and Norton Anti-Virus, or that maybe the VT
site uses definition updates that are possibly updated every hour (in
the case of Symantec) and not available to the general public.
I keep hearing that the Norton engine gets updated
automatically with LiveUpdate.

I think that's still the case - but when it comes to these polymorphic
viruses, Norton/Symantec does not have a robust detection method and
must rely upon more basic information about the particular viral
files.

Or perhaps Symantec Corporate version is more "capable" than the
Norton version when the same updater package is applied to both.

By the way, when I visit those various sites, I'm not being prompted
to download the file - I have to click on the link to download them.
Is everyone else seeing that behavior?

I'm also not being prompted to run any active-x components either.
I'm thinking that the server is seeing my browser ID string and maybe
my OS type and is deciding not to actively send anything my way... ?
 
Dustin Cook

Virus Guy said:
I've experienced variable detection success with NAV-2002 and the
various happy-this.exe or happy-that.exe files.

I've just downloaded the manual version of the Intelligent Updater and
installed it. It brought the definitions up to today's date (Dec 31,
1 am) and it can detect a few more of them, but not a very recent one
I downloaded within the past hour. However, Symantec (version 10) on
VT does detect it.

So I think that either there is a difference between Symantec
Anti-virus (Version 10) and Norton Anti-Virus, or that maybe the VT
site uses definition updates that are possibly updated every hour (in
the case of Symantec) and not available to the general public.


I think that's still the case - but when it comes to these polymorphic
viruses, Norton/Symantec does not have a robust detection method and
must rely upon more basic information about the particular viral
files.

They aren't viral, and aren't polymorphic on their own. Server side does
obfuscate them, but they're still trojans.. worms at best.

In this case tho, I haven't seen Storm morph into a real worm. It's still
trying to hijack system services. hehehe.
By the way, when I visit those various sites, I'm not being prompted
to download the file - I have to click on the link to download them.
Is everyone else seeing that behavior?

Lately, I've had to click the link too. They won't autosend to me. I
tried turning NoScript off to see if it made any difference and it
hasn't so far.
I'm also not being prompted to run any active-x components either.
I'm thinking that the server is seeing my browser ID string and maybe
my OS type and is deciding not to actively send anything my way... ?

Good possibility.




--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: (e-mail address removed)
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt
 
Duh_OZ

Collection of URLs so far - forgot to note the file names associated
with each D'OH

hxxp://uhavepostcard.com/ 12/25/07
hxxp://happycards2008.com/ 12/26/07
hxxp://newyearcards2008.com/ 12/27/07
hxxp://newyearwithlove.com/ 12/28/07 - 12/29/07
hxxp://familypostcards2008.com/ 12/29/07 - 12/30/07
hxxp://freshcards2008.com/ 12/30/07
hxxp://happysantacards.com/ 12/31/07
hxxp://hellosanta2008.com/ 12/31/07
http://happy2008toyou.com/ 12/31/07
 
ed

Duh_OZ said:
Collection of URLs so far - forgot to note the file names associated
with each D'OH

hxxp://uhavepostcard.com/ 12/25/07
hxxp://happycards2008.com/ 12/26/07
hxxp://newyearcards2008.com/ 12/27/07
hxxp://newyearwithlove.com/ 12/28/07 - 12/29/07
hxxp://familypostcards2008.com/ 12/29/07 - 12/30/07
hxxp://freshcards2008.com/ 12/30/07
hxxp://happysantacards.com/ 12/31/07
hxxp://hellosanta2008.com/ 12/31/07
hxxp://happy2008toyou.com/ 12/31/07
The last link is a valid http, not hxxp.
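The slip ed points out (one entry posted as a live http:// link instead of hxxp://) is exactly what a small normaliser catches before a list like this gets pasted into a blocklist or forwarded. The script below is an added example, not something either poster wrote; it parses Duh_OZ's list as posted, keeps the date ranges, flags any entry that was left live, and re-emits everything defanged in the thread's own hxxp:// convention. The two-digit years are assumed to be 20xx.

```python
"""Normalise a hand-kept campaign URL list ("hxxp://host/ m/d/yy[ - m/d/yy]")
into indicator records, flagging entries that were posted as live links."""
import re
from dataclasses import dataclass
from datetime import date

# Copied from Duh_OZ's post above, including the one undefanged entry.
URL_LIST = """
hxxp://uhavepostcard.com/ 12/25/07
hxxp://happycards2008.com/ 12/26/07
hxxp://newyearcards2008.com/ 12/27/07
hxxp://newyearwithlove.com/ 12/28/07 - 12/29/07
hxxp://familypostcards2008.com/ 12/29/07 - 12/30/07
hxxp://freshcards2008.com/ 12/30/07
hxxp://happysantacards.com/ 12/31/07
hxxp://hellosanta2008.com/ 12/31/07
http://happy2008toyou.com/ 12/31/07
"""

LINE_RE = re.compile(
    r"^(?P<scheme>hxxps?|https?)://(?P<host>[^/\s]+)/?\s+"
    r"(?P<first>\d{1,2}/\d{1,2}/\d{2})"
    r"(?:\s*-\s*(?P<last>\d{1,2}/\d{1,2}/\d{2}))?\s*$"
)


@dataclass(frozen=True)
class Indicator:
    host: str
    first_seen: date
    last_seen: date
    was_live: bool  # True if the source line used http:// rather than hxxp://

    def defanged(self):
        """Re-emit in the thread's own convention: hxxp:// scheme, host, slash."""
        return "hxxp://" + self.host + "/"


def _mdy(s):
    """Parse m/d/yy; assumes the two-digit year is 20yy (assumption, not from the post)."""
    m, d, y = (int(x) for x in s.split("/"))
    return date(2000 + y, m, d)


def parse_indicators(text):
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        first = _mdy(m["first"])
        last = _mdy(m["last"]) if m["last"] else first
        out.append(Indicator(m["host"].lower(), first, last,
                             m["scheme"].lower().startswith("http")))
    return out


def live_entries(indicators):
    """Hosts that were pasted as clickable links and need defanging."""
    return [i.host for i in indicators if i.was_live]


def active_on(indicators, mdy):
    """Hosts whose observed date range covers the given m/d/yy day."""
    day = _mdy(mdy)
    return [i.host for i in indicators if i.first_seen <= day <= i.last_seen]


if __name__ == "__main__":
    inds = parse_indicators(URL_LIST)
    for i in inds:
        flag = "  <-- was posted live" if i.was_live else ""
        print(f"{i.defanged():35} {i.first_seen} .. {i.last_seen}{flag}")
    print("live:", live_entries(inds))
```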
 
Ant

Dustin Cook said:
Good possibility.

It's been the case before where what you get depends on the user-agent
string. They're not doing it in this campaign, nor are they packing
the executables.
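Virus Guy, Dustin and Ant are all circling the same question: is the server handing out different pages depending on the User-Agent string? The quickest way to settle that for any given site is to fetch the same URL with several agent strings and compare hashes of the bodies. The script below is an added example, not code from anyone in the thread. Because the campaign domains are long gone, it includes a constructed local toy server that cloaks on "MSIE" so the probe has something to run against; the agent strings are my own examples.

```python
"""Fetch one URL under several User-Agent strings and compare the bodies.
Includes a constructed local server that cloaks on the UA so this runs
offline; it is a stand-in, not one of the campaign sites."""
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed agent strings: an old IE, a Firefox of the period, and a bare fetcher.
AGENTS = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ff2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) "
           "Gecko/20070914 Firefox/2.0",
    "curl": "curl/7.16.4",
}


class CloakingHandler(BaseHTTPRequestHandler):
    """Toy server: shows the 'card' download link only to an IE-looking agent."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        if "MSIE" in ua:
            body = b'<html><a href="/happy-2008.exe">View your card</a></html>'
        else:
            body = b"<html>Page not found</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the console quiet
        pass


def start_server():
    """Bind the toy server to a free loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(host, port, path, ua, timeout=5):
    """Plain HTTP GET with only the User-Agent varied (bypasses proxy settings)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": ua})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fingerprint(host, port, path="/", agents=AGENTS):
    """Return {label: (sha256 of body, body length)} for each agent string."""
    out = {}
    for label, ua in agents.items():
        _, body = fetch(host, port, path, ua)
        out[label] = (hashlib.sha256(body).hexdigest(), len(body))
    return out


def is_cloaked(fps):
    """True if at least two agent strings got different bodies."""
    return len({digest for digest, _ in fps.values()}) > 1


if __name__ == "__main__":
    srv, port = start_server()
    try:
        fps = fingerprint("127.0.0.1", port)
        for label, (digest, n) in fps.items():
            print(f"{label:5} {n:5d} bytes  {digest[:16]}")
        print("cloaking on User-Agent:", is_cloaked(fps))
    finally:
        srv.shutdown()
```

Against a real site you would point `fingerprint` at the host instead of the toy server, and it is worth repeating the probe from a second source address, since the same comparison catches geolocation- and IP-based cloaking that a User-Agent swap alone would miss.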
 
Buffalo

Virus said:
I've experienced variable detection success with NAV-2002 and the
various happy-this.exe or happy-that.exe files.

I've just downloaded the manual version of the Intelligent Updater and
installed it. It brought the definitions up to today's date (Dec 31,
1 am) and it can detect a few more of them, but not a very recent one
I downloaded within the past hour. However, Symantec (version 10) on
VT does detect it.

So I think that either there is a difference between Symantec
Anti-virus (Version 10) and Norton Anti-Virus, or that maybe the VT
site uses definition updates that are possibly updated every hour (in
the case of Symantec) and not available to the general public.


I think that's still the case - but when it comes to these polymorphic
viruses, Norton/Symantec does not have a robust detection method and
must rely upon more basic information about the particular viral
files.

Or perhaps Symantec Corporate version is more "capable" than the
Norton version when the same updater package is applied to both.

By the way, when I visit those various sites, I'm not being prompted
to download the file - I have to click on the link to download them.
Is everyone else seeing that behavior?

I'm also not being prompted to run any active-x components either.
I'm thinking that the server is seeing my browser ID string and maybe
my OS type and is deciding not to actively send anything my way... ?

When I got the 01/02/2008 defs in my NSW2003Pro, it finally detected them.
VirusTotal says that the 12/25/2007 Symantec detected them, but my
12/30/2007 defs did not. I guess that Symantec must give different
preference to their Corporate defs and NSWpro defs.
It took approx. 8 days longer for NSW.
I am amazed that it took so long. Even my Free AVG detected them by
12/30/2007.
 
