W32/Nuwar@MM: It's Raining Postcards!
Friday June 29, 2007 at 8:21 am CST
Posted by Vinoo Thomas
McAfee Avert Labs has observed a spurt in the number of spam emails that entice users into visiting sites hosting exploits that would result in a drive-by download. With administrators filtering executable attachments at the mail gateway and most email clients preventing a user from opening an executable attachment, virus authors are constantly improvising to stay ahead in the game.
Social engineering, the oldest trick in the book, together with the fatal combination of human stupidity and curiosity, provides ample fodder for virus authors to lure new victims; the innumerable newbie users of the internet are the low-hanging fruit.
The latest spam doing the rounds contains all the elements of this tried and tested plot. A user receives an email titled “You’ve received a postcard from a family member!” in his inbox and is asked to open the link in the message body to view the virtual postcard. What greets the user on visiting the link is a cocktail of browser and application exploits that attempts a drive-by install of malware on the user's machine. A copy of the spammed email with the malicious link sanitized is as follows:

Most internet users are unaware that one can get infected merely by visiting a malicious website, without any user intervention whatsoever. To add to these woes, thousands of legitimate sites are being compromised and abused to infect unsuspecting users.
Each infected machine becomes a spam zombie, receiving the content to spam via a P2P protocol and relaying thousands of emails per minute. Displayed is a screenshot of an internal honeypot capture of an infected machine spewing spam. One can see tens of mails being sent every second.

With the average home computer having better bandwidth and processing power these days, the volume of spam that can be generated by a network of compromised zombie machines can be mind-boggling. McAfee Avert Labs users are protected against this threat at the gateway level by McAfee SpamKiller, Secure Internet Gateway, Secure Messaging Gateway, and at the desktop level by McAfee VirusScan products using the latest definitions.

June 30th, 2007 at 7:33 pm
The subject line has been morphing. I’ve seen:
You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partner!
You’ve received a greeting card from a school friend!
You’ve received a greeting card from a school mate!
You’ve received a greeting card from a school-mate!
You’ve received a greeting card from a worshipper!
You’ve received a greeting ecard from a admirer!
You’ve received a greeting ecard from a class mate!
You’ve received a greeting ecard from a class-mate!
You’ve received a greeting ecard from a colleague!
You’ve received a greeting ecard from a family member!
You’ve received a greeting ecard from a friend!
You’ve received a greeting ecard from a mate!
You’ve received a greeting ecard from a neighbor!
You’ve received a greeting ecard from a neighbour!
You’ve received a greeting ecard from a partner!
You’ve received a greeting ecard from a school friend!
You’ve received a greeting ecard from a school mate!
You’ve received a greeting ecard from a school-mate!
You’ve received a greeting ecard from a worshipper!
You’ve received a greeting postcard from a admirer!
You’ve received a greeting postcard from a class mate!
You’ve received a greeting postcard from a class-mate!
You’ve received a greeting postcard from a colleague!
You’ve received a greeting postcard from a family member!
You’ve received a greeting postcard from a friend!
You’ve received a greeting postcard from a mate!
You’ve received a greeting postcard from a neighbor!
You’ve received a greeting postcard from a neighbour!
You’ve received a greeting postcard from a partner!
You’ve received a greeting postcard from a school friend!
You’ve received a greeting postcard from a school mate!
You’ve received a greeting postcard from a school-mate!
You’ve received a greeting postcard from a worshipper!
You’ve received a postcard from a admirer!
You’ve received a postcard from a class mate!
You’ve received a postcard from a class-mate!
You’ve received a postcard from a colleague!
You’ve received a postcard from a family member!
You’ve received a postcard from a friend!
You’ve received a postcard from a mate!
You’ve received a postcard from a neighbor!
You’ve received a postcard from a neighbour!
You’ve received a postcard from a partner!
You’ve received a postcard from a school friend!
You’ve received a postcard from a school mate!
You’ve received a postcard from a school-mate!
You’ve received a postcard from a worshipper!
You’ve received an ecard from a admirer!
You’ve received an ecard from a class mate!
You’ve received an ecard from a class-mate!
You’ve received an ecard from a colleague!
You’ve received an ecard from a family member!
You’ve received an ecard from a friend!
You’ve received an ecard from a mate!
You’ve received an ecard from a neighbor!
You’ve received an ecard from a neighbour!
You’ve received an ecard from a partner!
You’ve received an ecard from a school friend!
You’ve received an ecard from a school mate!
You’ve received an ecard from a school-mate!
You’ve received an ecard from a worshipper!
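The subject lines listed in the comment above follow one template (five card types times fourteen sender roles), so a mail filter can match the template instead of seventy literal strings. The sketch below is an added example, not code from McAfee or from the commenter; the function names and the sample inbox are constructed for illustration.

```python
import re
import unicodedata

# Vocabulary copied from the subject lines listed in the comment above.
CARD_TYPES = ["greeting card", "greeting ecard", "greeting postcard", "postcard", "ecard"]
SENDERS = ["admirer", "class mate", "class-mate", "colleague", "family member",
           "friend", "mate", "neighbor", "neighbour", "partner", "school friend",
           "school mate", "school-mate", "worshipper"]

def _alt(phrases):
    # Space and hyphen are interchangeable and optional: "class mate" / "class-mate".
    pats = {r"[\s-]?".join(re.split(r"[\s-]", p)) for p in phrases}
    # Also accept "e card" / "e-card", a spelling reported in a later comment.
    pats = {p.replace("ecard", r"e[\s-]?card") for p in pats}
    return "|".join(sorted(pats, key=len, reverse=True))

SUBJECT_RE = re.compile(
    rf"^you've received an? (?:{_alt(CARD_TYPES)}) from an? (?:{_alt(SENDERS)})\W*$"
)

def normalize(subject):
    # Fold typographic apostrophes, case and runs of whitespace before matching.
    s = unicodedata.normalize("NFKC", subject)
    s = s.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", s).strip().lower()

def is_postcard_lure(subject):
    return SUBJECT_RE.match(normalize(subject)) is not None

def listed_subjects():
    # Rebuild the 5 x 14 = 70 subjects from the comment, typographic apostrophe included.
    out = []
    for card in CARD_TYPES:
        article = "an" if card.startswith("e") else "a"
        out += [f"You\u2019ve received {article} {card} from a {s}!" for s in SENDERS]
    return out

# Constructed sample inbox (not captured mail); the last three are benign or off-template.
SAMPLE = [
    "You've received a greeting ecard from a School mate!",
    "YOU'VE RECEIVED  AN E CARD FROM A WORSHIPPER.",
    "You've received a payment from a customer!",
    "Quarterly report attached",
    "Your friend has sent you a card.",
]

if __name__ == "__main__":
    print(sum(map(is_postcard_lure, listed_subjects())), "of 70 listed subjects matched")
    for subj in SAMPLE:
        print(is_postcard_lure(subj), subj)
```

The last sample, a subject reported in the final comment on this page, falls outside the template and is not matched, which is why a subject rule works only as one signal alongside gateway scanning.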
July 3rd, 2007 at 1:28 pm
I am getting pretty confused. I believe a virus hit us (we are a library) on Friday. My boss received an email that said “You’ve received a virtual postcard from a family member” and she opened it and clicked the link. Next thing we know she is getting error messages saying that our virtual memory is too full and she should click a certain button to try to fix it. We got bombarded by Internet Explorer windows, over 65. Every time we would try to close the windows we got error messages “this program is not responding click ok to terminate the program,” followed by Error reporting requests. I finally did a firewall lockdown which seemed to stop the reproductions of Internet Explorer windows that kept opening up. Then I did a close group on the taskbar and got it all stopped but I can’t find anything out of place and the antivirus isn’t detecting anything so how do I fix this? I did a system restore to two days prior to the date infected and thought it was fixed until my boss told me that the computer is acting up when she tried to send an email and everything froze up on her. Do you or anyone reading this have any idea what I am dealing with? The only other computer we have that has McAfee has now been infected, I think this computer passed whatever the problem is to the other computer. Please help, we really need our computers.
July 4th, 2007 at 12:20 am
I am also receiving emails that I have inherited some money. Is this the same as these postcard mails?
July 5th, 2007 at 6:31 pm
Kena, find a local PC technician to have a look at your systems. They can very likely be cleaned and returned (mostly) to their prior state. It’s pretty important to educate the people that use these systems (as I’m sure you now know) what sorts of threats to look out for; the rule of thumb is: if you have any doubts whatsoever about a suspicious email or web site, delete or close it immediately.
July 7th, 2007 at 5:23 pm
I’m glad I searched Google and found this site being at the top of my search results! I’m not opening this thing and I feel sorry for those who are victimized by it. I almost opened it, thinking that it is going to a web page and that I was not opening a file that might have a virus in it.
Thanks again & I hope more people will find this site and not be victims! Thanks for being here!!!, Dave
July 7th, 2007 at 7:25 pm
I’ve received one with “bluemountain.com” in the “from” field.
July 9th, 2007 at 7:22 am
What if someone clicked on the first link? McAfee said it found a trojan virus and deleted it. But when I clicked on the more info on what it found, the message there said it couldn’t delete it because it was write protected. Yet I can’t find the file. I’ve updated McAfee to the latest DAT and rerun it, and also ran Ad-Aware, Spybot and AVG and nothing is detected. How can I be sure it’s been deleted or not? I’m afraid it’s still there, as when I was loading AVG, the hard drive started going crazy. Any clues on what to look for would be appreciated.
July 10th, 2007 at 12:23 pm
Mine came with Hallmark.com as the supposed sender. Same headline
You’ve received an e card from a worshipper.
July 10th, 2007 at 7:40 pm
Mary, the exact thing happened to me. I stupidly opened the e-mail but clicked cancel at the download prompt. Then a Norton window popped up and said it had taken care of the virus. I don’t know if Norton actually did get rid of the virus or if that was part of the virus. Can someone please tell me how to find out if I am infected and if so, how I can get rid of the virus ASAP?
July 11th, 2007 at 2:51 am
You’ve received a greeting ecard from a School mate! This was the subject of the email I received and I was very apprehensive about opening and I searched in Google, well my suspicions did come true. To be honest I almost fell for this trick, these guys sending these mails are really clever. And for people who clicked on the link and fell victim, please be careful in future.
July 11th, 2007 at 5:37 am
I have this virus. My computer keeps rebooting and then sending out mass emails till it overloads itself. Where can I find a “fix” for this virus?
July 12th, 2007 at 5:08 am
So how do I get rid of these spam besides creating a Rule to block these messages?
July 13th, 2007 at 11:57 am
I received the one from worshipper… I have TrendMicro installed - and it saw the virus come in.. but it didn’t stop it completely. It affected my ie, and would crash it constantly. (some seem to be affected differently..???)
so, first trend micro did find the virus and kill it.. but I still had the ie crashing problem. I used XP’s system restore function.. and set my system to the day before I received the virus. And it worked! only wish I had thought of this sooner as I dealt with the crashing for almost 10 days!!!!!
Amazing part - I have probably received another 30 or so of these greeting card messages.. all pretending to be from different card sites - just like the others are mentioning. I never would have opened it in the first place if I had not received it from a site I (thought) I knew - and on my anniversary!
July 16th, 2007 at 11:38 am
I received a greeting card from a worshipper at work. It was the day of my birthday. Fortunately my anti-virus programme spotted that there was a virus attached. So, I was lucky!
July 24th, 2007 at 11:00 am
Have received many such phony greetings, AND also messages purportedly from McAfee VirusScan, e.g.:
McAfee VirusScan E-mail Scan has detected a potential threat in this e-mail sent by “funnypostcard.com” with the subject You’ve received a greeting ecard …!. This e-mail has been quarantined. We strongly recommend that you report this suspect activity.to “funnypostcard.com” .
SHOULD WE REPORT THE ACTIVITY TO THE SENDER AS DIRECTED????
July 24th, 2007 at 1:52 pm
I’ve been getting an e mail that says this in various forms and it is purportedly from McAfee
McAfee VirusScan E-mail Scan has detected a potential threat in this e-mail
sent by “mypostcards.com” with the subject
You’ve received a greeting ecard from a Family member!.
This e-mail has been quarantined.
We strongly recommend that you report this suspect activity.
to “mypostcards.com” .
July 24th, 2007 at 5:08 pm
Not sure, as it is sending message directly back to the sender.
July 26th, 2007 at 4:10 am
I received the email “You received an ecard from a worshipper” and stupidly opened it to see the postcard. Now my computer has the virus and I need a solution to fix it and restore my computer to normal. Can someone please get back to me ASAP and let me know what to do.
Thanks,
Ruth
August 4th, 2007 at 4:01 pm
I received the email, “123greetings.com You received an ecard from a family member.” I opened the email, but I was suspicious since no name was mentioned, so I did NOT open the card. I have not been having any problems, except that when I open my email account, I get a warning that some outsider may be trying to intercept the connection. I always choose to cancel the connection, but I am worried that someone may be reading my emails or stealing my files. I have cleaned my hard drive, but what can I do to make sure that my computer is safe and not infected?
August 27th, 2007 at 6:18 am
Thank you for letting me know but I still don’t know how to correct this problem.
September 6th, 2007 at 1:15 pm
I just received this email on the third of September. It was from mayer96@rseden.org and the title was
Your friend has sent you a card.
I didn’t open it, figuring it was this. Thanks for letting me know!