View Full Version : Careful with Christmas.exe - IRCBot variant

2006-12-23, 20:10
Geez. Will it ever stop... 'guess not:

- http://www.f-secure.com/weblog/archives/archive-122006.html#00001057
December 23, 2006
"We've just received a sample of something that's called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net. As a decoy, it shows this Christmas-themed image... Obviously, a gift that keeps on giving. To be avoided."

(Screenshot at URL above.)

- http://isc.sans.org/diary.php?storyid=1968
Last Updated: 2006-12-23 21:11:30 UTC

:fear: :sad:

2006-12-24, 12:47

More Christmas-themed malware
- http://www.f-secure.com/weblog/index.html#00001058
December 24, 2006
"Unfortunately there seems to be more Christmas-related malware floating around. Now there's a backdoor called Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one shows a Christmas-themed jigsaw puzzle game on screen. And then there's a Powerpoint file called Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has been making rounds previously..."

(Screenshot at URL above.)

- http://isc.sans.org/diary.php?storyid=1970
Last Updated: 2006-12-24 08:21:00 UTC
"...Reliance on anti-virus software should -not- be too high. The powerpoint file above was detected badly at the time we got our copy of it..."


2006-12-29, 22:36

Happy New Warezov
- http://www.f-secure.com/weblog/archives/archive-122006.html#00001059
December 25, 2006
"A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise. The attachment is called postcard.zip and the text of the message says:
Hi, you’ve just received a postcard.
For: (your email address)
From: ---
Text: Happy New Year!
Click on attachment to view a postcard.
When run, the malware connects to www6. easeruikingandefunjs. com ( DO NOT VISIT) and downloads a Warezov variant. We detect this now as Trojan-Downloader.Win32.Small.edn."

- http://isc.sans.org/diary.php?storyid=1987
Last Updated: 2006-12-29 13:58:47 UTC
"..."postcard.exe" is currently being spammed in EMails with the subject "Happy New Year". AV coverage is still thin.
MD5: 4adf7a3719c485a4e482498874b6695f
> Update 1105UTC: AV protection coming online, Trojan-Downloader.Win32.Tibs.jy (Kaspersky), W32/Dref-U (Sophos) W32.Nuwar.AY (TrendMicro)."

- http://www.f-secure.com/weblog/archives/archive-122006.html#00001061
December 29, 2006


2006-12-30, 16:35

- http://isc.sans.org/diary.php?storyid=1988
Last Updated: 2006-12-30 14:56:55 UTC
"...Variants of the email containing the postcard.exe attachment as previously reported*. These variants may be changing the subject lines, but are definitely changing the executable name. Reported name variants are "greeting card.exe", "greeting postcard.exe" and "GreetingCard.exe"... Unable to independently validate whether or not this variation is now widespread and the AV sites don't seem to be mentioning it yet..."
* http://isc.sans.org/diary.php?storyid=1987

- http://isc.sans.org/diary.php?storyid=1988
Last Updated: 2006-12-30 16:59:04 UTC
"...Update 1655 UTC: Several respondents have confirmed... Known variations are as follows:
greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

Subject lines appear to be changing with a much larger bank of possibilities. I anticipate AV vendors will begin to document this. A list was provided by reader Diego. This is a good start, but most likely partial:
Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year! ...

- http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006899&source=rss_topic85
December 29, 2006
"...In-boxes with the subject "Happy New Year!" The message, currently being spread from 160 e-mail domains, requires users to click on the attached "postcard.exe" file in order to cause damage. The file will install several different malicious code variants, including Tibs, Nwar, Banwarum and Glowa, on the computer. It then executes mass mailings from the infected computer. The worm is already being heavily spammed, VeriSign said. The security company has found one network that is sending out five e-mails per second with the worm... This is a new and largely undetected threat..."
- http://www.techweb.com/article/printableArticle.jhtml?articleID=196800036&site_section=
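The ISC diaries quoted above boil down to a set of mail-level indicators (attachment names, subject lines, one MD5) and one piece of advice: don't lean on AV alone. As an added example, not code from this thread or from ISC/F-Secure, here is a small mail triage filter that applies exactly those indicators to an RFC 822 message. It assumes the Python standard library only; the sample messages and the attachment bytes in `build_sample` are constructed placeholders, so the MD5 branch is wired up but will not fire on them.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread (ISC diaries 1987/1988, F-Secure weblog, Dec 2006).
KNOWN_MD5 = {"4adf7a3719c485a4e482498874b6695f"}  # postcard.exe sample per ISC diary 1987

KNOWN_ATTACHMENT_NAMES = {
    name.lower() for name in (
        "postcard.exe", "postcard.zip",
        "greeting card.exe", "greeting postcard.exe", "greetingcard.exe",
    )
}

KNOWN_SUBJECTS = {
    s.lower() for s in (
        "Annual Fun Forecast!", "Baby New Year!", "Best Wishes For A Happy New Year!",
        "Fun 2007!", "Fun Filled New Year!", "Happiness And Continued Success!",
        "Happiness And Success!", "Happiness In Everything!", "Happy 2007!",
        "Happy New Year!", "Happy Times And Happy Memories!", "May Your Dreams Come True!",
        "New Hopes And New Beginnings!", "New Year... Happy Year!", "Promises Of Happy Times!",
        "Raising A Toast To Happy Times!", "Scale Greater Heights!",
        "Sparkling Happiness And Good Times!", "Warm New Year Hug!",
        "Warmest Wishes For New Year!", "Welcome 2007!", "Wish You Smiles And Good Cheer!",
        "Wishing You Happiness!", "Wishing You Happy New Year!",
    )
}

# Any executable attachment is blocked regardless of name: the diaries note the
# filename changes from variant to variant, so the name list alone is never complete.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def triage_message(raw: bytes) -> list[str]:
    """Return the list of indicator hits for one raw message (empty list = no hit)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append(f"subject matches known lure: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower() in KNOWN_ATTACHMENT_NAMES:
            hits.append(f"attachment name matches known lure: {name!r}")
        elif name.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.append(f"executable attachment: {name!r}")
        digest = hashlib.md5(payload).hexdigest()
        if digest in KNOWN_MD5:
            hits.append(f"attachment MD5 matches known sample: {digest}")
    return hits


def verdict(hits: list[str]) -> str:
    """'block' on any attachment-based hit, 'suspicious' on subject only, else 'clean'."""
    if not hits:
        return "clean"
    if any(h.startswith(("attachment", "executable")) for h in hits):
        return "block"
    return "suspicious"


def build_sample(subject: str, filename: str, body: bytes) -> bytes:
    """Construct a test message. The attachment bytes are a placeholder, not real malware."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed addresses
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("Hi, you've just received a postcard.\nClick on attachment to view a postcard.\n")
    m.add_attachment(body, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Sparkling Happiness And Good Times!", "Greeting Postcard.exe", b"MZ placeholder")
    hits = triage_message(sample)
    print(verdict(hits), hits)
```

The subject list is treated as a weak signal on its own (a legitimate greeting can carry the same words), while an executable attachment or a hash match is enough to block; that ordering mirrors the diaries' point that the subject bank was growing faster than anyone could enumerate, whereas the delivery mechanism (an `.exe` the user must click) stayed constant.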


2007-01-02, 14:28

- http://www.f-secure.com/weblog/archives/archive-122006.html#00001065
December 31, 2006
"Massive amounts of fake New Year's greetings cards are being sent by Tibs.jy* (aka Luder). According to both our public and private virus statistic systems, the numbers are big enough..."
* http://www.f-secure.com/v-descs/luder_a.shtml

- http://www.f-secure.com/weblog/archives/archive-122006.html#00001063
December 30, 2006
"We're now seeing slightly modified versions of the Happy New Year postcard.exe attachments that were first spotted on Friday. This time the e-mail subjects vary a lot but are always themed around New Year greetings. For example, "Fun Filled New Year", "May Your Dreams Come True!", "Sparkling Happiness And Good Times!", or "Sender Happy 2007!". The attachment name is "greeting card.exe", "Greeting Postcard.exe", or something else along those lines. The attachments have been modified slightly to avoid detection by antivirus programs, but we detect them as Trojan-Downloader.Win32.Tibs.jy. There are also some corrupted attachments floating around: those might not be detected, but they won't work either..."

:fear: :spider: