Saturday, November 22, 2008

eCard worm: The new batch!

After a brief period of inactivity, eCard themed spam mails seem to be back in action. As usual, these mails carry links to malware masqueraded as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):




This eCard malware is an mIRC-based backdoor, and most AV engines detect it. The dropper is a self-extracting (SFX) archive; the following screenshot shows the files bundled in it:



When run, the dropper installs an mIRC client and also installs a WH_KEYBOARD message hook to log keystrokes. The mIRC client tries to connect to the remote servers 89.46.165.197 and 210.51.167.75. An automated analysis of this malware is available at ThreatExpert.
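Since the backdoor's only externally visible behaviour is its outbound connection to the two servers above, a quick way to find infected hosts is to sweep egress logs for them. The following is an added example, not part of the original post: it parses a constructed, simplified firewall log format and flags the two C2 addresses named above; the IRC port heuristic and the log format are assumptions.

```python
"""Sweep egress logs for the eCard backdoor's C2 servers (added example)."""
import re
from typing import Dict, List, Optional

# C2 addresses taken from the post; the IRC ports are an assumption (common
# defaults for an mIRC-based bot), so those hits are flagged for review only.
C2_ADDRESSES = {"89.46.165.197", "210.51.167.75"}
IRC_PORTS = {6667, 6668, 6669, 7000}

# Assumed line format: "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify(rec: Dict) -> Optional[str]:
    """Reason a record is suspicious, or None. Known C2 beats the port heuristic."""
    if rec["dst"] in C2_ADDRESSES:
        return "known C2 address"
    if rec["proto"].upper() == "TCP" and rec["dport"] in IRC_PORTS:
        return "IRC port (review: mIRC-based backdoor)"
    return None


def scan(lines: List[str]) -> List[Dict]:
    """Return one hit per suspicious connection, preserving log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the sweep
        reason = classify(rec)
        if reason:
            hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                         "dport": rec["dport"], "reason": reason})
    return hits


def infected_hosts(lines: List[str]) -> List[str]:
    """Internal hosts that contacted a known C2 address (the ones to isolate first)."""
    return sorted({h["src"] for h in scan(lines) if h["reason"] == "known C2 address"})


# Constructed sample log (documentation-range IPs for the benign entries).
SAMPLE_LOG = [
    "2008-11-22 13:01:02 10.0.0.12:51234 -> 89.46.165.197:6667 TCP",
    "2008-11-22 13:01:05 10.0.0.12:51235 -> 203.0.113.10:80 TCP",
    "2008-11-22 13:02:10 10.0.0.7:49152 -> 210.51.167.75:8080 TCP",
    "2008-11-22 13:03:44 10.0.0.9:40000 -> 198.51.100.5:6667 TCP",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("isolate first:", infected_hosts(SAMPLE_LOG))
```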

1 Comment:

Anonymous said...

Here are some tips for "safe ecard practices".

3:39 PM  
