Description:
This variant of WORM_FRIENDGRT.A is a "Friend Greetings" application that sends out invitation email to addresses in the infected user's Microsoft Outlook address book. The email does NOT contain a copy of this worm. Instead, it contains a URL link that, when clicked, downloads and executes this worm on the recipient machine.
Trend Micro antivirus does not detect the email that this worm sends out, since this email does not contain a copy of this worm or any other malware file. Rather, Trend Micro antivirus detects the file that is downloaded when the message URL is clicked.
As of this writing, this worm sends email with varying subjects and message bodies. The following is a list of subjects found on email sent by this worm:
- <Recipient> you have an E-Card from <Sender>
- <Recipient> you have a greeting card from <Sender>.
- <Recipient>, you have a funny card from <Sender>
- <Recipient> you recently received a postcard sent by <Sender>
- <Recipient> you just received a postcard from <Sender>
- just emailed you a postcard -- <Sender>
- just posted you a postcard - <Sender>
- <Recipient> you have received a postcard sent by <Sender>
- <Sender> today sent to you a postcard :<Recipient>
This worm sends email messages with content similar to the following:
<Recipient>,
<Sender> has sent you a greeting card -- a postcard from
Friend-Greetings.com. You can pickup your greeting
card at Friend-Greetings.com by clicking on the link
below.
http://www.friend-greeting.com/203746/pickup.html?code=<blocked>&id=0811025
Message:
------------------------------------------------------------
<Recipient>
I just sent you a greeting card - please pick it up.
<Sender>
------------------------------------------------------------
Other email samples have the following structures:
<Recipient>,
<Sender> has created a funny card for you at Laugh-Mail.com, a web site where you can create fun cards for your friends.
View it here:
http://www.Laugh-Mail.com/203746/2/pickup.html?code=<blocked>,&id=1311024
Message;
+++++++++++++++++++++++++++
<Recipient>,
This card was really funny. I hope you enjoy it.
+++++++++++++++++++++++++++
<http://65.240.226.240/505320/f.gif>
<Recipient>,
<Sender> recently sent you a card.
Read your e-card by going here:
http://www.Friend-Cards.com/pickup.aspx?code=<blocked>&id=0412022
Note;
<Recipient>,
Go get the ecard just emailed.
The string <http://65.240.226.240/505320/f.gif> appears as an image on certain email clients.
Once a recipient clicks the URL in this message, the recipient is prompted to install this worm program. As soon as the installation concludes, the worm immediately spams another set of recipients.
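Because the message itself carries no malware file, a mail filter has to key on the subject templates and link hosts shown above. The following Python sketch is an added example, not Trend Micro code: the function names are hypothetical, the host set holds only the hosts that appear in the sample messages above, and rejoining a link that was hard-wrapped after a hyphen is an assumption about how bodies may arrive.

```python
import re
from urllib.parse import urlsplit

# Link hosts seen in the sample messages on this page, lower-cased, "www." dropped.
LINK_HOSTS = {"friend-greeting.com", "laugh-mail.com", "friend-cards.com",
              "65.240.226.240"}

# The subject templates listed on this page; <Recipient>/<Sender> are left unanchored.
SUBJECT_RE = re.compile(
    r"you have an? (e-card|greeting card|funny card) from "
    r"|you (recently|just) received a postcard (sent by|from) "
    r"|you have received a postcard sent by "
    r"|just (emailed|posted) you a postcard --? "
    r"|today sent to you a postcard\s*:",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
# Assumption: a plain-text body may hard-wrap a link right after a hyphen.
WRAPPED_RE = re.compile(r"(https?://\S*-)\r?\n", re.IGNORECASE)


def link_hosts(body):
    """Return the normalized hosts of every http(s) link in a message body."""
    hosts = set()
    for url in URL_RE.findall(WRAPPED_RE.sub(r"\1", body)):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            continue
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


def score_message(subject, body):
    """Return the reasons a message matches this page's indicators ([] if none)."""
    reasons = ["subject"] if SUBJECT_RE.search(subject) else []
    hits = sorted(link_hosts(body) & LINK_HOSTS)
    if hits:
        reasons.append("link:" + ",".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed message modelled on the Laugh-Mail.com sample; names are made up.
    body = ("Bob,\nAlice has created a funny card for you.\nView it here:\n"
            "http://www.Laugh-\nMail.com/203746/2/pickup.html?code=<blocked>,&id=1311024\n")
    print(score_message("Bob, you have a funny card from Alice", body))
    print(score_message("Lunch on Friday?", "Menu: http://www.example.org/menu"))
```

A subject match alone is a weak signal, since greeting-card wording also appears in legitimate mail; the link host is the stronger of the two.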
This worm sends out messages that contain links under the following domains:
Description created: Nov. 8, 2002 1:45:58 AM GMT -0800
Description updated: Nov. 8, 2002 2:45:58 AM GMT -0800