Danny Carlton
I got the following in my email junk box from egreetings@egreetings.com...
You have just received a virtual postcard from a family member!
You can pick up your postcard at the following web address:
http://www2.postcards.org/?a91-valets-cloud-31337
Except instead of the link going to what it should have, it instead was to...
http://83.xxx.xxx.122/postcard.exe
(It was an IP address, but I removed some of the numbers so there's no way it can accidentally be used as a real link.)
Whenever the URL shown in a message isn't the same as the one that appears in the task bar (the grey area at the bottom left of the window) when you hover over the link, it's something bad.
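The mismatch described above can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses the HTML of a message, pulls every link, and flags anchors whose visible text is a URL on a different host than the real target, anchors pointing at a bare IP address, and anchors that deliver an executable. The sample message is constructed to mirror the lure in the post; 192.0.2.10 is a documentation address standing in for the masked IP.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; empty string if there is none."""
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, visible text, reasons) for each anchor worth flagging."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons, href_host = [], host_of(href)
        # Visible text looks like a URL but the real target is on a different host
        if text.startswith(("http://", "https://", "www.")):
            text_host = host_of(text if "://" in text else "http://" + text)
            if text_host != href_host:
                reasons.append("shown host %s, real host %s" % (text_host, href_host))
        if href_host.replace(".", "").isdigit():
            reasons.append("target is a bare IP address")
        if urlparse(href).path.lower().endswith((".exe", ".scr")):
            reasons.append("target is an executable download")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged

# Constructed sample modelled on the lure in the post; 192.0.2.10 is a documentation address
SAMPLE = ('<a href="http://192.0.2.10/postcard.exe">'
          'http://www2.postcards.org/?a91-valets-cloud-31337</a>'
          '<a href="http://www2.postcards.org/help">http://www2.postcards.org/help</a>')
```

Running `suspicious_links(SAMPLE)` flags only the first anchor, with all three reasons; the second link, whose text and target agree, passes.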
I looked it up and this method is used by the NUWAR virus...
When executed, the NUWAR worm drops a copy of itself in the Windows system folder as WSERVICE.EXE. It creates autostart registry entries to enable its automatic execution at every system startup. It then proceeds to search the Windows Address Book for target recipients of its email messages, which it sends out using its own SMTP engine. It also terminates security-related applications. Based on these characteristics, NUWAR looks like your average mass-mailer....
This worm drops another copy of itself using a random file name with a .T extension. It also -- to use the term loosely -- "infects" .EXE and .SCR files found on the compromised machine by adding code that allows the .T worm copy to execute automatically every time the infected files are run. Thus, every time an application is executed on the system, the worm copy is also executed.
Essentially, it serves as a backup for the other worm copy in the system folder, because should the said copy get removed from the system, the .T copy can still run without interference. This is true especially in cases where the antivirus application does not have the true file type scanning enabled. Since the .T copy does not use the usual file extension most malware normally use (e.g., .EXE), then antivirus applications may not detect this copy....
Incidentally, this worm also drops a Trojan downloader, and that fully explains the worm component’s main routine: to serve as a mere vehicle for more malicious routines.
Never, ever open or run an attachment when you don't know where it came from.