*You have a postcard* e-mails - been a while

Haven't received any postcard/greeting card e-mails since November.
Got a few today from either hxxp://uhavepostcard.com/ or
hxxp://happycards2008.com/
Subject was Happy New Years, or some variant.

Both sites instructed you to download a file called happy-2008.exe

Submitted to VT in the AM:

Antivirus      Version      Last Update      Result
AhnLab-V3    2007.12.26.10    2007.12.26    -
AntiVir    7.6.0.46    2007.12.26    TR/Rootkit.Gen
Authentium    4.93.8    2007.12.26    -
Avast    4.7.1098.0    2007.12.26    Win32:Zhelatin-ASX
AVG    7.5.0.516    2007.12.25    -
BitDefender    7.2    2007.12.26    DeepScan:Generic.Malware.FMH@mmign.55A134E9
CAT-QuickHeal    9.00    2007.12.25    -
ClamAV    0.91.2    2007.12.26    Trojan.Zhelatin
DrWeb    4.44.0.09170    2007.12.26    Trojan.Spambot.2386
eSafe    7.0.15.0    2007.12.25    -
eTrust-Vet    31.3.5400    2007.12.24    -
Ewido    4.0    2007.12.26    -
FileAdvisor    1    2007.12.26    -
Fortinet    3.14.0.0    2007.12.26    -
F-Prot    4.4.2.54    2007.12.25    -
F-Secure    6.70.13030.0    2007.12.26    -
Ikarus    T3.1.1.15    2007.12.26    -
Kaspersky    7.0.0.125    2007.12.26    -
McAfee    5192    2007.12.24    -
Microsoft    1.3109    2007.12.26    Backdoor:WinNT/Nuwar.B!sys
NOD32v2    2747    2007.12.25    probably a variant of Win32/Fuclip
Norman    5.80.02    2007.12.26    -
Panda    9.0.0.4    2007.12.25    Suspicious file
Prevx1    V2    2007.12.26    Stormy:Worm-All Variants
Rising    20.24.21.00    2007.12.26    -
Sophos    4.24.0    2007.12.26    -
Sunbelt    2.2.907.0    2007.12.21    -
Symantec    10    2007.12.26    Trojan.Peacomm
TheHacker    6.2.9.168    2007.12.22    -
VBA32    3.12.2.5    2007.12.26    -
VirusBuster    4.3.26:9    2007.12.26    -
Webwasher-Gateway    6.6.2    2007.12.26    Trojan.Rootkit.Gen

Re: *You have a postcard* e-mails - been a while

In reply to Duh_OZ's post of Wed, 26 Dec 2007 19:46:48 -0800:

But that's strange:

It's strange, because at least they should know about it, since they
started blogging about that:
http://www.f-secure.com/weblog/

Gabriela

Re: *You have a postcard* e-mails - been a while



Nice...I can't get either site to send me anything tho. If you still have
that file, I'd certainly like a copy. :)

--
Dustin Cook,  Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

Re: *You have a postcard* e-mails - been a while



Dustin,

I dl'd the file "happynewyear2008.exe" from "uhavepostcard.com" about 1/2
hour ago and my Norton 12/26/07 did not pick it up nor did  SuperAntiSpyware
Core:3370  Trace:1365. I did not open it. I tried to send it to you, Dustin,
but your bughunter gmail addy didn't work.
However, I sent it to virustotal and here are the results:

Antivirus      Version      Last Update      Result
AhnLab-V3    2007.12.29.11    2007.12.29    -
AntiVir    7.6.0.46    2007.12.30    TR/Crypt.XDR.Gen
Authentium    4.93.8    2007.12.30    W32/StormWorm.U
Avast    4.7.1098.0    2007.12.30    Win32:Zhelatin-ASX
AVG    7.5.0.516    2007.12.30    Dropper.Generic.TNQ
BitDefender    7.2    2007.12.30    Trojan.Peed.IRM
CAT-QuickHeal    9.00    2007.12.29    -
ClamAV    0.91.2    2007.12.30    -
DrWeb    4.44.0.09170    2007.12.30    Trojan.Spambot.2556
eSafe    7.0.15.0    2007.12.27    -
eTrust-Vet    31.3.5412    2007.12.29    -
Ewido    4.0    2007.12.30    -
FileAdvisor    1    2007.12.30    -
Fortinet    3.14.0.0    2007.12.30    W32/Tibs.G@mm
F-Prot    4.4.2.54    2007.12.29    -
F-Secure    6.70.13030.0    2007.12.30    Email-Worm:W32/Zhelatin.PS
Ikarus    T3.1.1.15    2007.12.30    Trojan.Peed.IRM
Kaspersky    7.0.0.125    2007.12.30    Email-Worm.Win32.Zhelatin.pv
McAfee    5195    2007.12.28    W32/Nuwar@MM
Microsoft    1.3109    2007.12.30    Backdoor:Win32/Nuwar.gen!A
NOD32v2    2757    2007.12.30    Win32/Nuwar.BE
Norman    5.80.02    2007.12.28    -
Panda    9.0.0.4    2007.12.30    Suspicious file
Prevx1    V2    2007.12.30    Stormy:Worm-All Variants
Rising    20.24.52.00    2007.12.29    -
Sophos    4.24.0    2007.12.30    Mal/Dorf-H
Sunbelt    2.2.907.0    2007.12.30    -
Symantec    10    2007.12.30    Trojan.Peacomm.D
TheHacker    6.2.9.175    2007.12.29    -
VBA32    3.12.2.5    2007.12.29    -
VirusBuster    4.3.26:9    2007.12.30    Trojan.DL.Tibs.JO
Webwasher-Gateway    6.6.2    2007.12.30    Trojan.Crypt.XDR.Gen



Re: *You have a postcard* e-mails - been a while



I appreciate your efforts, however, special care has to be taken when
emailing them to me or they will bounce. :( My site has specific
instructions.
--
Dustin Cook,  Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

Re: *You have a postcard* e-mails - been a while

In reply to Dustin Cook:

I use NSW Professional2003 and have just manually installed the latest def
dated 12/30/2007 and it does NOT recognize the "happynewyear2008.exe" file I
downloaded from "uhavepostcard.com". I had also tried it with the 12/26/2007
defs with no luck.
Why doesn't NSW2003Pro recognize it? Is the 'engine' not working?
I keep hearing that the Norton engine gets updated automatically with
LiveUpdate.
However, my AVG free does recognize it. ( I use a dual-boot system Win2000
with NSW and Win98SE with AVG Free).
No, I did not open the .exe file.



Re: *You have a postcard* e-mails - been a while



I'm sure they'll be adding detection for it soon.


AVG's information is either more up to date, or AVG lucked out and had a
better family signature than NSW is using.



--
Dustin Cook,  Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

Re: *You have a postcard* e-mails - been a while

In reply to Dustin Cook:


Well, the TotalVirus site says that Symantec did recognize it with its
30Dec07 defs, and also with its 26Dec07 defs.
So what I'm concerned about is if the NSW2003Pro engine is working or not.
Anyways, thanks for your response.  :)





Re: *You have a postcard* e-mails - been a while

In reply to Duh_OZ:

Update:

http://isc.sans.org/diary.html?storyid=3784

it is morphing...


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
ignorance can be fixed. stupidity is life-long.
(jshdude in alt.comp.anti-virus)


