False 'HallMark' greeting cards spam a new threat?


washmail

I received what I believed to be one of those typical panic-creating 'warnings' that go around, claiming to warn recipients that emails titled "xxx" contain a virus that will destroy your hard drive's contents, and that such has been supposedly confirmed by respected anti-virus companies, Microsoft etc. as very dangerous, and that no current protection is available.

As is usual I deleted this 'warning' email without a second thought.

However today, a few days later, I received a number of such warned-about(?) emails titled "HallMark Greeting Card".

What was most strange about them is that I was unable to view any of the headers on my email control monitor 'MailWasher' - something not previously experienced. I've no idea how this has been achieved...

I sent the first one through to SpamCop to examine the headers, and later reported all of them.

Sure enough one of them contained an invalid reverse DNS, but the virus scan was clear despite there being a fairly large attachment to each called "postcard.zip".

At this stage this is not on my Service Provider's blocklist(s) (which they are using is unknown). My SP appears to use excellent blocklist(s) as I encounter almost no false positives or false negatives.

So far the SPs from whom the emails originate are all South African, so this may not (yet) be of international concern.

Not surprisingly the SP involved with hallmark[dot]com is refusing any related SC reports.

Is it possible that this is a real new threat, and that there is any truth in the warning received? I doubt it, but thought it would be interesting to share this experience and to learn from any feedback.

To view: http://www.spamcop.net/sc?id=z2087717778zf...9560e6fa571eb3z

Is it possible that this is a real new threat, and that there is any truth in the warning received? I doubt it, but thought it would be interesting to share this experience and to learn from any feedback.
Clearly it ain't friendly, since the header appears to have been forged (bad HELO), and most of what would have been links to Hallmark in the body have been suppressed. I doubt that Hallmark (or any other legit outfit) would want to send ZIPped attachments, either; the preferred procedure would be to direct you to a web URL to see the card. The ZIP got truncated, I imagine, so I could not decode it to take a look.

Certainly this is a threat, probably a real one, although hard to say whether it might be "new." I'd guess some good old-fashioned botnet recruitment.

-- rick

I received what I believed to be one of those typical panic-creating 'warnings' that go around, claiming to warn recipients that emails titled "xxx" contain a virus that will destroy your hard drive's contents, and that such has been supposedly confirmed by respected anti-virus companies, Microsoft etc. as very dangerous, and that no current protection is available.

Stupid people are indeed forwarding an old warning around to that effect. It's the one seen near the bottom of the following Snopes page:

http://www.snopes.com/computer/virus/postcard.asp

There was a kernel of truth to the original concern, but that all happened over a year ago, and those particular messages subsided. The bogus warning emails, however, are making the rounds again, and in some ways are worse than spam, so please tell the idiot who sent it to you to cease and desist, and to "un-notify" all the people they screamed "FIRE!" to...that's what I usually do (I used to do a "Reply to all" myself, but that puts my address out in too many places).

DT

A zip attachment from a bogus source is surely intended to do something other than its stated purpose. As Rick said, the file is damaged - http://www.virustotal.com/analisis/f07e8d2...a072f06d875b15b - analysis is therefore inconclusive.

The "Chicken Little" warnings (forever being recycled by the sad and the lonely) have nothing to do with it and VirusTotal, though far from infallible, will usually indicate if there is malice in the mail. Sure, there are always new viral varieties that may elude any given AV product for a while - but a 'gang' of 34 different ones (currently) is hard to fool except, momentarily, at the very leading edge of promulgation and at the utmost limit of virus technology.

Incidentally, although uploading the file attachment there (to VT) is the best source for virus scanning, a text file with even just the SC "View entire message" content will often be good enough - the various scan engines seem to work slightly better with text files that include at least the surrounding MIME declarations than with just the bare text of the attachment part. Not everyone is happy with saving a suspect attachment for analysis - in which case the perfectly safe decode (text) is often/usually good enough.

At the end of the day these infection ploys via spam are almost totally ineffectual against anyone who doesn't habitually open the attachment or follow the link. So much for "no protection available" (well, sure, I pre-suppose a functioning brain but ...)

I thought of offering a copy of such an email at a temporary box, but some 'fun-loving' idiot visiting these shores would probably delete it or do who knows what.

If it's not objected to, I plan to later add the full header concerned to this thread (that's if I receive another example, can find a way to view the header, and if it's not too long for my technical options).

Or does someone have another idea for capturing it and passing it on complete? (I won't download it.)

In the meantime I've asked the author of MailWasher to investigate the associated view-header problem.

The bogus warning emails, however, are making the rounds again, and in some ways are worse than spam, so please tell the idiot who sent it to you to cease and desist, and to "un-notify" all the people they screamed "FIRE!" to...that's what I usually do (I used to do a "Reply to all" myself, but that puts my address out in too many places).

Unfortunately in my experience most of these "Chicken Little" type participants never seem to learn anything from feedback, and as they're usually clients, I'd rather not rock the income boat. :ph34r:

If you get full headers, don't post them intact...rather, run them through the SpamCop reporting parser, copy the Tracking URL from the top, and post that here. This procedure is described in the FAQ here.

That's what I did originally, but the parser always truncates larger emails - unless there's a way to prevent that, the zip cannot be of use to anyone here.

I thought I could try fudging the header myself, but leave the body intact. I presume doing so is considered too long & messy for the forums.

So unless there's another way I will post it on a page at one of my domains and supply a (broken) link. That's if I find a way to get it properly....

In the meantime, we've had some feedback from colleagues who are now also concerned by the same situation. As both the 'warning' and the spam are definitely making their rounds locally, I think the spammer may have seen the same 'warning' and decided to play with the idea.

We're suggesting that the warning at least is almost certainly false.

I am not sure if it applies here or not, but if someone had opened the warning and clicked on the link (or whatever), that might have opened up their address book to the virus which then sends the virus to all those in the address book. IOW, the 'warning' is the initial point of entry for the virus. Naturally, those who have received the warning will most probably be in the address books of the one(s) who took it seriously.

Miss Betsy

...That's what I did originally, but the parser always truncates larger emails - unless there's a way to prevent that, the zip cannot be of use to anyone here. ...
The parser truncates at 50k which should be enough to capture most zipped trojan downloaders. The example you posted was ~ 39k and didn't carry the "Truncated by SpamCop" ending so something else "got" to that one.
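
As an added example (not from the thread, SpamCop or MailWasher), the triage a defender can do on a message like those discussed here without ever opening the attachment: decode the MIME part, hash it for a scanner upload such as VirusTotal, and check whether the zip is complete, since a truncated copy like the first sample cannot be analysed. The message and its postcard.zip are constructed stand-ins holding only placeholder text; the sender address is made up.

```python
import base64
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record; every complete zip ends with one


def build_sample():
    """Constructed stand-in for the spam: harmless placeholder text inside postcard.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.txt", "placeholder for the real attachment\n" * 60)
    msg = EmailMessage()
    msg["From"] = "postcards@example.com"  # constructed sender
    msg["Subject"] = "You've received A Hallmark E-Card!"
    msg.set_content("Your card is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="postcard.zip")
    return msg.as_bytes()


def decode_attachment(part):
    """Undo the transfer encoding only; the archive itself is never opened or extracted."""
    if (part.get("Content-Transfer-Encoding") or "").lower() != "base64":
        return part.get_payload(decode=True) or b""
    b64 = "".join(part.get_payload().split()).encode()
    b64 = b64[: len(b64) - len(b64) % 4]  # a cut-off message leaves a partial quartet behind
    return base64.b64decode(b64)


def triage(raw):
    """Per attachment: name, size, SHA-256 for a scanner submission, and zip completeness."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = decode_attachment(part)
        report.append({
            "name": part.get_filename(),
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            # EOCD sits at the very end (optionally followed by a <=64 KiB comment), so a truncated copy lacks it
            "zip_complete": ZIP_EOCD in data[-(22 + 65535):],
        })
    return report


if __name__ == "__main__":
    full = build_sample()
    for label, raw in (("full", full), ("truncated", full[: len(full) // 2])):
        print(label, triage(raw))
```

The hash is what you submit or search for on a multi-engine scanner; an incomplete archive explains an inconclusive verdict before anyone wastes time on it.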

I am not sure if it applies here or not, but if someone had opened the warning and clicked on the link (or whatever), that might have opened up their address book to the virus which then sends the virus to all those in the address book. IOW, the 'warning' is the initial point of entry for the virus. Naturally, those who have received the warning will most probably be in the address books of the one(s) who took it seriously.

Miss Betsy

No, not in this case.

Fortunately MailWasher has a 'Recycle Bin' feature; here's the text from the recovered email:

Subject: Fwd: Big Virus on its way

Just beware!

Freda

Send to everyone you know. This has been validated on snopes, check it out for yourself. It will DESTROY your computer. Tell the kids and grandkids too!!!

Please read the message below. It may save your computer!

Subject: FW: SNOPES HAS CONFIRM - BIG VIRUS COMING !!! PLEASE READ & FORWARD !!!

(http://www .snopes.com/computer/virus/postcard.asp)

Hi All,

I checked with Norton Anti-Virus, and they are gearing up for this virus!

I checked Snopes (URL above:), and it is for real!!

Get this E-mail message sent around to your contacts ASAP.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!

You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM HALLMARK,' regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason why you need to send this e-mail to all your contacts. It is better to receive this message 25 times than to receive the virus and open it.

If you receive a mail called 'POSTCARD,' even though sent to you by a friend, do not open it!

Shut down your computer immediately. This is the worst virus announced by CNN.

It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US

Snopes lists all the names it could come in.

The parser truncates at 50k which should be enough to capture most zipped trojan downloaders. The example you posted was ~ 39k and didn't carry the "Truncated by SpamCop" ending so something else "got" to that one.

Ok, that seems to be the answer. Although MailWasher doesn't appear to have a Kb limitation, it only allows the first 800 lines to be viewed, and that must also apply to its SC reporting feature (they were mostly short lines).

So I will need to find another way to view a new example safely without MailWasher (the Recycle Bin feature also truncates), and hope that it's not larger than 50Kb.

But DavidT is probably right - it's unlikely to be anything worth the time...

I decided I was probably well enough protected to download a specimen, so did so on one of my less vital PCs.

Contrary to previous results, my AV reported the following:

Viruses found in the attached files.

The file postcard.zip: Trojan horse SpamTool.BZL. The attachment was moved to the virus vault.

It's probably the same / similar content as the first example, but of course couldn't be properly examined by the SC AV due to the truncation.

This specimen can be examined (without attachment) at:

http://www.spamcop.net/sc?id=z2106980622z4...79e8108d8f1de6z

Thanks for the sample. This isn't spam IMO (although it's reportable), but rather just the kind of infected emails described correctly on the Snopes page, yet very incorrectly in the bogus warning messages. Your sample seems to have come from an infected computer in South Africa, where there are likely some rather old computers without proper protection, so what was happening a year ago in more technologically advanced places is happening a bit later there. (on edit: after some Googling, I see that there is indeed what appears to be a cyclical recurrence of last year's infected e-cards)

Those of us who have SpamCop email accounts never receive infected emails, because they are all deleted by the system before hitting our mailboxes, but I did see some of those messages a year ago where I work.

DT

This is the result of uploading my first Hallmark message (there have been about 10 more since) to Virscan.org:

http://virscan.org/report/6966c5eec7e65f23...9a9324ed49.html

Most scanning systems they submitted it to didn't find a problem. Three did (Trend Micro, Ikarus, and Avasti) but without agreement on what was found.

Two found a virus:

Win32.Delf.KXC [DRP]

VirTool Win32.Delfinject.AA

One found a worm:

WORM_NUCAR.AXQ

The source seems to be described as an open proxy on a lightship.com account:

Processing spam: From: postcards[at]hallmark.com

Subject: You've received A Hallmark E-Card!

<snip>

Received: from hallmark.com ([72.8.32.130]) by mx-jacana.atl.sa.earthlink.net

<snip>

72.8.32.130 found

host 72.8.32.130 (getting name) = static-72-8-32-130.roc.onecommunications.net.

static-72-8-32-130.roc.onecommunications.net is 72.8.32.130

Possible spammer: 72.8.32.130

Possible relay: 207.69.195.26

207.69.195.26 has already been sent to relay testers

Received line accepted

Tracking message source:72.8.32.130: Cached whois for 72.8.32.130 : abuse[at]lightship.net

Using abuse net on abuse[at]lightship.net

abuse net lightship.net = abuse[at]lightship.com

Using best contacts abuse[at]lightship.com

Message is 10 hours old

72.8.32.130 not listed in dnsbl.njabl.org

72.8.32.130 not listed in dnsbl.njabl.org

72.8.32.130 listed in cbl.abuseat.org ( 127.0.0.2 )

72.8.32.130 is an open proxy

The only thing for sure is that abuse[at]lightship.net hasn't shut this down yet.

Perhaps I will now add in the comments section in future reports that message contains a virus.
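
Added example, not SpamCop's parser code: the checks behind the tracking output quoted above (HELO name versus reverse DNS, forward-confirmed rDNS, and the reversed-octet DNSBL query) applied to the Received line from the post. The DNS and blocklist answers are constructed lookup tables populated from that output rather than live queries, so it runs offline; in practice the two dictionaries would be replaced by PTR, A and DNSBL lookups.

```python
import re

# Constructed stand-ins for live DNS, populated from the tracking output quoted in the post.
PTR_RECORDS = {"72.8.32.130": "static-72-8-32-130.roc.onecommunications.net"}
A_RECORDS = {"static-72-8-32-130.roc.onecommunications.net": "72.8.32.130"}
DNSBL_ZONES = ("cbl.abuseat.org", "dnsbl.njabl.org")
DNSBL_RECORDS = {"130.32.8.72.cbl.abuseat.org": "127.0.0.2"}  # no key means "not listed"

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[\w.-]+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>[\w.-]+)")


def parse_received(header):
    """Pull the HELO name, connecting IP and receiving host out of one Received: line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received: line")
    return m.groupdict()


def dnsbl_name(ip, zone):
    """DNSBLs are queried by reversed octets: 72.8.32.130 -> 130.32.8.72.cbl.abuseat.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def assess(header, ptr=PTR_RECORDS, fwd=A_RECORDS, dnsbl=DNSBL_RECORDS):
    """Findings a mail admin acts on: HELO/rDNS mismatch and blocklist hits for the sending IP."""
    rcv = parse_received(header)
    ip, helo = rcv["ip"], rcv["helo"].lower()
    rdns = ptr.get(ip)
    findings = {"ip": ip, "helo": helo, "rdns": rdns}
    # Forward-confirmed rDNS: the PTR name must resolve back to the same address.
    findings["fcrdns"] = rdns is not None and fwd.get(rdns) == ip
    # A HELO claiming hallmark.com from a host whose rDNS is elsewhere is the "bad HELO" noted above.
    findings["helo_matches_rdns"] = rdns is not None and (helo == rdns or rdns.endswith("." + helo))
    findings["listed_in"] = {zone: dnsbl[dnsbl_name(ip, zone)]
                             for zone in DNSBL_ZONES if dnsbl_name(ip, zone) in dnsbl}
    findings["suspicious"] = bool(findings["listed_in"]) or not findings["helo_matches_rdns"]
    return findings


# The Received line exactly as quoted in the post.
SAMPLE = "Received: from hallmark.com ([72.8.32.130]) by mx-jacana.atl.sa.earthlink.net"

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```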

...Perhaps I will now add in the comments section in future reports that message contains a virus.
Yeah, I usually do that too (on the rare occasion I get one). In some circumstances it could make a difference. In Australia, the 'code of conduct' which supposedly governs ISPs says that when they're aware of an infected machine (as in botnet component sending this stuff to you and me) they are obliged to help the owner clean it up. Of course they don't (much cheaper just to block regular email accounts and then cite blocked submissions - such as to SC - to 'prove' they're preventing spam promulgation - actually proves morons rule, but I digress). But, it puts the evidence before them and non-compliance is their hazard. The penalty for which was a slap on the wrist with a wet tram ticket last heard, but again I digress (gotta stop that).

But yes, it puts the onus back into an appropriate field of play whether or not there are formal requirements for them to react, and these are viruses not detected by the systems through which they are sent, so that is important. Sending samples to VirScan, VirusTotal, whatever, is good too - alerts other AVs about the signatures of new/current varieties.

Archived

This topic is now archived and is closed to further replies.
