You have received a card from a family member

Posted by on Friday, November 19th, 2010  |  27,587 views

Users have reported us some emails, related to postcards and Hallmark, that contain http links to download executable files with extension as .SCR (Screen Saver). Below there is an example of the email message we have received:

Hallmark

Extracted URLs:

hxxp://82.71.21.54 /postcard.scr
hxxp://212.43.82.11 /postcard.scr

File name: postcard-scr
File size: 1138594 bytes
MD5 hash: 83c4f02ee9cf83fcb6dfb1e4c4d94fca
SHA1 hash: be33a0e5f1008542b96e2342638bedd73b147ee7
Detection rate: 14 on 16 (88%)
Status: INFECTED

The malicious file postcard.scr, when executed, will install a copy of the popular IRC chat client named mIRC, with modified files, in a hidden directory located in the TEMP directory of C:\WINDOWS. The mIRC’s executable has no icon and other files have attributes set to +H (hidden):

C:\WINDOWS\Temp\spoolsv\

Hidden directory:

Hidden Folder

Dropped files:

Files

Windows firewall alert:

WF Alert

Users.ini and remote.ini files content:

Content

A.reg file content, used to write to Windows Registry:

Content

Run.bat file content:

Content

Posted by on Friday, November 19th, 2010 at 8:00 pm and filed under Security with tags , , , . Both comments and pings are currently closed.

Random Posts

Previous Posts

Comments are closed.