NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0233 New Storm Trojan variant comes disguised as an e-postcard:


A new round of greeting-card spam that draws users to attack sites relies on a sophisticated multi-pronged, multi-exploit attack to infect machines, according to an online press report citing a SANS alert. Captured samples of the unsolicited email bore the same subject line, "You've received a postcard from a family member!" The email contains links to a malicious web site, where JavaScript determines whether the victim's browser has scripting enabled or turned off. If JavaScript is disabled, the site provides a link to a malicious file which users can download themselves, said the SANS alert. If JavaScript is enabled, the web site tries a trio of exploits, moving on to the second exploit if the machine is not vulnerable to the first, and on to the third if necessary. The first exploit is against a QuickTime vulnerability, the second is an attack on WinZip, and the third is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft patched last October.

If the user is eventually tricked into downloading the Trojan, it connects to a malware hosting server which SANS says has been active since December 2006, and attempts to install software to tie the PC into a spam botnet. When SANS ran the malware through 30 different anti-virus programs, only a quarter of them reportedly tagged "ecard.exe" as a suspect download. Several antivirus vendors had tentatively pegged the executable file as a variation of the Storm Trojan.

(computerworld.com 28JUN07; www.theregister.co.uk 29JUN07)
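As an added illustration (not part of the advisory or its sources): a small mail-triage routine that flags the two observable signs described above, the campaign's subject line and a link that hands the recipient an executable directly (the JavaScript-disabled fallback), run over constructed sample messages. The hostnames and the extension list are assumptions.

```python
import email
import re
from email import policy

# Subject line reported in the advisory (compared case-insensitively).
LURE_SUBJECT = "you've received a postcard from a family member!"
# A greeting-card mail linking straight to an executable is the "JavaScript
# disabled" fallback path described above; the extension list is an assumption.
EXE_LINK = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|pif|bat)\b", re.IGNORECASE)


def triage(raw_message: str) -> list:
    """Return the reasons a message should be quarantined (empty list if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject == LURE_SUBJECT:
        reasons.append("known e-card lure subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in EXE_LINK.findall(text):
        reasons.append("direct executable download link: " + url)
    return reasons


# Constructed sample messages (hostnames are placeholders, not real indicators).
LURE_SAMPLE = (
    "From: greetings@example.invalid\n"
    "Subject: You've received a postcard from a family member!\n"
    "\n"
    "To see your card, open http://example.invalid/ecard.exe\n"
)
BENIGN_SAMPLE = (
    "From: colleague@example.invalid\n"
    "Subject: Lunch tomorrow?\n"
    "\n"
    "Noon at the usual place? Agenda: http://example.invalid/notes.html\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", triage(sample) or "no findings")
```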



Last Modified: Sunday, 22-Jul-2007 08:55:33 EDT