Educause Security Discussion mailing list archives
Hallmark trojan
From: Dick Jacobson <Dick.Jacobson () NDUS NODAK EDU>
Date: Tue, 18 Nov 2008 10:54:47 -0600
We are getting hammered by a Hallmark trojan. This appears to be what McAfee calls Spam.Mailbot.i. However, McAfee does not pick it up, so it could be a variant of that one. I am wondering if anyone else is seeing this? And if you have a sure-fire way to detect and clean it?

The email I received is:

-----------------
Date: Mon, 17 Nov 2008 17:15:23 -0600
From: postcards () hallmark com
To: copyright.abuse () ndus nodak edu
Subject: You've received A Hallmark E-Card!
Parts/Attachments:
  1 Shown 5 lines Text (charset: Windows-1252)
  2 343 KB Application
----------------------------------------

Hallmark.com Shop Online Hallmark Magazine E-Cards & More At Gold Crown

You have recieved A Hallmark E-Card.

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator
-------------

It has a postcard.zip attachment that carries the nasties.

One of our campuses had this for remediation:

- McAfee doesn't find any infected files for this, but AVG Free finds the infected files.
- Wntfy.exe is the bad file that is located in C:\Windows\System32
- Process called wntfy.exe
- Registry entries for wntfy

Kill the wntfy.exe process, delete the file out of System32, and search/delete all wntfy entries in the registry. Reboot.

That same campus mentioned a kdll.exe file in the system32 directory and a registry entry that needed to be manually removed also.

Another office said:

The web site is http://www.avg.com/download-trial
AVG Anti-Virus download, install, update dats and run

Another said:

The program that actually detected this for us was MalWareBytes.
http://www.malwarebytes.com/

We are in the process of verifying that the clean was successful.

The result is that none of these appear to completely clean the machine. Any thoughts?

-----------------------------------------------------------------------
Dick Jacobson                    e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer         office : STTC 219
                                 phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------
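As an added example (not code from the thread or from any of the tools named in it), a mail-triage check in Python that flags a message matching the indicators described above: a From address claiming hallmark.com, the e-card subject line, and a postcard.zip attachment that contains an executable. The sample message and its zip are constructed inline as stand-ins for the real one; the recipient address and the zip member name are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the thread: spoofed Hallmark sender, e-card subject,
# and a postcard.zip attachment carrying an executable.
SPOOFED_SENDER_DOMAIN = "hallmark.com"
SUBJECT_MARKER = "hallmark e-card"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif")

def executables_in_zip(data: bytes) -> list[str]:
    """Names of executable members inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> dict:
    """Check a raw RFC 822 message against the Hallmark e-card indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"zip_with_executable": []}
    hits["spoofed_hallmark_sender"] = SPOOFED_SENDER_DOMAIN in (msg.get("From") or "").lower()
    hits["ecard_subject"] = SUBJECT_MARKER in (msg.get("Subject") or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Trust the zip magic bytes, not only the declared filename.
        if name.endswith(".zip") or payload.startswith(b"PK"):
            hits["zip_with_executable"].extend(executables_in_zip(payload))
    hits["suspicious"] = hits["ecard_subject"] and bool(hits["zip_with_executable"])
    return hits

def build_sample() -> bytes:
    """Constructed stand-in for the message quoted in the thread (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.exe", b"MZ placeholder, not a real binary")  # placeholder member
    msg = EmailMessage()
    msg["From"] = "postcards@hallmark.com"
    msg["To"] = "copyright.abuse@example.edu"  # placeholder recipient
    msg["Subject"] = "You've received A Hallmark E-Card!"
    msg.set_content("You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="postcard.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```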
Current thread:
- Hallmark trojan Dick Jacobson (Nov 18)
- <Possible follow-ups>
- Re: Hallmark trojan Ken Connelly (Nov 18)
- Re: Hallmark trojan Woodle, I Wesley (Wes) (Nov 18)
- Re: Hallmark trojan Daniel Bennett (Nov 18)
- Re: Hallmark trojan Joe St Sauver (Nov 18)
- Re: Hallmark trojan Sabo, Eric (Nov 18)