Re: Hallmark trojan

["Woodle, I Wesley (Wes)" <iwoodle () UTK EDU>]

If any of you have the attachment, would you please zip it up with basic
encryption and password protect it with the word "infected" and then email
it to me directly or submit it to the AVERT Labs web site so that we can
make sure they have created signatures to detect it?

Thanks.

--
I. W. Woodle [Wes]
University of Tennessee
Information Security Office
(865) 556-8898  iwoodle () tennessee edu





-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Tuesday, November 18, 2008 12:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hallmark trojan

We've had a few (<100 so far) that have been identified by our e-mail
A/V engine and dropped.  A few with the same subject (probably with an
embedded URL, but no attachment) from several days ago were quarantined
as spam.

- ken

Dick Jacobson wrote:
> We are getting hammered by a Hallmark trojan.  This appears to be what
> McAfee calls Spam.Mailbot.i.  However, McAfee does not pick it up so
> it could be a variant of that one.
>
> I am wondering if anyone else is seeing this ?  And if you have a
> sure-fire way to detect and clean it ?
>
> The email I received is
> -----------------
> Date: Mon, 17 Nov 2008 17:15:23 -0600
> From: postcards () hallmark com
> To: copyright.abuse () ndus nodak edu
> Subject: You've received A Hallmark E-Card!
> Parts/Attachments:
>     1 Shown      5 lines  Text (charset: Windows-1252)
>     2          343 KB     Application
> ----------------------------------------
>
> Hallmark.com Shop Online Hallmark Magazine E-Cards & More At Gold Crown
>        You have recieved A Hallmark E-Card.
>
>   Hello!
>
> You have recieved a Hallmark E-Card from your friend.
>
> To see it, check the attachment.
>
> There's something special about that E-Card feeling. We invite you to
> make
> a friend's day and send one.
>
> Hope to see you soon,
> Your friends at Hallmark
>
> Your privacy is our priority. Click the "Privacy and Security" link at
> the
> bottom of this E-mail to view our policy.
>
> Hallmark.com | Privacy & Security | Customer Service | Store Locator
>
> -------------
>
> It has a postcard.zip attachment that carries the nasties.
>
> One of our campuses had this for remediation :
> -       McAfee doesn't find any infected files for this, but AVG Free =
>          find the infected files.
> -       Wntfy.exe is the bad file that is located in C:\Windows\System32
> -       Process called wntfy.exe
> -       Registry entries for wntfy
> Kill the wntfy.exe process, delete the file out of System32, and =
> search/delete all wntfy entries in the registry.  Reboot.
>
> That same campus mentioned a kdll.exe file in the system32 directory
> and a registry entry that needed to be manually removed also.
>
> Another office said :
> The web site is
> http://www.avg.com/download-trial
> AVG Anti-Virus
> download, install, update dats and run
>
>
> Another said :
> The program that actually detected this for us was MalWareBytes.
> http://www.malwarebytes.com/  We are in the process of verifying that
> the clean was successful.
>
>
> The result is that none of these appear to completely clean the
> machine. Any thoughts ?
>
> -----------------------------------------------------------------------
> Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu
> NDUS IT Security Officer    office : STTC 219
>         phone  : 701-231-6280 <NEW phone number>
> -----------------------------------------------------------------------

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Attachment: smime.p7s
Description: