Educause Security Discussion mailing list archives
Re: Hallmark trojan
From: "Woodle, I Wesley (Wes)" <iwoodle () UTK EDU>
Date: Tue, 18 Nov 2008 13:03:31 -0500
If any of you have the attachment, would you please zip it up with basic encryption and password protect it with the word "infected" and then email it to me directly or submit it to the AVERT Labs web site so that we can make sure they have created signatures to detect it?

Thanks.

--
I. W. Woodle [Wes]
University of Tennessee
Information Security Office
(865) 556-8898
iwoodle () tennessee edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Tuesday, November 18, 2008 12:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hallmark trojan

We've had a few (<100 so far) that have been identified by our e-mail A/V engine and dropped. A few with the same subject (probably with an embedded URL, but no attachment) from several days ago were quarantined as spam.

- ken

Dick Jacobson wrote:

We are getting hammered by a Hallmark trojan. This appears to be what McAfee calls Spam.Mailbot.i. However, McAfee does not pick it up so it could be a variant of that one. I am wondering if anyone else is seeing this? And if you have a sure-fire way to detect and clean it?

The email I received is
-----------------
Date: Mon, 17 Nov 2008 17:15:23 -0600
From: postcards () hallmark com
To: copyright.abuse () ndus nodak edu
Subject: You've received A Hallmark E-Card!

Parts/Attachments:
1 Shown 5 lines Text (charset: Windows-1252)
2 343 KB Application
----------------------------------------
Hallmark.com  Shop Online  Hallmark Magazine  E-Cards & More  At Gold Crown

You have recieved A Hallmark E-Card.

Hello!

You have recieved a Hallmark E-Card from your friend. To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator
-------------

It has a postcard.zip attachment that carries the nasties.

One of our campuses had this for remediation:
- McAfee doesn't find any infected files for this, but AVG Free finds the infected files.
- Wntfy.exe is the bad file that is located in C:\Windows\System32
- Process called wntfy.exe
- Registry entries for wntfy
Kill the wntfy.exe process, delete the file out of System32, and search/delete all wntfy entries in the registry. Reboot.

That same campus mentioned a kdll.exe file in the system32 directory and a registry entry that needed to be manually removed also.

Another office said:
The web site is http://www.avg.com/download-trial
AVG Anti-Virus download, install, update dats and run

Another said:
The program that actually detected this for us was MalWareBytes.
http://www.malwarebytes.com/

We are in the process of verifying that the clean was successful.

The result is that none of these appear to completely clean the machine.

Any thoughts?
-----------------------------------------------------------------------
Dick Jacobson              e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer   office : STTC 219
                           phone  : 701-231-6280 <NEW phone number>
-----------------------------------------------------------------------

--
- Ken
=================================================================
Ken Connelly            Associate Director, Security and Systems
ITS Network Services    University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850   f: (319) 273-7373
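The cleanup steps reported in the thread (kill the wntfy.exe process, delete the file from System32, remove the wntfy registry entries, then do the same for kdll.exe) can be turned into a host audit. The PowerShell script below is an added example and is not code posted by anyone in the thread; the indicator names come from the thread, while the choice of autostart registry keys to search, the SHA-256 hashing of any dropped file (so a sample can be submitted to the AV vendor as the first message asks), and the audit-only default with an opt-in -Remediate switch are my own assumptions.

```powershell
# Added example, not from the thread: audit a Windows host for the indicators
# the thread names for the "Hallmark e-card" trojan. Read-only by default;
# with -Remediate it follows the thread's own cleanup order (process, file,
# registry) and then asks for a reboot and a second pass.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# Base names of the process/file indicators reported in the thread.
$Indicators = @('wntfy', 'kdll')
$System32   = Join-Path $env:SystemRoot 'System32'

# Autostart locations to search for references to the indicators (assumption:
# the thread only says "registry entries for wntfy" without naming keys).
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

$findings = @()

foreach ($name in $Indicators) {
    $pattern = [regex]::Escape($name)

    # 1. Running process with the indicator's image name.
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'Process'; Indicator = $name; Key = ''; ValueName = ''
            Detail = "PID $($_.Id) $($_.Path)"
        }
    }

    # 2. Dropped file in System32; hash it so the sample can be reported.
    $file = Join-Path $System32 "$name.exe"
    if (Test-Path $file) {
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type = 'File'; Indicator = $name; Key = ''; ValueName = ''
            Detail = "$file sha256=$hash"
        }
    }

    # 3. Autostart values whose name or data mentions the indicator.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ($p.Name -match $pattern -or "$($p.Value)" -match $pattern) {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Indicator = $name; Key = $key; ValueName = $p.Name
                    Detail = "$key\$($p.Name) = $($p.Value)"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No indicators found on $env:COMPUTERNAME"
    return
}

$findings | Select-Object Type, Indicator, Detail | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object Type -eq 'Process') {
        Stop-Process -Name $f.Indicator -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $findings | Where-Object Type -eq 'File') {
        Remove-Item -Path (Join-Path $System32 "$($f.Indicator).exe") -Force
    }
    foreach ($f in $findings | Where-Object Type -eq 'Registry') {
        Remove-ItemProperty -Path $f.Key -Name $f.ValueName -ErrorAction SilentlyContinue
    }
    # The thread reports that the manual cleanups did not fully clean machines,
    # so a reboot followed by a second audit pass is part of the procedure.
    Write-Warning "Reboot, then re-run this script to confirm nothing returned."
}
```

Run it from an elevated prompt (`.\Check-HallmarkTrojan.ps1`) to list findings only, and add `-Remediate` to act on them. The audit output, including the file hash, is what you would forward to the AV vendor or to the list; the script searches only the named indicators, so a variant that drops under a different name will not be caught by it, which is why the thread's advice to run a second scanner remains the better check.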