Sophos

Download Free virus scan - Download the Sophos Threat Detection Test

Spoofed eCard site infecting victims with Cimuz

Or perhaps the more festive title “Jingle All the Way (…to a Cimuz infection)”?

Overnight SophosLabs identified a malicious eCard spam campaign that was spoofing the legitimate AmericanGreetings.com service. The spam messages used in the campaign enticed recipients into clicking on the embedded link to view their card.

[eCard spam]

Anyone who clicked on the link would not see their eCard, but instead a message informing them that an additional ActiveX control is required to view it.

[Spoofed eCard site]

Within the source of this page is the culprit: a malicious embedded object pointing to an installation package hosted on the malicious domain.

[Source for malicious object]

If the ActiveX control installation is authorised, the CAB package is retrieved and the file update.exe is extracted and executed (detection added as Troj/Cimuz-CS). This file proceeds to infect the victim with Cimuz.

  • flashupdate.exe is written to the temporary folder and executed
  • an attempt is made to connect to remote servers and download additional files
  • at the time of writing, one of these files was available, and contained instructions of an additional URL to download from
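As an added illustration (not SophosLabs code), the following script checks a page's HTML source for the pattern described above: an `<object>` element whose `codebase` would pull a CAB installer from a host other than the one serving the page. The sample page, the CLSIDs and the domains are constructed placeholders, not values from the campaign.

```python
"""Flag <object> tags whose codebase fetches a CAB installer from a third-party
host, i.e. an ActiveX install prompt backed by an off-site package.
Constructed example for this blog post; not SophosLabs code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectTagFinder(HTMLParser):
    """Collect (classid, codebase) pairs from every <object> start tag."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag == "object":  # HTMLParser already lowercases tag names
            a = {k.lower(): (v or "") for k, v in attrs}
            self.objects.append((a.get("classid", ""), a.get("codebase", "")))


def suspicious_activex_installs(html, page_url):
    """Return (classid, codebase, host) for each CAB codebase that is hosted
    somewhere other than the page's own host. A relative codebase counts as
    same-host; the '#version=...' fragment is ignored when checking the file."""
    page_host = (urlparse(page_url).hostname or "").lower()
    finder = ObjectTagFinder()
    finder.feed(html)
    hits = []
    for classid, codebase in finder.objects:
        if not codebase:
            continue
        parsed = urlparse(codebase.split("#", 1)[0])
        if not parsed.path.lower().endswith(".cab"):
            continue
        host = (parsed.hostname or page_host).lower()
        if host != page_host:
            hits.append((classid, codebase, host))
    return hits


# Constructed sample mimicking the spoofed eCard page (placeholder values).
SAMPLE_HTML = """<html><body>
<p>An additional ActiveX control is required to view your card.</p>
<OBJECT classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://ecard-update.example/pkg/install.cab#version=1,0,0,1">
</OBJECT>
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="/local/viewer.cab"></object>
</body></html>"""

if __name__ == "__main__":
    for classid, codebase, host in suspicious_activex_installs(
            SAMPLE_HTML, "http://ecards.example/card?id=1"):
        print(f"suspicious ActiveX install: {classid} from {host} ({codebase})")
```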

Thankfully, the flashupdate.exe file is proactively detected as Mal/Cimuz-D:

[Cimuz-D proactive detection]

The Cimuz family of Trojans is no stranger to this blog [1,2,3], but in recent months it has been pretty quiet. Clearly the group behind this latest attack are in need of a little financial top-up over the Christmas period. Don’t help them: follow the usual rules, especially over Christmas and New Year, when social engineering tricks may work that little bit too easily.



