Sophos

23 December 2007 13:27 GMT

Spoofed eCard site infecting victims with Cimuz

Or perhaps the more festive title “Jingle All the Way (…to a Cimuz infection)”?

Overnight, SophosLabs identified a malicious eCard spam campaign that was spoofing the legitimate AmericanGreetings.com service. The spam messages used in the campaign enticed recipients into clicking on the embedded link to view their card.

[eCard spam]

Anyone who clicked on the link would not see their eCard, but instead a message informing them that an additional ActiveX control is required to view it.

[Spoofed eCard site]

Within the source of this page is the culprit - a malicious embedded object pointing to an installation package hosted on the malicious domain.

[Source for malicious object]

If the ActiveX control installation is authorised, the CAB package is retrieved and the file update.exe is extracted and executed (detection added as Troj/Cimuz-CS). This file proceeds to infect the victim with Cimuz.
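As an added illustration (not part of the original post, and not Sophos tooling), the following Python script shows one way a defender could flag the pattern described above in captured page source: an `<object>` element whose `codebase` attribute fetches a CAB installer, which the browser would offer to install as an ActiveX control. The sample HTML, the hostnames (`*.example.invalid`), the file name `installer.cab` and the CLSID values are constructed placeholders, not values from the campaign.

```python
"""Flag <object> elements whose codebase attribute pulls a CAB installer.

Added example, not Sophos code. The signal is the same one the post
describes: a page that claims an extra ActiveX control is required and
embeds an object whose codebase points at a .cab package. Any CAB host
not on an explicit allowlist is reported as untrusted.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectCodebaseScanner(HTMLParser):
    """Collect every <object> tag together with its classid and codebase."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "object":
            return
        # Attribute values may be None for bare attributes; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        self.objects.append(
            {"classid": a.get("classid", ""), "codebase": a.get("codebase", "")}
        )


def find_cab_installers(html_source, page_url, trusted_hosts=None):
    """Return one finding per <object> whose codebase fetches a .cab file.

    page_url resolves relative codebase values to the page's own host.
    trusted_hosts is an optional set of hosts allowed to serve ActiveX
    installers; anything else is marked trusted=False.
    """
    trusted = {h.lower() for h in (trusted_hosts or ())}
    page_host = (urlparse(page_url).hostname or "").lower()

    scanner = ObjectCodebaseScanner()
    scanner.feed(html_source)

    findings = []
    for obj in scanner.objects:
        codebase = obj["codebase"]
        parsed = urlparse(codebase)
        # codebase often carries a version fragment: ".../x.cab#version=1,0,0,0"
        # urlparse keeps that in .fragment, so .path still ends in ".cab".
        if not parsed.path.lower().endswith(".cab"):
            continue
        cab_host = (parsed.hostname or page_host).lower()
        findings.append(
            {
                "classid": obj["classid"],
                "codebase": codebase,
                "cab_host": cab_host,
                "trusted": cab_host in trusted,
            }
        )
    return findings


# Constructed sample page: hostnames, CLSIDs and file names are placeholders.
SAMPLE_PAGE_URL = "http://ecard.example.invalid/view.html"
SAMPLE_HTML = """
<html><body>
<p>An additional ActiveX control is required to view your card.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://download.example.invalid/installer.cab#version=1,0,0,0"
        width="1" height="1"></object>
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="viewer.cab"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>
"""


if __name__ == "__main__":
    for f in find_cab_installers(SAMPLE_HTML, SAMPLE_PAGE_URL,
                                 trusted_hosts={"ecard.example.invalid"}):
        status = "TRUSTED" if f["trusted"] else "UNTRUSTED"
        print(f"{status}: {f['cab_host']} -> {f['codebase']} ({f['classid']})")
```

Run against the constructed page, the script reports two CAB-backed objects: the one fetched from `download.example.invalid` as untrusted and the page-relative `viewer.cab` as trusted because its host was allowlisted; the Flash object with no `codebase` is ignored. In practice the allowlist would be empty or very short, since an eCard page has no legitimate reason to push an ActiveX installer at all.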

Thankfully, the flashupdate.exe file is pro-actively detected as Mal/Cimuz-D:

[Cimuz-D proactive detection]

The Cimuz family of Trojans is no stranger to this blog [1,2,3], but in recent months it has been pretty quiet. Clearly the group behind this latest attack are in need of a little financial top-up over the Christmas period. Don’t help them: follow the usual rules, especially over Christmas and New Year, when social engineering tricks may work that little bit too easily.

Fraser Howard, SophosLabs UK