Not-So-Fun Video Postcard
A variety of bulletin boards are being spammed with a message urging users to visit mailfreepostcards.com (don't visit that domain!) for a fun video. However, when visiting that site, users are prompted to download an executable. Message board spam is nothing new; what is different here is that the spam text is integrated into legitimate messages posted by real users.
The posters are infected with an updated version of Trojan.Mespam, which is downloaded by Trojan.Peacomm. This threat can watch all of your network traffic through a layered service provider (LSP); when it notices you posting to a bulletin board, it modifies your post to include the spam text.
Trojan.Mespam can inject text not only into your outgoing forum posts, but also into Web mail provided by Tiscali, Earthlink, Comcast, Bellsouth, Gmail, Rambler, FastMail, Care2, mail.com, Hotmail, Yahoo, Lycos, AOL, and mail.ru. In addition, the updated threat still injects messages into outgoing instant messages for Gtalk, Yahoo Messenger, AIM, and ICQ.
The Trojan can update both the message and the URL, so the actual URL will likely change soon, especially once we are able to close down that domain. In the meantime, don't click on unrelated links in forum postings, email, or IM, and definitely avoid executing any files you receive from unsolicited links. If you notice odd additional text or URLs in your own outgoing email, forum postings, or IMs, you are likely infected. You can scan your machine using Symantec Security Check.
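
The self-check described above, comparing what you wrote with what was actually delivered, can be automated. This is an added example, not Symantec's code; the function names and the sample messages with their `.test` and `.invalid` host names are constructed for illustration.

```python
import difflib
import re

# Matches explicit URLs and bare host names such as "forum.example.test/notes".
# Deliberately loose: a false positive here only means a human looks at the post.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

# Constructed sample: the text the user typed and the text the forum published.
DRAFTED = ("Has anyone tried the new firmware? Release notes are at "
           "forum.example.test/notes and it fixed my issue.")
DELIVERED = (DRAFTED + " Have you seen this fun video? "
             "http://postcards.example.invalid/video")


def host_of(url):
    """Lower-case host part of a URL or bare host name."""
    url = re.sub(r"^https?://", "", url, flags=re.I)
    return url.split("/")[0].rstrip(".,;:!?)").lower()


def added_spans(drafted, delivered):
    """Runs of words present in `delivered` but absent from `drafted`."""
    a, b = drafted.split(), delivered.split()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [" ".join(b[j1:j2])
            for op, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if op in ("insert", "replace")]


def injected_hosts(drafted, delivered):
    """Hosts that appear only in text added after the message was drafted."""
    known = {host_of(u) for u in URL_RE.findall(drafted)}
    found = []
    for span in added_spans(drafted, delivered):
        for url in URL_RE.findall(span):
            host = host_of(url)
            if host not in known and host not in found:
                found.append(host)
    return found


if __name__ == "__main__":
    for span in added_spans(DRAFTED, DELIVERED):
        print("added text:", span)
    print("unexpected hosts:", injected_hosts(DRAFTED, DELIVERED))
```

Because the modification happens on the sender's machine, the comparison is only meaningful when the delivered copy is read back from somewhere the infected host does not control, such as the published post viewed from another device.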