Security Response

Xmas eCard Spam - Malicious Downloader

Created: 04 Dec 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:00 GMT
Jitender Sarda

'Tis the season of exchanging greetings, what with Thanksgiving and Xmas rounding out the year's end. Unfortunately, malicious code writers are on the job trying to exploit these occasions by sending out mass spam email greeting cards with attractive and fancy links that serve the purpose of downloading malicious files to a victim's computer.

These eCards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the eCards, which have underlying tricks to try and infect the computer. With the Xmas bells starting to ring, here is the first instance where Xmas eCards have started doing the rounds. The URL included in the eCards attempts to download the file "sos385.tmp", which is a downloader.

In this particular sample below, the "From:" header alias is displaying an eCard from a well known company; however, it is of course a spoofed header. The spammer has also deliberately inserted the text "(no worm , no virus)" inside the mail body to mislead the victim and entice them to click on the link.

Sample email:

To: [Removed]

Subject: This is my one-off Xmase-card for you ^_^ Very nice

From: ***** Ecard !!! XXXXX@*mail.com

Date: Sat, 17 Nov 2007 05:11:16 -0600

Reply-To:

Mail body:

http://uklotttery.us/?id=ecard << This is my one-off Xmase-card for you ^_^ Very nice

(no worm , no virus)

Please be aware of this and other suspicious emails that are circulating. Do not open any links in emails that have been sent from a sender that you do not know; in fact, it is often best if you don't even open an email if you do not recognize the sender and are not expecting the email in the first place.
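The traits described above (a brand name in the "From:" alias that does not match the sending domain, an empty Reply-To, a "no worm, no virus" reassurance and an eCard link) can be checked mechanically when triaging reported mail. The following is an added example, not code from the original post; the sample message, the brand-to-domain allowlist and all names and domains in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email above; brand, addresses and URL are placeholders.
SAMPLE = """\
To: recipient@corp.example
Subject: This is my one-off Xmas e-card for you ^_^ Very nice
From: "Example Ecard !!!" <sender@webmail.example>
Date: Sat, 17 Nov 2007 05:11:16 -0600
Reply-To:

http://lure.example/?id=ecard << This is my one-off Xmas e-card for you ^_^ Very nice

(no worm , no virus)
"""

# Assumption: domains that legitimately send mail for each brand seen in display names.
BRAND_DOMAINS = {"example ecard": {"ecards.example"}}

REASSURANCE = re.compile(r"\bno\s+(worm|virus|spyware|trojan)s?\b", re.I)
URL = re.compile(r"https?://[^\s<>\"]+", re.I)

def triage(raw, brand_domains=BRAND_DOMAINS):
    """Return (indicators, urls) found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in brand_domains.items():
        if brand in name.lower() and domain not in allowed:
            hits.append("display-name-brand-mismatch")
    # A Reply-To header that is present but blank, as in the sample.
    if "Reply-To" in msg and not msg["Reply-To"].strip():
        hits.append("empty-reply-to")
    # Decode every leaf part so base64 / quoted-printable bodies are covered too.
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    if REASSURANCE.search(body):
        hits.append("reassurance-phrase")
    urls = URL.findall(body)
    if urls and re.search(r"e-?card", body + msg.get("Subject", ""), re.I):
        hits.append("ecard-lure-with-link")
    return hits, urls

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each indicator is weak on its own; the returned list is meant to feed a score or an analyst queue rather than to block mail outright.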