W32.Friendgreet.worm

Risk Level 1: Very Low

Discovered: October 25, 2002
Updated: February 13, 2007 11:41:02 AM
Also Known As: Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [M, Friend Greeting application (I
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP


The e-card has the following characteristics:

Subject: %recipient% you have an E-Card from %sender%.
Message:
Greetings!

%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link
below.

http:/ /www.friendgreetings.com/pickup/pickup.aspx?<extra content removed>

Message:
------------------------------------------------------------
%recipient%
I sent you a greeting card. Please pick it up.
%sender%
------------------------------------------------------------

If you click the link, you are asked whether you want to download software so that you can view the e-card:
The installer package requires that you accept two End User License Agreements (EULAs) to complete the installation. The second EULA explicitly states that, by accepting the agreement, you are authorizing the software to send an email to all the contacts in the Microsoft Outlook contact list.
  • If you do not accept the agreement, the software is not installed, and an e-card is not sent.
  • If you accept the agreement, the software is installed, and it sends the previously described e-card to all the contacts in the Microsoft Outlook contact list.
If you install this software, it does the following:
  • Adds the following registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7011471D-3F74-498E-88E1-C0491200312D}

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj.1

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3972ADCE-8737-45DE-A6E2-A253348E5A1E}

    HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{059D8C85-A00F-40AF-8078-7692A0A79F19}

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7677C920-9CC3-4621-AF8C-AD45402DC2FD}

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj.1

  • Adds these values:
    DisplayName WinSrv Reg

    UninstallString C:\Program Files\Common Files\Media\UNINSTAL.EXE C:\Program Files\Common Files\Media\INSTALL.LOG WinSrv Reg Uninstall

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg
  • Adds the value:
    PMedia C:\Program Files\Common Files\Media\winsrvc.exe

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • The installer also creates the following files:
    • C:\Program Files\Common Files\Media\Install.log
    • C:\Program Files\Common Files\Media\Otdock.dll
    • C:\Program Files\Common Files\Media\Otglove.dll
    • C:\Program Files\Common Files\Media\Otms.exe
    • C:\Program Files\Common Files\Media\Otupdate.exe
    • C:\Program Files\Common Files\Media\Uninstal.exe
    • C:\Program Files\Common Files\Media\Winsrvc.dat
    • C:\Program Files\Common Files\Media\Winsrvc.exe
    • C:\Program Files\Common Files\Media\NewBinary2.exe
    • C:\Program Files\Common Files\Media\NewBinary3.exe
    • C:\Program Files\Common Files\Media\NewBinary4.exe

NewBinary4.exe contains the worm's mass-mailing routine, which is carried out through MAPI calls. Before mailing, it looks for a file named C:\Progra~1\Common~1\As.ini.

NewBinary4.exe performs its mass-mailing routine only if that file does not exist. After the mass-mailing completes, it creates C:\Progra~1\Common~1\As.ini as a zero-byte file, so the routine runs at most once per host.
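The registry keys, Run value and files listed above, together with the As.ini marker, are enough for a host-triage check. The following script is an added example and is not Symantec's code; it matches a host inventory (registry key paths, Run-key values and file paths with sizes, supplied as plain Python data so it runs offline on any OS) against the indicators from this write-up and uses the As.ini marker to infer whether the mass-mailing routine has already run. The long-name spelling of the marker path (C:\Program Files\Common Files\As.ini) is an assumption about what the 8.3 aliases expand to on a default install; the sample inventory at the bottom is constructed, not real host data.

```python
import ntpath

# Indicators copied from the write-up above.
FRIENDGREET_REGISTRY_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7011471D-3F74-498E-88E1-C0491200312D}",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj.1",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3972ADCE-8737-45DE-A6E2-A253348E5A1E}",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{059D8C85-A00F-40AF-8078-7692A0A79F19}",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7677C920-9CC3-4621-AF8C-AD45402DC2FD}",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj",
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj.1",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("PMedia", r"C:\Program Files\Common Files\Media\winsrvc.exe")
MEDIA_DIR = r"C:\Program Files\Common Files\Media"
FRIENDGREET_FILES = {
    ntpath.join(MEDIA_DIR, name) for name in (
        "Install.log", "Otdock.dll", "Otglove.dll", "Otms.exe", "Otupdate.exe",
        "Uninstal.exe", "Winsrvc.dat", "Winsrvc.exe",
        "NewBinary2.exe", "NewBinary3.exe", "NewBinary4.exe",
    )
}
# The write-up gives the marker in 8.3 short form; the long form is an
# assumption about what those aliases expand to on a default install.
MARKER_FILE_PATHS = (
    r"C:\Progra~1\Common~1\As.ini",
    r"C:\Program Files\Common Files\As.ini",
)


def _norm(path):
    """Registry and NTFS paths are case-insensitive; compare them that way."""
    return path.strip().rstrip("\\").lower()


def match_indicators(reg_keys, run_values, files):
    """Return which advisory indicators are present in the inventory.

    reg_keys:   iterable of registry key paths found on the host
    run_values: dict {key_path: {value_name: data}} for autostart keys
    files:      dict {file_path: size_in_bytes}
    """
    present_keys = {_norm(k) for k in reg_keys}
    present_files = {_norm(f) for f in files}
    hits = {
        "registry_keys": sorted(k for k in FRIENDGREET_REGISTRY_KEYS
                                if _norm(k) in present_keys),
        "files": sorted(f for f in FRIENDGREET_FILES if _norm(f) in present_files),
        "run_value": False,
    }
    run = {_norm(k): v for k, v in run_values.items()}
    for name, data in run.get(_norm(RUN_KEY), {}).items():
        if name.lower() == RUN_VALUE[0].lower() and _norm(data) == _norm(RUN_VALUE[1]):
            hits["run_value"] = True
    return hits


def mailing_status(files):
    """Infer from the As.ini marker whether NewBinary4.exe has already mailed.

    Per the write-up, the routine runs only when As.ini is absent and leaves
    a zero-byte As.ini behind once it has finished.
    """
    sizes = {_norm(p): size for p, size in files.items()}
    for marker in MARKER_FILE_PATHS:
        if _norm(marker) in sizes:
            return "mailed" if sizes[_norm(marker)] == 0 else "marker present but non-empty"
    installed = any(_norm(f) in sizes for f in FRIENDGREET_FILES)
    return "installed, mailing not yet run" if installed else "no artifacts"


def triage(reg_keys, run_values, files):
    """Combine indicator matching and the marker check into one verdict."""
    hits = match_indicators(reg_keys, run_values, files)
    infected = bool(hits["registry_keys"] or hits["files"] or hits["run_value"])
    return {"infected": infected, "mailing": mailing_status(files), **hits}


# Constructed sample inventory (not real host data) for a stand-alone run.
SAMPLE_REG_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}",
    r"HKEY_LOCAL_MACHINE\Software\Classes\IEMsgSvr.IEMsgSvrObj.1",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp",
]
SAMPLE_RUN_VALUES = {
    RUN_KEY: {
        "PMedia": r"C:\Program Files\Common Files\Media\winsrvc.exe",
        "ExampleApp": r"C:\Program Files\ExampleApp\tray.exe",
    }
}
SAMPLE_FILES = {
    r"C:\Program Files\Common Files\Media\Winsrvc.exe": 61440,
    r"C:\Program Files\Common Files\Media\NewBinary4.exe": 24576,
    r"C:\Progra~1\Common~1\As.ini": 0,
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REG_KEYS, SAMPLE_RUN_VALUES, SAMPLE_FILES), indent=2))
```

On a live Windows host the inventory would come from a registry export and a directory listing of the Media folder; the matching is case-insensitive because both the registry and NTFS are, so a key exported as `Software\Classes\...` still matches the advisory's `Software\CLASSES\...` spelling. A zero-byte As.ini tells the responder that the Outlook contact list has most likely already been mailed, which changes the scope of the incident from one host to everyone in that address book.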
