Card.exe is not Brought to you by 123Christmas-Greetings!

Unfortunately, a handful of legitimate online greeting card sites continue to be spoofed as part of the ongoing, successful Waledac threat.
While it is similar to the Storm threat, the shameless ripoff of multiple greeting card sites is even more blatant than Storm’s crafted web sites in 2007. Here is a snapshot of one of the legitimate sites:

And here is an example message spammed out by the Waledac worm:
“Jeff has mailed a e-card.
Just click on the following Internet address:
hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d
Brought to you by 123Christmas-Greetings!”

Spammed message here using the Christmasbuzz name:
“Thomas has sent an e-card.
Click on the following link or copy and paste the following link into your web
browser’s address bar: hxxp:// smart cardgreeting.com/ ?code=844e643ab7
(c) Christmasbuzz.com”

Legitimate Christmasbuzz site looks like this snapshot:

Another spammed message from the worm:
“Thomas sent you a ecard.
Click on the following link to see your Ecard:
hxxp://world greetingcard.com/ ?id=1025025ecd
Thanks for Using Card Fountain!”

And the corresponding legitimate Card Fountain web site here:

Do not randomly click on links emailed to you, as pointed out previously. Ecards and greetings can be a sore spot for a lot of users before and after the holiday seasons, but it can be nice to receive holiday wishes when they come from legitimate sites.
Also note that most of the legitimate sites provide users with flash movies and other animated cards, instead of the “card.exe” malcode.
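
The lures quoted above share two traits a mail filter can test for: the brand named in the footer never appears in the host name of the link, and the link is a bare site root carrying a single hex token. The following Python check is an added example, not code from the original post; the function name, signal labels and the benign message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Lure bodies quoted in the post; links stay defanged as published.
LURES = [
    "Jeff has mailed a e-card.\nJust click on the following Internet address:\n"
    "hxxp://your regards.com/ ?ID=5b830b13b073c19cabc3a06878d\n"
    "Brought to you by 123Christmas-Greetings!",
    "Thomas has sent an e-card.\nClick on the following link or copy and paste "
    "the following link into your web\nbrowser's address bar: "
    "hxxp:// smart cardgreeting.com/ ?code=844e643ab7\n(c) Christmasbuzz.com",
    "Thomas sent you a ecard.\nClick on the following link to see your Ecard:\n"
    "hxxp://world greetingcard.com/ ?id=1025025ecd\nThanks for Using Card Fountain!",
]
# Constructed benign message: hypothetical brand on a reserved .example domain.
BENIGN = ("Anna has sent you an e-card.\nView it here: "
          "hxxp://cards.examplegreetings.example/view/2009/card-18\n"
          "Brought to you by Example Greetings!")

URL_RE = re.compile(r"hxxps?://(.*)$", re.I | re.M)
FOOTER_RE = re.compile(
    r"^(?:Brought to you by|Thanks for Using|\(c\))\s+(.+?)[!.]?\s*$", re.I | re.M)
HEX_TOKEN = re.compile(r"[0-9a-f]{8,}", re.I)

def squash(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def lure_signals(body):
    """Return the lure traits found in one message body (empty list if none)."""
    url_m, brand_m = URL_RE.search(body), FOOTER_RE.search(body)
    if not url_m:
        return []
    # Remove the spaces added when the link was defanged, then parse it.
    url = urlsplit("http://" + re.sub(r"\s+", "", url_m.group(1)))
    signals = []
    if brand_m:
        # "Christmasbuzz.com" -> "christmasbuzz"; compare against the host name.
        brand = re.sub(r"\.[a-z]{2,}$", "", brand_m.group(1).lower())
        if squash(brand) not in squash(url.hostname or ""):
            signals.append("brand-host-mismatch")
    params = parse_qsl(url.query)
    if url.path in ("", "/") and len(params) == 1 and HEX_TOKEN.fullmatch(params[0][1]):
        signals.append("bare-hex-token-link")
    return signals

if __name__ == "__main__":
    for body in LURES + [BENIGN]:
        print(body.splitlines()[0], "->", lure_signals(body))
```

The footer phrases in `FOOTER_RE` cover only the three lures shown here, so the pattern needs extending as new templates appear.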

Current malicious sites are serving exploit pages and “card.exe” at the following domains; do not visit them. Some were registered by the botherders earlier today, along with a slew of domains that are now hosting online Canadian pharmacy sites:
The guys over at Shadowserver posted a writeup on the worm to close out 2008, and included a list of domains being used by the botherders at the time. The distributors continue to be active.

And why might this Storm copycat scheme come back in vogue? Spam, of course!
In addition to the links to malicious attack sites being sent out (posted in the description above), holiday-themed, seasonal spam containing links to online Canadian pharmacies peddling Viagra and “enhancement” drugs is being blasted out by infected systems as well:

“Subject: When going on holiday take bluepills with you to ensure potence!
We have everything to make your love more passionate.
hxxp:// thank believe.com/”

“Be ready for spring love marathon! hxxp:// character effect.com/”

“Start enjoying your xxxlife! hxxp:// grew ten.com/”

“Subject: How intresting is your bedroom life?
Dont put your health at stake! hxxp:// what least.com/”

“Subject: Latest news from your doctor.
Our experts recommend! hxxp:// steam coast.com/”

It appears to be a fairly international spamming effort with DNS domains rapidly being registered in China and Latvia, exploit pages served in the U.S., and pharma sales coming out of Canada off of servers hosted in China.


One Response to Card.exe is not Brought to you by 123Christmas-Greetings!

  1. Ryan Meray says:

    Card.exe is not an eCard, MP3Codec.exe is not a codec? What’s next, Adobe_flash9.exe isn’t Adobe Flash?

    I blame the success of malware like this on two things – The fact that up until a couple years ago, you could pretty much implicitly trust things served up by the internet, and not educating people about who it’s safe to download things from and who it isn’t.

    People need to realize that downloading a file could potentially be the same thing as handing a stranger the keys to your car or leaving your garage door open overnight. You might be able to get away with it and not get hosed, but you’re asking for trouble.

    When is the media going to start making a bigger deal out of the malware threat people face daily? My little Ferndale, MI computer repair company deals with this stuff day in and day out, and it’s affecting everyone from teenage Myspace junkies to old ladies looking at flower websites. And from where I’m sitting, it seems to be getting worse daily.
