Kill the messenger? In this case, yes.

A round of “hallmark.exe” files is being downloaded and run by some of our community. Some of them display images of pleasant scenes, such as a strangely named “xmas.jpg” that doesn’t look much like Christmas anywhere to me.

In the background, however, this Hallmark greeting is unpleasantly dropping and installing multiple IRC bot components. It copies out what looks like the common Windows system file “spoolsv.exe” to \windows\temp\spoolsv, but the file is actually a common IRC client. Multiple other configuration files are copied out alongside it so that the client connects back to the standard IRC port 6667 on a number of undernet.org and servebeer.com servers for further instructions.
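The two behaviours described above, a “spoolsv.exe” running from somewhere other than the Windows system directory and a process opening outbound connections to port 6667, are easy to turn into a detection. The script below is an added example and is not code from the original post; the pipe-separated log format, the process IDs and the IP addresses (documentation ranges) are all constructed for the example, so the parser would need adapting to a real EDR or firewall export.

```python
"""Flag a masquerading spoolsv.exe and IRC-port connections in sample logs.

Added example, not part of the original post. The log format below is
constructed: proc records carry a path and pid, net records carry a pid and
a destination. Real products will need their own parser.
"""
from dataclasses import dataclass

# Constructed sample records (not real telemetry). Addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
proc|2008-07-10 09:12:01|C:\\Windows\\System32\\spoolsv.exe|pid=1204
proc|2008-07-10 09:12:05|C:\\Windows\\Temp\\spoolsv\\spoolsv.exe|pid=2210
proc|2008-07-10 09:12:06|C:\\Users\\jdoe\\Downloads\\hallmark.exe|pid=2200
net|2008-07-10 09:12:09|pid=2210|dst=203.0.113.10:6667
net|2008-07-10 09:12:10|pid=2210|dst=203.0.113.11:6667
net|2008-07-10 09:12:20|pid=1204|dst=192.0.2.5:515
net|2008-07-10 09:13:00|pid=3001|dst=198.51.100.7:443
"""

# Directories where the real print spooler service binary lives on a
# default install; anything else claiming that name is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# The standard IRC port named in the post. Add others if your environment
# sees them.
IRC_PORTS = {6667}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    rule: str
    detail: str


def _value(field: str) -> str:
    """Return the part after '=' in a 'key=value' field."""
    return field.split("=", 1)[1]


def analyse(log_text: str) -> list[Finding]:
    """Walk the log once, remembering suspicious pids so that later network
    records from the same process can be rated more severely."""
    findings: list[Finding] = []
    suspicious_pids: dict[str, str] = {}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        kind, ts = fields[0], fields[1]

        if kind == "proc":
            path, pid = fields[2], _value(fields[3])
            directory, _, name = path.lower().rpartition("\\")
            # Rule 1: spoolsv.exe outside the system directories is a
            # masquerade, exactly the copy-out the post describes.
            if name == "spoolsv.exe" and directory + "\\" not in SYSTEM_DIRS:
                suspicious_pids[pid] = path
                findings.append(Finding(
                    ts, "masquerade",
                    f"spoolsv.exe outside system dir: {path} (pid {pid})"))

        elif kind == "net":
            pid = _value(fields[2])
            host, port = _value(fields[3]).rsplit(":", 1)
            # Rule 2: any outbound IRC-port connection is worth a look;
            # one from a process already flagged by rule 1 is far stronger.
            if int(port) in IRC_PORTS:
                rule = ("irc-from-masquerade" if pid in suspicious_pids
                        else "irc-outbound")
                findings.append(Finding(ts, rule, f"pid {pid} -> {host}:{port}"))

    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.timestamp, f.rule, f.detail)
```

Run against the constructed sample, the real spooler (pid 1204, talking to a printer on port 515) and the browser on 443 are left alone; the copy under \Windows\Temp is flagged once for its location and twice more for its IRC connections, with the correlated rule name making the triage order obvious.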

On its own, the mIRC application has plenty of legitimate uses. But when it is packaged up this way and performing unexpected actions, it can be severely misused.

As always, stay wary of links that are sent to you via email.

Note: these types of emails are arriving in varying flavors. This one is definitely related to the recent 4th of July “july.exe” IRCbot variants that were sent out and mistakenly associated with the Storm gang by some of the research community.

This entry was posted in Online Fraud.
