E-Card is scam, spam & porn

Discussion in 'other security issues & news' started by Old_Sixteen, Oct 25, 2002.

Thread Status:
Not open for further replies.
  1. Old_Sixteen

    Old_Sixteen Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    17
    Please proceed with caution over the next few weeks when receiving an "E-Card"....
    This little gem will help itself to all the addresses in the PC of the unwary, to peddle its trash.

    The spammers are now in the trojan business? (I have added this nasty (friendgreetings.com) to my restricted list.) I can't believe no one has shut them down.

    Read all about it here:
    http://www.msnbc.com/news/826033.asp?0na=x223F6Z0-&cp1=1
    :mad: :mad: :mad:
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Quite so, Old Sixteen.

    Sophos alerted this way:

    "SOPHOS ADVISES ON UNWANTED "E-CARDS" FILLING EMAIL INBOXES

    It's not a virus, it's not a worm.. but it could be considered a nuisance


    Sophos technical support has received a significant number of calls from customers concerned about a widespread email which invites users to pick up an "E-Card" from a website called FriendGreetings.com.

    If users follow the link in the email, they are invited to install an ActiveX control onto their computer. An end-user license agreement (EULA) is displayed stating that by installing the application the user is giving permission to send a similar greeting card to all addresses found in the user's Outlook address book.

    Of course, many users will not read the EULA thoroughly and will simply give permission for the ActiveX control to be installed, thus allowing many unwanted emails to be sent.

    The emails arrive with the following characteristics:


    Subject:

    <Recipient name> you have an E-Card from <Sender name>

    Body:

    Greetings!

    <Sender name> has sent you an E-Card - a virtual postcard from
    FriendGreetings.com. You can pick up your E-Card at the
    FriendGreetings.com by clicking on the link below.

    <A url at wwx.friendgreetings.com is then displayed>

    Message:
    ----------------------------------------------------------
    <Recipient name>
    I sent you a greeting card. Please pick it up.
    <Sender name>
    ----------------------------------------------------------


    It should be noted that this is not a virus or a worm, and that the email has no attachment.

    Customers with web proxies who are concerned about users forwarding unwanted emails may like to consider blocking access to wwx.friendgreetings.com. The website is run by a Panamanian company called Permission Media, Inc. Companies who receive unwanted email as described above may wish to complain directly to Permission Media."

    regards.

    paul
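
The message traits listed in the Sophos advisory above can be turned into a mail-gateway check. This is an added example, not part of the thread or of any Sophos product; the function names, the verdict labels, the sample message, and the choice to match any subdomain of friendgreetings.com are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

BLOCKED_DOMAIN = "friendgreetings.com"  # site named in the advisory
SUBJECT_RE = re.compile(r"^\S.* you have an E-Card from \S.*$", re.I)
PICKUP_RE = re.compile(r"I sent you a greeting card\.\s+Please pick it up\.", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def link_hosts(text):
    """Return the lower-cased hostnames of every http(s) URL in text."""
    return {(urlsplit(u).hostname or "").lower() for u in URL_RE.findall(text)}

def on_blocked_domain(host):
    """True for the domain or any subdomain, not for look-alike names."""
    return host == BLOCKED_DOMAIN or host.endswith("." + BLOCKED_DOMAIN)

def classify(raw):
    """Return (verdict, matched_traits) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    traits = []
    if SUBJECT_RE.match(str(msg.get("Subject", ""))):
        traits.append("subject")
    if PICKUP_RE.search(body):
        traits.append("pickup-text")
    if any(on_blocked_domain(h) for h in link_hosts(body)):
        traits.append("link-host")
    if "link-host" in traits:
        return "block", traits          # link goes to the advisory's site
    if "subject" in traits and "pickup-text" in traits:
        return "review", traits         # same template, different host
    return "pass", traits

# Constructed sample following the advisory's template (names and URL path invented).
SAMPLE_ECARD = (
    "From: alice@example.org\nTo: bob@example.org\n"
    "Subject: Bob you have an E-Card from Alice\n\n"
    "Greetings!\n\nAlice has sent you an E-Card - a virtual postcard from\n"
    "FriendGreetings.com. You can pick up your E-Card by clicking below.\n\n"
    "http://wwx.friendgreetings.com/pickup?id=constructed\n\n"
    "Message:\nBob\nI sent you a greeting card. Please pick it up.\nAlice\n"
)
SAMPLE_OTHER_HOST = SAMPLE_ECARD.replace("wwx.friendgreetings.com", "cards.example.net")

if __name__ == "__main__":
    print(classify(SAMPLE_ECARD), classify(SAMPLE_OTHER_HOST))
```

The subject pattern alone also matches ordinary e-card notices, which is why only the link host produces a block verdict here.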
     
  3. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    HERE IS AN UPDATE

    ONLINE GREETING CARDS ARE "NOT" FOR YOU!

    If you get an email to pick up greeting cards you have TWO new exploits to consider. One is a trojan, the other is a worm, and if some of your friends fall for them and get infected... you will end up with email of the same variety, and on the second one your friend will have already given out your email address in the process.





    Troj/Ortyc.

    It opens pop-up windows of pornographic sites.

    This Trojan, when executed, opens windows (pop-ups) to pornographic sites. This happens while you use Internet Explorer to surf and happens practically any time you visit any site. The "trigger" is a series of key words found in the visited site, which are compared with its own list, incorporated into the code of the trojan.

    The trojan can arrive on our PC in an electronic message that announces an electronic greeting card that somebody has sent to us.

    Name: Troj/Ortyc
    Type: Trojan horse
    Alias: Ortyc.Trojan, Cytron
    Date: 24/oct/02
    Size: 122.880 bytes
    Platform: Windows 32-bits



    (see here)


    http://www.dslreports.com/forum/remark,4830202~root=security,1~mode=flat




    __________________________




    Similar type of exploit, this one a worm that steals all the names from your address book.





    Name: FriendGreetings (Friendgr)
    Type: Internet worm
    Alias: Friend_Greeting@mm, Iworm.Friendgr, WORM_FRIENDGRT.A, Friendgreetings
    Date: 25/oct/02

    (see here)

    http://www.dslreports.com/forum/remark,4816374~root=security,1~mode=flat
     
  4. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi,

    Just to let everyone know friendgreetings.com is in the ie-spyad list for restricted sites. Boy do I like that.

    Loki :cool:
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    We had our first member come up with Troj/Ortyc (opens pop-ups of pornographic sites) on his system last night.
    Posting this link for all of us here to get some ideas how hard it seems to clean this one off. I think in the next week all the AV/AT houses will have it down pat... some might be able to do it now... as we all know that cockpit error always comes into play when you are angry and want the bugger gone. But it was interesting. ;)





    Help!! This Cytron browser hijacker crap keeps

    http://www.dslreports.com/forum/remark,4842761~root=security,1~mode=flat
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    About Cytron/Burnaby/E-Card, here's some more info: http://and.doxdesk.com/parasite/Cytron.html

    We've been seeing a lot of it indeed.

    It installs the following Browser Helper Object {3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}: potd.dll

    If you disable or delete that one, that should get rid of it.

    Cheers,
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Additionally, here's the E-Card ActiveX object, which needs to be deleted in Downloaded Program Files as well:

    [TargetingSource Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\potd.dll
    CODEBASE = http;//www.surprisecards.net/e-card_viewer.cab
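
A way to check a machine for the Browser Helper Object named in the two posts above is to export the registry to text and audit every registered BHO against its InprocServer32 DLL. This is an added example, not code from the thread; the function names and the sample export are constructed, and the second CLSID in the sample is a made-up benign entry.

```python
import re

# Indicators quoted from the posts above.
KNOWN_BAD_CLSID = "{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}"
KNOWN_BAD_DLL = "potd.dll"
GUID = r"(\{[0-9A-Fa-f-]{36}\})"
BHO_KEY_RE = re.compile(r"^\[.*\\Browser Helper Objects\\" + GUID + r"\]$", re.I)
INPROC_KEY_RE = re.compile(r"^\[.*\\CLSID\\" + GUID + r"\\InprocServer32\]$", re.I)
DEFAULT_VAL_RE = re.compile(r'^@="(.*)"$')

def parse_export(reg_text):
    """Return (set of BHO CLSIDs, {CLSID: InprocServer32 path}) from .reg text."""
    bhos, servers, current = set(), {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = None                      # a new key ends the previous one
            m = BHO_KEY_RE.match(line)
            if m:
                bhos.add(m.group(1).upper())
            m = INPROC_KEY_RE.match(line)
            if m:
                current = m.group(1).upper()
        elif current:
            m = DEFAULT_VAL_RE.match(line)      # the key's default value is the DLL
            if m:
                servers[current] = m.group(1).replace("\\\\", "\\")
    return bhos, servers

def audit_bhos(reg_text):
    """List (clsid, dll, flagged) for every registered BHO, sorted by CLSID."""
    bhos, servers = parse_export(reg_text)
    report = []
    for clsid in sorted(bhos):
        dll = servers.get(clsid, "")
        basename = dll.rsplit("\\", 1)[-1].lower()
        flagged = clsid == KNOWN_BAD_CLSID or basename == KNOWN_BAD_DLL
        report.append((clsid, dll, flagged))
    return report

# Constructed export text; a real .reg file must be decoded to str first.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
[HKEY_CLASSES_ROOT\CLSID\{3750BFA3-1392-4AF3-AF86-9D2D4776E5A4}\InprocServer32]
@="C:\\WINNT\\Downloaded Program Files\\potd.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"""
```

A BHO whose CLSID has no InprocServer32 entry in the export is reported with an empty DLL path, which is itself worth a look.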
     