30 June 2007 04:17 GMT
A not so friendly Ecard
SophosLabs analysts today encountered a new spam campaign that contains an embedded Trojan within the HTML message.
The original variant was first brought to our attention a few days ago and caught by SophosLabs analysts then. But today, different variants of the Trojan, Troj/JSEcard-A, have been massively spammed out.
When the Trojan message is rendered, it silently performs a web download from a remote site to the file ecard.exe and then appears in your browser in the following form:
Naturally, there is no new browser feature: clicking on the link simply results in the execution of the downloaded file. Sophos currently provides proactive detection of the downloaded file ecard.exe as Mal/Dorf-A.
This is another social engineering trick employed by malware authors to entice users into running their malware.
As for Troj/JSEcard-A, the embedded HTML contains encrypted code that is decoded by an XOR routine with a specific key. In this instance, SophosLabs analysts have encountered different keys being used across the variant forms of this particular malware.
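The single-byte XOR scheme described above is one an analyst can unwind without knowing the key in advance: XOR is its own inverse, and a 256-key search with a "does this look like script?" score usually recovers it. The following is an added example (not SophosLabs code and not the actual Troj/JSEcard-A payload): the obfuscated blob is constructed from a harmless stand-in plaintext, the key value is an assumption, and the scoring heuristic and the .exe-reference check are illustrative triage rules rather than Sophos's detection logic.

```python
"""
Added example (not SophosLabs code): recovering a single-byte XOR key from an
obfuscated script blob and flagging script-like output, the way an analyst
would triage the encrypted code that Troj/JSEcard-A embeds in its HTML.
The sample payload below is constructed for this illustration.
"""
from __future__ import annotations

# Constructed plaintext standing in for the decoded script; it is NOT the real
# Troj/JSEcard-A content, only a harmless stand-in with JavaScript-like syntax.
SAMPLE_PLAINTEXT = "document.write('Your e-card is ready'); // decoded stand-in"

# Tokens an analyst would expect to see once a JavaScript blob is decoded.
JS_MARKERS = ("document.", "window.", "eval(", "unescape(", "function", "script")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte. XOR is its own inverse, so the
    same call both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def make_sample(key: int) -> bytes:
    """Build a constructed obfuscated blob under an assumed key."""
    return xor_bytes(SAMPLE_PLAINTEXT.encode("ascii"), key)


def script_score(candidate: bytes) -> int:
    """Score how script-like a decoded candidate is: 0 unless every byte is
    printable ASCII (or tab/newline), then 1 plus one per JS marker found."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
    if printable != len(candidate):
        return 0  # a genuinely decoded script has no control or high bytes
    text = candidate.decode("ascii")
    return 1 + sum(marker in text for marker in JS_MARKERS)


def recover_key(blob: bytes) -> tuple[int, str] | None:
    """Try all 256 single-byte keys and return (key, decoded text) for the
    best-scoring candidate, or None if no candidate contains a JS marker."""
    best_key, best_score = -1, 0
    for key in range(256):
        score = script_score(xor_bytes(blob, key))
        if score > best_score:
            best_key, best_score = key, score
    if best_score <= 1:  # printable but no JavaScript markers: not convincing
        return None
    return best_key, xor_bytes(blob, best_key).decode("ascii")


def is_suspicious_decoded_script(text: str) -> bool:
    """Illustrative triage rule: decoded script that writes or evaluates
    content and references an executable download is worth escalating."""
    lowered = text.lower()
    writes = any(m in lowered for m in ("document.write", "eval(", "unescape("))
    return writes and ".exe" in lowered


if __name__ == "__main__":
    assumed_key = 0x5A  # assumption for the demo; real variants used various keys
    blob = make_sample(assumed_key)
    result = recover_key(blob)
    print("recovered:", result)
    if result is not None:
        print("suspicious:", is_suspicious_decoded_script(result[1]))
```

The search relies on the decoded output being clean ASCII with recognisable script tokens, which is exactly what an HTML-embedded JavaScript payload must be in order to run; a wrong key almost always produces control or high-bit bytes and is discarded before the marker check.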
To have an idea of how widespread this problem is, the picture below illustrates the sources (as indicated by the white thumbnails) of this particular spam campaign.
Ouch.
CheeHui, SophosLabs AU