Postcard.exe – be aware!

Malicious messages containing nothing but an executable attachment, postcard.exe, are being spammed to recipients awaiting the New Year celebrations.

There is no message body at all, and the Subject is: Happy New Year!

The sender address is spoofed – as expected.

The following AV writeups have been released (vendors in alphabetical order):

Downloader.Tibs (AVG/Grisoft)
Win32.Worm.Luder.B (BitDefender)
Win32/Luder.I (CA)
Trojan.Downloader-388 (ClamAV)
W32/Tibs.RA (F-Prot)
Luder.A / Trojan-Downloader.Win32.Tibs.jy (F-Secure)
Trojan-Downloader.Win32.Tibs.jy (Kaspersky)
W32/Nuwar@MM (McAfee)
-> drops Downloader-ARL
W32/Dref-U (Sophos)
-> drops Troj/Dloadr-ANE
W32.Mixor.Q@mm (Symantec)
-> drops Trojan.Galapoper.A
W32.Nuwar.AY (Trend Micro)
-> drops TROJ_TIBS.PE
Email-Worm.Win32.Luder.a (unknown vendor)

Kaspersky Lab added detection on Thursday 28th Dec, and several sources report massive spam campaigns.

The size of the .exe varies, but the subject line is always the same. It probably goes without saying that this malware tries to terminate the processes of several AV and firewall utilities.

SANS ISC has reported that there is protection available outside of AV products too:
bleedingthreats.net/index.php/2006/12/29/new-postcardexe-style-outbreak/

Update 30th Dec: Added information about Downloader-ARL, Troj/Dloadr-ANE and TROJ_TIBS.PE
Update #2: Added W32.Mixor.Q@mm hyperlink and information about Trojan.Galapoper.A
Update 31st Dec: New variants are out, and AV coverage is remarkably poor. The new variants use several different subject lines and the attachment names Greeting Card.exe or Greeting Postcard.exe.
3rd Jan ’07: Added information about Win32/Luder.I
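The indicators listed above (the fixed subject line, the spoofed sender, the empty body, and the postcard.exe / Greeting Card.exe / Greeting Postcard.exe attachment names) are enough for a simple mail-gateway triage rule. The following is an added example written for this page, not code from the original post: the subject and attachment names are the ones quoted above, both messages at the bottom are constructed samples, and the spoofed-sender check is a heuristic that assumes the receiving MTA records the envelope sender in a Return-Path header.

```python
"""Gateway-style triage for the postcard.exe lure described in the post above.
Added example, not code from the original post; indicators are the ones the post
quotes, both messages below are constructed, and the Return-Path check is a heuristic."""
import email
from email import policy
from email.utils import parseaddr

# Indicators quoted in the post (later variants used other subjects as well).
KNOWN_SUBJECTS = {"happy new year!"}
KNOWN_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}
# Any directly executable attachment is worth a flag, not only the known names.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
QUARANTINE_THRESHOLD = 2  # points at which this example would quarantine


def _addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message):
    """Parse one RFC 5322 message; return {'score': n, 'reasons': [...]}, one point per indicator."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches the campaign: %r" % subject)

    # Spoofed-sender heuristic: From: domain differs from the envelope sender
    # that the receiving MTA recorded in Return-Path (assumed to be present).
    from_domain = _addr_domain(msg["From"])
    envelope_domain = _addr_domain(msg["Return-Path"])
    if from_domain and envelope_domain and from_domain != envelope_domain:
        reasons.append("From: domain %s differs from envelope domain %s"
                       % (from_domain, envelope_domain))

    executables, body_text = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                executables.append(name)
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()

    for name in executables:
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append("attachment name matches the campaign: %s" % name)
        else:
            reasons.append("executable attachment: %s" % name)

    # The original wave carried nothing but the attachment.
    if executables and not body_text.strip():
        reasons.append("executable attachment with an empty message body")

    return {"score": len(reasons), "reasons": reasons}


def verdict(raw_message):
    """'quarantine' or 'deliver' for one message, using the example threshold."""
    return "quarantine" if triage(raw_message)["score"] >= QUARANTINE_THRESHOLD else "deliver"


# Constructed lure as the post describes it: spoofed From:, known subject, empty
# body, postcard.exe attached. The base64 payload is a placeholder string, not a binary.
LURE_MESSAGE = """\
Return-Path: <bounce@example.net>
From: "A friend" <friend@example.com>
Subject: Happy New Year!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="postcard.exe"
Content-Disposition: attachment; filename="postcard.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""

# Constructed legitimate greeting that happens to use the same subject line.
BENIGN_MESSAGE = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
Subject: Happy New Year!
Content-Type: text/plain; charset="us-ascii"

Hope 2007 treats you well. See you at the party on the 5th.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print("%-6s %-10s %s" % (label, verdict(raw), triage(raw)["reasons"]))
```

The benign message scores one point for the shared subject line alone, which is why the verdict is a threshold over several indicators rather than a single string match: a subject-only rule would have quarantined every genuine New Year greeting, while the lure trips four indicators at once.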

  • Josh

    Well, I got this same message. Its subject was “internet love” and when I went to download this attachment, AVG picked it up immediately. The funny thing is I got it on my Yahoo! email address and they have a Virus Attachment scanner powered by Norton antivirus. Well, Norton didn’t catch this one and I was able to download it, but AVG caught it in seconds. I think that’s pretty funny. Not to mention the fact that I’m working on getting specs on this email so I can report this guy to his ISP.

  • http://www.ChicagoCEG.com Bk4293

    Same thing here, McAfee caught it in Outlook, so I decided to play and see if Yahoo’s virus scanner was up to par… Well, Yahoo was going to let me download it!!!

  • http://purplehill.net Supernaturalist

    For me, my subject was “postcard” and McAfee DIDN’T block it, but I wasn’t stupid enough to run the program.

  • http://davidsterry.com David Sterry

    I got this in the form of an email allegedly from egreetings.com and from “a family member”. Sounded like a scam when I saw it on my Palm, and confirmed that once I saw the IP address in the href in Thunderbird.

  • http://networksecurity.typepad.com/ Juha-Matti

    It is interesting that McAfee didn’t block it in February 2007. Supernaturalist, are you talking about the e-mail received recently?

  • http://artcoder.blogspot.com artcoder

    I received a spam email, but the postcard.exe was not an attachment. (I guess people have figured out not to click on attachments.) Instead, when I do a view source on the email, I see that the postcard.exe was in the “href” of an anchor tag of a spoofed link.

  • Demosthenes

    ZoneAlarm 7 found this in a ‘system restore’ folder, in an eMule-downloaded installer and under the eMule program directory for ‘link creator’.

    Could this have been transferred through eMule? I run eMule using a direct PPPoE link as it will not work through my modem firewall; perhaps this exposed my system?

    I have noticed a few viruses come through eMule files, although of course I never click on executables in downloaded files from file sharing clients.

  • Zandus

    Just got one called “Your Friend and Lover”, but AVG killed it before it got on my system.

  • Tristis

    I have just received two of these attachments, one under the subject heading, “Special Romance,” and another under the subject heading, “You’re My Dream,” neither of which I opened. Any woman sending me an email telling me I’m her dream certainly isn’t mine.

    I googled “postcard.exe” before opening since the second came as a “flash_postcard.exe.” Getting one is suspicious, but two just about kills any thoughts of romance. ;)

  • Kris Heidenstrom

    Like David Sterry I got an email claiming to be from Hallmark (with inline images from hallmark.com) with a link to a file called postcard.exe on a site identified only by its IP address.

  • http://home.comcast.net/~ifcj/Israel.html Stephen

    I got the same Hallmark e-mail as Kris Heidenstrom.
    The “Click Here” link pulls up a RUN / Download box from a Linux Server running the Postcard.exe file.
    It is there to interfere with orderly business on the Internet as I see the case.

  • John

    I got an email telling me I had an ecard from egreetings.com from “a colleague” and the “click here” link didn’t say egreetings.com, only had an IP.

  • http://myboringlife.com webcam girls

    I just got one from egreetings.com and the link doesn’t look like a .exe until you mouse over the link, and then you can see it.

    Subject: Notification from eGreetings.com

    X-Eon-Antispam: 2.0 2.5.2 2007.11.21.184825 64

    Sender:

  • Alexandru Fira

    I decided to turn away from such problems. I am using Linux.

  • Reece

    This virus is part of a .zip included in a hoax email claiming to be from Hallmark, most commonly stating you have received an E-Card.
    Symantec Corporate picks up the contained files in the zip but not the zip itself.
    If it gets through it could be wntebv.exe, postcard.exe, taskmon.exe or hplrfu.exe. Ending the task using Task Manager, then deleting the files, then using regedit to find any entries and deleting those was a perfect fix for this!!!!

  • trapweed

    I have been dealing with virus issues a lot this year, and I have tried several programs. I read some positive reviews in some of the forums and got the CyberdefenderFree. Yes, it is a little confusing about what is free or not, but the fact is companies need to make money, else they can’t support the software – and they use all kinds of ways to do that. You just have to know that when you install it. I really like the Cyberdefender interface, scan times and that it found what I knew was on the system, including several programs/viruses/trojans that some of the others (PC Tools, SuperAntiVirus and Norton) missed. I used it as a free scanner, but the free version does remove spyware and trojans, but you have to upgrade for viruses. Eventually one came along, it caught it, and so I bought the upgrade. Ran Cyberdefender after the upgrade, and the virus was gone (it got into my rootkit and also got the vundo virus, which it took care of). I also like that the upgrade I got came with 24/7 computer help, which was very helpful when I went on a trip, and my wife had a printer problem and called them. They helped her out and she had a positive experience with the Cyberdefender help line. So, this is my experience with Cyberdefender – really good software. Granted, different people have different experiences, but this seems to be a good company (website says they are a NASDAQ company) with a valid product. JMHO.

  • John

    I just got this today. I almost downloaded it, then realized it was sent to “Undisclosed Recipients”. The link downloads from mymedianow.net. A quick WHOIS shows it’s a New Jersey address fronting a Korean site.

    Here’s the Whois:
    Registrant:
    Keem, Sunguk

    300 Knickerboker Rd.
    Suite 2600
    Cresskill, NJ 07626
    US

    Domain Name: MYMEDIANOW.NET

    Administrative Contact , Technical Contact :
    Keem, Sunguk
    sung.keem@gmail.com
    300 Knickerboker Rd.
    Suite 2600
    Cresskill, NJ 07626
    US
    Phone: 201-297-0000
    Fax: 123 123 1234

    Record expires on 22-May-2010
    Record created on 22-May-2007
    Database last updated on 22-May-2007

    Domain servers in listed order:

    NS77.WORLDNIC.COM 205.178.190.39
    NS78.WORLDNIC.COM 205.178.144.39

    Current Registrar: NETWORK SOLUTIONS, LLC.
    IP Address: 210.181.198.164 (ARIN & RIPE IP search)
    IP Location: KR(KOREA)-REPUBLIC OF-KYONGGI-DO
    Record Type: Domain Name
    Server Type: Apache 2
    Lock Status: clientTransferProhibited
    Web Site Status: Active
    DMOZ no listings
    Y! Directory: see listings
    Secure: No
    E-commerce: No
    Traffic Ranking: Not available
    Data as of: 22-Apr-2008

    Watch out for these assholes.

  • Morgan

    I’ve found this nasty little file on my Unix Apache web server. Not sure how they got it on my server yet. But apparently this is how they distribute the virus. Which is just bad for the rest of us trying to run legitimate businesses. Now my server’s been blacklisted etc. I still need to figure out which tiny little hole I have in my world-facing networks. I need to plug it and then I need to repair my blacklisted status.

    Be kind to those who are seemingly hosting the file; chances are they don’t even know it’s on their server. But by all means make them aware they are hosting it.
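Several commenters (artcoder, David Sterry, Kris Heidenstrom, Stephen, John) describe the later variant of this lure: an HTML e-mail dressed up with a card site’s branding, whose “Click here” link quietly points at postcard.exe on a host identified only by an IP address. The following is an added example written for this page, not code from the post or from any commenter: it extracts every link from an HTML body and flags the combination of a bare-IP host, an executable target and a mismatch against the domains the inline images come from. The HTML sample is constructed (www.cards.example and the documentation address 203.0.113.7 stand in for the real sites); the three checks are heuristics, not a signature.

```python
"""Flag greeting-card e-mails whose 'click here' link points at an executable on
a bare-IP host, the variant several commenters above describe. Added example,
not code from the post; the HTML below is constructed, not a captured message."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class _LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> and the hosts of inline images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.image_hosts = set()
        self._current = None  # index into self.links while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append([attrs["href"], ""])
            self._current = len(self.links) - 1
        elif tag == "img" and attrs.get("src"):
            host = urlparse(attrs["src"]).hostname
            if host:
                self.image_hosts.add(host.lower())

    def handle_data(self, data):
        if self._current is not None:
            self.links[self._current][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def _is_ip_literal(host):
    """True when the host part of a URL is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(a, b):
    """Treat a host and its sub-domains as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return one finding per link that looks like the postcard lure."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not host:
            continue  # relative or mailto: links are not what we are after
        reasons = []
        if _is_ip_literal(host):
            reasons.append("link host is a bare IP address")
        if url.path.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append("link target is an executable")
        # Branding mismatch: the images come from the card site, the link does not.
        if collector.image_hosts and not any(_same_site(host, h) for h in collector.image_hosts):
            reasons.append("link host differs from image hosts %s" % sorted(collector.image_hosts))
        if reasons:
            findings.append({"href": href, "text": " ".join(text.split()), "reasons": reasons})
    return findings


# Constructed sample modelled on the comments: card-site branding plus a
# "Click here" link to postcard.exe on a bare IP (203.0.113.7 is a documentation address).
SAMPLE_HTML = """\
<html><body>
<img src="http://www.cards.example/images/logo.gif">
<p>A family member has sent you an e-card.</p>
<p><a href="http://203.0.113.7/postcard.exe">Click here</a> to view it.</p>
<p><a href="http://www.cards.example/help">Help</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

Only the “Click here” link is reported; the “Help” link on the same page goes to the branding host and a non-executable path, so it produces no finding. This is the programmatic form of what the commenters did by hand, looking at the href behind the link text, and it is the kind of check that belongs at the mail gateway rather than in the user’s mouse-over reflexes.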