Anonymous Postcard Email Virus Alert

Date/Time: 05/18/06 08:36:42 pm
Category: General

Hey, I might as well, just this once. Sooooo, if you run Windows and you get an anonymous email with a link to a postcard - don't click it, because it's a link to an .exe file. A naughty one.

I just got one. It identified itself as being from "YourFriend". The link, when I hovered my mouse over it, shows up as http:// www .calinrap.go.ro/postcard.exe. For what it's worth, the IP in the header is 211.156.161.173, though it's probably fake.

Since Googling for "postcard virus" turns up hits from 2001 to 2005, I gather this is an old trick. Since I run Linux, I chuckle heartily at .exe files and download them anyway. It's pretty big at 877KB - you know it must be done in "Visual" something. It appears to involve some kind of self-extracting .rar archive. It apparently needs: KERNEL32.DLL, ADVAPI32.DLL, COMCTL32.DLL, COMDLG32.DLL, GDI32.DLL, OLE32.DLL, SHELL32.DLL, aaaaand USER32.DLL. Hey, I'm just taking guesses from looking at it in Emacs hexl-mode and running the "strings" command on it.
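As an added example (not code from the original post), here is a Python triage script that does properly what the post does by eye with hexl-mode and "strings": it walks the PE import directory to list the DLLs the executable links against, and locates an appended RAR archive by its marker bytes, which is what a self-extracting stub carries. `build_sample_pe` only constructs a sample input so the script runs offline; point `imported_dlls` at the bytes of a real file instead.

```python
import struct

PE32_MAGIC = 0x10B                   # PE32+ images use 0x20B and a wider optional header
RAR_SIGNATURE = b"Rar!\x1a\x07"      # common prefix of the RAR4 and RAR5 archive markers

def _rva_to_offset(rva, sections):
    # Translate a relative virtual address to a file offset via the section table.
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(data):
    """Return the DLL names recorded in the PE import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> PE signature
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin 96 (PE32) or 112 (PE32+) bytes into the optional header; entry 1 is imports.
    import_rva = struct.unpack_from("<I", data, opt + (96 if magic == PE32_MAGIC else 112) + 8)[0]
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    dlls, desc = [], _rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None and data[desc:desc + 20] != bytes(20):   # an all-zero descriptor ends the table
        name_off = _rva_to_offset(struct.unpack_from("<I", data, desc + 12)[0], sections)
        dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        desc += 20
    return dlls

def embedded_rar_offset(data):
    """Offset of an appended RAR archive (what a self-extracting stub unpacks), or -1 if absent."""
    return data.find(RAR_SIGNATURE)

def build_sample_pe(dll_names, payload=b""):
    """Constructed sample input: a minimal, non-executable PE32 holding only an import directory."""
    sec_rva, sec_raw = 0x1000, 0x200
    names_rva, descs, names = sec_rva + 20 * (len(dll_names) + 1), b"", b""
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, names_rva + len(names), 0)   # Name field at offset 12
        names += n.encode("ascii") + b"\0"
    body = descs + bytes(20) + names
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0)
    opt = struct.pack("<H", PE32_MAGIC).ljust(104, b"\0") + struct.pack("<II", sec_rva, len(body))
    sect = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw)
    hdr = (dos + coff + opt.ljust(224, b"\0") + sect.ljust(40, b"\0")).ljust(sec_raw, b"\0")
    return hdr + body + payload
```

A real sample's import list comes from the same table a loader consults, so it is not fooled by stray strings the way a plain "strings" pass can be.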

Interesting note: One of the strings I found in it is "?ichEdit". Now, with the first character erased, this could have been garbage left over from one of those famous DOS "deletes", or do virus writers actually edit in Microsoft Word with "Rich Edit" turned on?

Har! Har har har! Ho ho. OK, that was amusing. *Yawn*. What's on TV?

UPDATE: 12/29/06 Note the original date on this post. However, this week, there has been a huge number of searchers locating this blog while searching for stories about the attachment. I just discovered the story behind it here at Hack-in-the-Box.
As reported by one comment, there is indeed a new strain of this. Between the recent copy received at one of my email accounts and the dozen or so searches landing here every day for it, I gather that it's really spreading fast!
