Wednesday, August 15, 2007

ecard.exe now becomes msdataaccess.exe

Most of you have probably received fake greeting card spam mails with a link to download an ecard. On clicking that link, you are served a few trojans and also advised to download and install ecard.exe to view the ecard. But now the gang behind this malware has renamed their trojan dropper from ecard.exe to msdataaccess.exe! Like the old ecard.exe variant, this new one installs malware such as the Tibs rootkit.

Here's a screenshot of the files related to the Tibs rootkit:

And here's a screenshot of the SSDT hook installed by the rootkit:


And lastly, I came across this ecard spam mail (do NOT visit the link given below!):

"Partner() has created Holiday ecard for you
at bristos.com.

To see your custom Holiday ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

http://81.71.5.34/?4ee8af5c23933166b19e3393b5ca09ff74e82d

Send a FREE greeting card from bristos.com whenever you want by visiting us at:
http://bristos.com/
This service is provided and hosted by bristos.com.
"


And that link opens up this page:

Yes! We are waiting for the contents to be uploaded by the Admins ;)
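The mail quoted above has the tell-tale shape of this campaign: the text names a legitimate-looking sender domain, but the link you are asked to click points at a bare IP address with an opaque hex token. The following scanner, an added example that is not code from the post, flags links with exactly those traits so a mail gateway or analyst script can separate them from the genuine bristos.com links in the same body. The function names, the heuristic labels and the minimum token length are my own choices; the sample input is the mail quoted in the post.

```python
import re
from ipaddress import ip_address

# Sample input: the ecard spam mail quoted in the post above.
SAMPLE_MAIL = """Partner() has created Holiday ecard for you
at bristos.com.

To see your custom Holiday ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

http://81.71.5.34/?4ee8af5c23933166b19e3393b5ca09ff74e82d

Send a FREE greeting card from bristos.com whenever you want by visiting us at:
http://bristos.com/
This service is provided and hosted by bristos.com.
"""

# Group 1 = host (up to the first '/', '?' or '#'), group 2 = the rest of the URL.
URL_RE = re.compile(r"https?://([^\s/?#<>\"']+)([^\s<>\"']*)", re.IGNORECASE)
# Dotted names mentioned anywhere in the body (the "claimed" sender domains).
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
# A path that is nothing but '?' followed by a long hex string (tracking/campaign token).
HEX_TOKEN_RE = re.compile(r"^/?\?[0-9a-f]{20,}$", re.IGNORECASE)


def is_bare_ip(host):
    """True if the host part is a literal IP address (optional :port stripped)."""
    try:
        ip_address(host.partition(":")[0])
        return True
    except ValueError:
        return False


def classify_url(host, rest, claimed_domains):
    """Return the list of heuristic labels (hypothetical names) that apply to one link."""
    reasons = []
    if is_bare_ip(host):
        reasons.append("bare-ip-host")
        # The body names a real domain but sends the reader to an IP instead.
        if claimed_domains:
            reasons.append("host-differs-from-named-sender")
    if HEX_TOKEN_RE.match(rest):
        reasons.append("opaque-hex-token")
    return reasons


def scan_mail(text):
    """Extract every http(s) link in the body and label each one."""
    claimed = {d.lower() for d in DOMAIN_RE.findall(text) if not is_bare_ip(d)}
    findings = []
    for m in URL_RE.finditer(text):
        host, rest = m.group(1).lower(), m.group(2)
        findings.append({
            "url": m.group(0),
            "host": host,
            "reasons": classify_url(host, rest, claimed),
        })
    return findings


def suspicious_links(text):
    """Only the links that tripped at least one heuristic."""
    return [f for f in scan_mail(text) if f["reasons"]]


if __name__ == "__main__":
    for f in scan_mail(SAMPLE_MAIL):
        print(("SUSPICIOUS " if f["reasons"] else "ok         ") + f["url"], f["reasons"])
```

On the sample mail the bristos.com link passes clean while the IP-hosted link is flagged on all three heuristics. None of these rules is proof on its own (plenty of legitimate internal mail links to IPs), which is why the scanner returns labels rather than a verdict; a gateway would combine them with sender reputation and attachment analysis.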

2 Comments:

Blogger Brian Walker said...

Is there a way to check and see if this trojan is on my PC? A simple way, that is....
Free, too.
Thanks,
bwalker@walkercommercialfunding.com

6:24 AM  
Blogger swatkat said...

Hi,
To detect the Rootkit easily, you can try F-Secure BlackLight ( http://www.f-secure.com/blacklight/try_blacklight.html ). It's free too.
Regards...

8:33 PM  
