eCard worm: The new batch!
After a brief period of inactivity, eCard-themed spam mails seem to be back in action. As usual, these mails carry links to malware masquerading as e-greeting cards. Here are some examples of eCard mails (note that the From header is spoofed):
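As an added example (not part of the original post), the following Python script shows one way a mail gateway or analyst could triage messages for the pattern described above: an e-card theme, a From header whose domain does not match the envelope sender (Return-Path), and a link that points at an executable. The sample message, its addresses and the link are constructed for illustration; none of them are from the spam run discussed in the post.

```python
import email
import re
from email import policy
from typing import List

# Constructed sample: an eCard-themed mail whose From header domain differs
# from the envelope sender and whose link points at an executable. Not a real
# message from the campaign in the post; all names/addresses are made up.
SAMPLE_ECARD_MAIL = """\
Return-Path: <bounce@example-bulk.test>
From: "Greeting Cards" <cards@greetings-example.test>
To: victim@example.test
Subject: You've received an eCard!

Hello,
A friend has sent you an e-greeting card.
Pick it up here: http://203.0.113.10/ecard.exe
"""

# Theme words seen in e-card lures; extend to taste.
ECARD_THEME = re.compile(r"\b(e-?card|greeting|postcard)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
# Link targets that are executables (or archives that usually wrap one).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|zip)(\?|$)", re.I)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    _, _, host = addr.rpartition("@")
    return host.strip("<> \t").lower()


def ecard_indicators(raw: str) -> List[str]:
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    if ECARD_THEME.search(subject) or ECARD_THEME.search(text):
        findings.append("ecard-themed")

    # Spoof check: the displayed From domain should match the envelope sender.
    from_dom = sender_domain(msg.get("From", ""))
    rp_dom = sender_domain(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")

    for url in URL_RE.findall(text):
        if EXEC_EXT.search(url):
            findings.append(f"executable link: {url}")
    return findings


def is_suspicious_ecard(raw: str) -> bool:
    """True when the mail is e-card themed and links to an executable."""
    found = ecard_indicators(raw)
    return "ecard-themed" in found and any(
        f.startswith("executable link") for f in found
    )


if __name__ == "__main__":
    for line in ecard_indicators(SAMPLE_ECARD_MAIL):
        print(line)
    print("suspicious:", is_suspicious_ecard(SAMPLE_ECARD_MAIL))
```

The From/Return-Path comparison is a coarse check (legitimate bulk senders also use separate bounce domains), so it is reported as an indicator rather than used as the sole verdict; the executable-link test combined with the e-card theme is what drives `is_suspicious_ecard`.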
This eCard malware is a mIRC-based backdoor, and most AVs detect it. The dropper is actually an SFX (self-extracting archive) file; the following screenshot shows the files bundled in the dropper:
When run, the dropper installs an mIRC client and also adds a WH_KEYBOARD message hook to log keystrokes. The mIRC client tries to establish a connection with remote servers (126.96.36.199, whois). An automated analysis of this malware is available at ThreatExpert.
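The behaviours described above (an mIRC client dropped by an SFX and run from a temp directory, a WH_KEYBOARD hook, and an outbound connection to the listed server) are the kind of host telemetry a detection engineer can match on. The script below is an added example, not code from the original post; it runs three simple rules over a constructed list of endpoint events. The event schema, process names, paths, PIDs and the destination port are assumptions for illustration, and the only value taken from the post is the server address 126.96.36.199.

```python
from typing import Dict, List, Tuple

# Constructed endpoint events in a simplified schema (assumption: a real EDR
# or Sysmon feed would be normalised into something similar). Only the
# destination IP below comes from the post; everything else is made up.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 4120, "image": r"C:\Users\u\Downloads\ecard.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4188,
     "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\mirc.exe",
     "parent_image": r"C:\Users\u\Downloads\ecard.exe"},
    # Assumption: the sensor logs SetWindowsHookEx with the numeric idHook.
    {"type": "api_call", "pid": 4188, "api": "SetWindowsHookEx", "idHook": 2},
    {"type": "network_connect", "pid": 4188, "dst_ip": "126.96.36.199", "dst_port": 6667},
    # Benign noise that the rules must ignore.
    {"type": "network_connect", "pid": 4120, "dst_ip": "203.0.113.5", "dst_port": 443},
]

WH_KEYBOARD = 2       # hook type named in the post
WH_KEYBOARD_LL = 13   # low-level variant, included for completeness
KEYBOARD_HOOKS = {WH_KEYBOARD, WH_KEYBOARD_LL}
KNOWN_C2 = {"126.96.36.199"}            # from the post
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\")


def rule_irc_client_from_temp(ev: Dict) -> bool:
    """mIRC dropped into and launched from a temp directory."""
    if ev["type"] != "process_create":
        return False
    image = ev["image"].lower()
    return image.endswith("\\mirc.exe") and any(m in image for m in TEMP_MARKERS)


def rule_keyboard_hook(ev: Dict) -> bool:
    """SetWindowsHookEx installing a keyboard hook (keystroke logging)."""
    return (ev["type"] == "api_call" and ev.get("api") == "SetWindowsHookEx"
            and ev.get("idHook") in KEYBOARD_HOOKS)


def rule_known_c2(ev: Dict) -> bool:
    """Outbound connection to an address listed as the backdoor's server."""
    return ev["type"] == "network_connect" and ev.get("dst_ip") in KNOWN_C2


RULES = [
    ("mirc_from_temp", rule_irc_client_from_temp),
    ("keyboard_hook", rule_keyboard_hook),
    ("known_c2_connection", rule_known_c2),
]


def evaluate(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, fn in RULES:
            if fn(ev):
                hits.append((name, ev["pid"]))
    return hits


def suspicious_pids(events: List[Dict], min_rules: int = 2) -> List[int]:
    """PIDs that tripped at least min_rules distinct rules (reduces noise)."""
    per_pid: Dict[int, set] = {}
    for name, pid in evaluate(events):
        per_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in per_pid.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("flagged PIDs:", suspicious_pids(SAMPLE_EVENTS))
```

Requiring two independent rules per process before flagging it keeps a lone IRC connection or a single hook installation (both common in legitimate software) from paging anyone, while the combination described in the post still surfaces.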