Everybody loves me!

A lot of people came back to work on Monday thinking they had a lot of new friends. During the weekend, we observed a very high volume of fake greeting cards being sent by e-mail. Of course, these cards don’t come from anonymous friends but from anonymous malware authors wanting to increase the size of their botnets. The links included in the e-mails don’t point to a nice message but to an executable file that infects your computer with the latest generation of malware.

The first wave of fake greeting cards was generated by the gang behind the Nuwar threat. It sent e-mails informing the recipient that he had received a postcard, along with instructions on how to download and execute a file.

If a user clicks on one of the links included in the e-mail, he is redirected to a site that tries to exploit security flaws in popular internet browsers and install the latest variant of Nuwar. The Nuwar threat, also called Peacomm by other vendors, uses infected computers to send pump-and-dump e-mails. Only a couple of hours after the first run of malicious e-mails, the network of newly infected computers was used to send e-mails advising the recipient to buy stock in a fast-growing company.

Other groups of malware creators found the technique used by Nuwar to be effective, and other malicious greeting card e-mails have been observed carrying other families of threats. We have seen forged e-mails claiming to be from hallmark.com and containing links to files with names like ‘ecard.exe’. These files are self-extracting RAR archives containing malware related to the Zapchast family, an IRC backdoor program. NOD32 labels these e-cards with “Multiple Infections” because they contain multiple files that are each labeled with different names.

In general, as with phishing e-mails, be very careful when you get such an e-mail. For instance, check where it’s coming from and who it’s been sent to (is it your full name, with your correct e-mail address?), check where the links go (you can usually see this by hovering your mouse over the link) and, if you aren’t sure, be safe and delete the mail.
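The link check described above can also be automated at a mail gateway or in a triage script. The following is an added example, not ESET's code: it parses a constructed message (the hosts and the `audit` and `host` helper names are assumptions) and flags links that download an executable, links whose visible text shows a different host than the real target, and links that leave the claimed sender's domain.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".pif", ".bat")  # file types a greeting card never needs
# Constructed sample: forged sender from the article, reserved example host as target.
SAMPLE = """\
From: "Greeting Cards" <postcards@hallmark.com>
Subject: You have received a postcard!
Content-Type: text/html; charset="utf-8"

<p>View it: <a href="http://cards.example.net/ecard.exe">http://www.hallmark.com/view</a></p>
<p><a href="http://www.hallmark.com/help">Help</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(s):  # hostname of a URL, or of visible text that looks like one
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def audit(raw):
    """Return (finding, href) pairs for every suspicious link in an HTML e-mail."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        h = host(href)
        checks = [
            ("executable-download", urlparse(href).path.lower().endswith(RISKY_EXT)),
            ("text-href-mismatch", "." in text and " " not in text and host(text) != h),
            ("off-sender-domain", h != sender and not h.endswith("." + sender)),
        ]
        findings += [(name, href) for name, hit in checks if hit]
    return findings
```

A matching sender domain proves nothing on its own, since the From header is trivially forged; the useful signal is a link that leaves that domain or hides its real target.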

The social engineering techniques being used to propagate malware are ever more sophisticated, so keep your anti-malware scanner updated, and think before you click!

Pierre-Marc Bureau

Author Pierre-Marc Bureau, ESET

  • Hi Pierre-Marc,
    Thanks for this post. I like how you traced the history of the two major variations of the Hallmark Card virus. And your advice to readers/users about thinking before you click.

    I’ve heard now there’s another new nastier Nuwar variation. Read it on a different blog that I can’t seem to find again.

    I’m going to link back to this site from my blog.

    Thank you,

  • I’ve seen recent references/analyses re Nuwar on a multiscanner site, but I’m not convinced that they’re looking at a major Storm resurgence. Of course, there’s a lot of code recycling out there in botnet land…


Copyright © 2017 ESET, All Rights Reserved.