NEWS FROM THE LAB - Wednesday, December 5, 2007

More Christmas Card Action
Posted by Mikko @ 10:42 GMT

We've just seen another fake Christmas card malware run.

E-mails looked like this:

[Image: Fake Yahoo Greeting Cards]

The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site).

[Image: Fake Yahoo Greeting Cards]

The site prompts the user to download a malicious file, macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37).

We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website.

[Image: Fake Yahoo Greeting Cards]

Update: Another domain is being used too, registered by the same person — http://www.yahoo.americangreetings.com.droeang.net.
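A mail filter can catch both traits described above: link text that shows one host while the href goes to another, and a brand name used as a subdomain label of an unrelated registered domain. The following is an added example, not code from the original post; the trusted-domain list, the brand labels, the naive "last two labels" rule and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this example: the domains the mail claims to come from, and
# the brand labels to watch for inside other hostnames.
TRUSTED = {"yahoo.com", "americangreetings.com"}
BRAND_LABELS = {"yahoo", "americangreetings"}
URLISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

def host_of(s):
    s = s.strip()
    return (urlsplit(s if "//" in s else "//" + s).hostname or "").lower()

def registrable(host):
    # Naive "last two labels" rule (assumption); use the Public Suffix List in production.
    return ".".join(host.rstrip(".").split(".")[-2:])

class Anchors(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit(html):
    """Return [(target_host, [reasons])] for suspicious links in an HTML body."""
    parser = Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, reasons = host_of(href), []
        if registrable(target) not in TRUSTED:
            hits = sorted(BRAND_LABELS & set(target.split(".")))
            if hits:
                reasons.append("brand label in untrusted host: " + ", ".join(hits))
        if URLISH.match(text) and registrable(host_of(text)) != registrable(target):
            reasons.append("text shows %s, link goes to %s" % (host_of(text), target))
        if reasons:
            findings.append((target, reasons))
    return findings

# Constructed sample body; the second href is the domain named in the post.
SAMPLE = ('<p><a href="http://www.yahoo.com/">Yahoo</a> '
          '<a href="http://www.yahoo.americangreetings.com.droeang.net">'
          'www.yahoo.americangreetings.com</a></p>')
```

Calling audit(SAMPLE) reports only the second link, with both reasons attached.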