NEWS FROM THE LAB - Wednesday, August 15, 2007

Zhelatin gang changing tactics Posted by Mikko @ 08:16 GMT

Over the last few weeks, we've seen tons of ecard.exe spam: fake greeting card messages spammed out in bulk.

The messages have not contained an attachment, just links to web sites that offer to download a file named ecard.exe to your machine.

Since last night, the messages have changed. You still get the normal greeting card spam:

Message Data 1

But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer. Conveniently, they have it available for download, for free.

Message Data 2

Of course, the downloaded file msdataaccess.exe turns out to be the gift that keeps on giving. Avoid it like the plague.

Message Data 3
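As an added example that is not part of the post (or F-Secure's own tooling), here is a small mail-triage helper that flags messages carrying the two lures described above: a greeting-card link to ecard.exe, and the follow-up "Microsoft Data Access" page pushing msdataaccess.exe. The sample messages, hosts and the `classify_message`/`triage` names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message bodies modelled on the two lures described in
# the post: the fake greeting card link and the fake "Microsoft Data Access"
# download. The addresses are documentation ranges, not real hosts.
SAMPLE_MESSAGES = [
    "You have received a greeting card! View it at http://192.0.2.10/ecard.exe",
    "To view your card please install Microsoft Data Access: http://192.0.2.11/msdataaccess.exe",
    "Meeting moved to 3pm, see http://intranet.example/calendar",
]

# File names named in the post. These are lure names, not malware signatures:
# the gang can rename the file at any time, so the generic .exe check below matters too.
LURE_FILENAMES = {"ecard.exe", "msdataaccess.exe"}
LURE_PHRASES = ("greeting card", "microsoft data access")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in the message text."""
    return URL_RE.findall(text)


def classify_message(text):
    """Return the URLs found and the reasons (if any) the message looks like the lure."""
    reasons = []
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            reasons.append(f"lure phrase: {phrase}")
    urls = extract_urls(text)
    for url in urls:
        # Last path component, lower-cased, so Ecard.EXE and ecard.exe match alike.
        filename = urlparse(url).path.rsplit("/", 1)[-1].lower()
        if filename in LURE_FILENAMES:
            reasons.append(f"link to lure executable: {filename}")
        elif filename.endswith(".exe"):
            reasons.append(f"link to executable download: {filename}")
    return {"urls": urls, "reasons": reasons, "suspicious": bool(reasons)}


def triage(messages):
    """Classify a batch of message bodies; suspicious ones can then be quarantined or reviewed."""
    return [classify_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        print(result["suspicious"], result["reasons"])
```

A direct link to any .exe in unsolicited mail is worth flagging on its own, which is why the generic check sits beside the named lures.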

In general, it's a bad idea to follow such unsolicited links from e-mail. Don't even try the above URL just for fun. For example, if you access the page with an outdated version of Firefox or IE, the page will render with a nasty exploit code that will try to infect your computer immediately. Opera doesn't seem to be targeted at the moment.

This operation is apparently the work of the same gang that did the original "Storm worm" run in January 2007.

We detect the latest variants as Email-Worm.Win32.Zhelatin.gg.