Virus:   You've Received a Postcard from a Family Member!

Status:   Real virus.

Examples:   [Collected via e-mail, June 2007]

Subject: You've received a postcard from a family member!

Good day.

Your family member has sent you an ecard from notme.hk.

Send free ecards from notme.hk with your choice of colors, words and music.

Your ecard will be available with us for the next 30 days. If you wish to keep
the ecard longer, you may save it on your computer or take a print.

To view your ecard, choose from any of the following options:

--------
OPTION 1
--------

Click on the following Internet address or
copy & paste it into your browser's address box.

http://notme.hk/?6e47840d8e117868911e6c3  <<<click here for protection*****

--------
OPTION 2
--------

Copy & paste the ecard number in the "View Your Card" box at
http://notme.hk   <<< click here for protection*****

Your ecard number is
6e47840d8e117868911e6c3

Best wishes,
Postmaster,
notme.hk

*If you would like to send someone an ecard, you can do so at
http://notme.hk/

Variations:   Other subject lines used with this message include the following:

• You've received a Hallmark E-Card!
• You've received a greeting card from a school-mate!
• You've received a greeting ecard from a class mate!
• You've received a greeting ecard from a neighbor!
• You've received a greeting postcard from a partner!
• You've received a greeting postcard from a worshipper!
• You've received a postcard from a family member!
• You've received a postcard from a neighbor!
• You've received a postcard from a worshipper!
• You've received an ecard from a colleague!
• Class-mate sent you an ecard from vintagepostcards.com!
• Colleague sent you a greeting ecard from postcardsfrom.com!
• School mate sent you a greeting ecard from greetingcard.org!
• Family member sent you a postcard from dgreetings.com!
• Neighbour sent you a greeting ecard from NetFunCards.com!
• School-mate sent you an ecard from mypostcards.com!
• Worshipper sent you an ecard from greetingcard.org!
• Colleague sent you a postcard from egreetings.com!
• Neighbour sent you a greeting ecard from all-yours.net!
• School friend sent you an ecard from postcards.org!
• Holiday e-card
• Movie-quality e-card
• Love postcard
• Birthday e-card
• Thank you card
• Musical postcard
• Funny postcard

Origins:   Many web sites offer a service that allows a user to send a customized "greeting card" (or "postcard") to a relative, friend, or acquaintance, delivered as an e-mail message containing a hyperlink which the recipient follows to visit the originating site and  view the card. Sending out phony e-card notifications is therefore an effective method of camouflaging viruses and inducing unwitting recipients into clicking on links that install malicious programs onto their computers.

A wave of malicious messages (like the one reproduced above) sent out in June 2007 employed that very technique, arriving in inboxes bearing subject lines such as "You've received a postcard from a family member!" The messages contain URLs that recipients are supposed to visit to retrieve their e-cards, but those URLs actually point to servers hosting a variety of malware (including a variant of the Storm Trojan, "an aggressive piece of malware that has been hijacking computers to serve as attacker bots" since early 2007) that is furtively installed onto victims' PCs. (Generally, only unpatched (<<<<windows update patch)  Windows-based systems are vulnerable.)

Since many of these malicious messages imitate notifications from legitimate e-card sites, recipients should get into the habit of never clicking on links contained within e-card notification e-mails. Instead, go directly to the web site of the card company, find the card pickup page within that site, and enter the ID code included in the e-mail. (If the message was a fake, the worst that will happen is that you won't get a card.)

 our article about the "Virtual Card for You" hoax. They're not the same thing, despite some e-mail warnings that erroneously present them as such.

Virus:   Storm Worm.

Status:   Real.

Example:   [Collected via e-mail, 2007]

Subj:  230 dead as storm batters Europe

Attachment:  Video.exe

Origins:   The "Storm Worm" (so named because the spam e-mail messages that carried it commonly bore the subject line "230 dead as storm batters Europe") began hitting computers around the world in mid-January 2007. The malicious payload it carries (which may be one of several, including Trojan.Peacomm or Win32.Small.DAM, a variant of Win32.Small) affects most Windows-based platforms (i.e., Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP) and is spread as an attachment to e-mail messages, one that installs a Trojan horse onto the message recipient's computer.

The Storm Worm may arrive in a message with any of the following subject lines (intended to lure the recipient into reading the message by offering a political headline of great interest):

• 230 dead as storm batters Europe.
• A killer at 11, he's free at 21 and...
• British Muslims Genocide
• Naked teens attack home director.
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Russian missle shot down Chinese satellite
• Russian missle shot down USA aircraft
• Russian missle shot down USA satellite
• Chinese missile shot down USA aircraft
• Chinese missile shot down USA satellite
• Sadam Hussein alive!
• Sadam Hussein safe and sound!
• Radical Muslim drinking enemies' blood.
• U.S. Southwest braces for another winter blast. More then 1000 people are dead.
• Venezuelan leader: "Let's the War beginning".
• Hugo Chavez dead.
• President of Russia Putin dead.
• Third World War just have started!.
• The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!.
• The commander of a U.S. nuclear submarine lunch the rocket by mistake..
• First Nuclear Act of Terrorism!.
• So in Love
• Happy World Religion Day!
• Most Beautiful Girl
• Someone at Last
• I Believe
• The Dance of Love
• The Miracle of Love
• All For You
• Vacation Love
• I am Complete
• Wrapped Up
• Moonlit Waterfall
• A Little (sex) Card
• A Special Kiss
• Hugging My Pillow
• Safe and Sound
• You're Soo kissable
• A Romantic Place
• Breakfast in Bed Coupon
• For You
• I Love You So
• Want to Meet?
• We Are Different
• We Have Walked
• You Asked Me Why

The attachment filename may be any of the following:

• Full Clip.exe
• Full Story.exe
• Read More.exe
• Video.exe
• Full Video.exe
• Full Text.exe
• Flash Postcard.exe

In April 2007 a new variant of Trojan.Peacomm was unleashed on the Internet, this one varying from the previous "Storm worm" attack in that the attachments carrying the payload were password-protected .ZIP files (which recipients were tricked into unzipping and running to putatively protect themselves from some other worm). E-mails containing this variant typically had subject lines such as the following:

• ATTN!
• Spyware Alert!
• Spyware Detected!
• Trojan Alert!
• Trojan Detected!
• Virus Activity Detected!
• Virus Alert!
• Virus Detected!
• Warning!
• Worm Activity Detected!