MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2008

MA-123.012008: MyCERT Special Alert - Malicious New Year Card Emails

Original Issue Date: 4th Jan 2008

MyCERT had observed mass circulation of New Year card spam emails on the eve of New Year. The spam contains a link that, when clicked, redirects users to download a malicious program called Happy-2008.exe. Our analysis had shown that.

The subject lines of the spam emails include the following:

  • Happy New Year To You!
  • Wishes for the new year
  • Opportunities for the new year
  • New Year Postcard
  • New Year Ecard
  • New Year wishes for you
  • Happy New Year To You!
  • Message for new year
  • Blasting new year
  • As you embrace another new year
  • It's the new Year
  • As the new year.
  • Happy 2008 To You!
  • Joyous new year
  • Lots of greetings on new year
  • A fresh new year

The bodies of the emails contain simple messages such as the following:

  • A fresh new year
    http://uhavepostcard.com/

  • New Year wishes for you
    http://happycards2008.com/

  • Joyous new year
    http://uhavepostcard.com/
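The subject lines and landing domains quoted above are enough to triage a mailbox dump. The following is an added example, not part of the MyCERT advisory: it parses RFC 822 messages, matches the subject against the quoted list, extracts URLs from the body and checks their hosts against the two quoted domains and the dropped file name. The three sample messages are constructed. A matching subject alone is treated as weak evidence, since legitimate greetings use the same words; only a known domain or the payload name yields a "match".

```python
"""Triage helper for the New Year card spam wave described in the advisory.

Added example, not part of the MyCERT advisory. It matches a mailbox dump
against the subject lines and the two landing domains quoted above, plus the
dropped file name happy-2008.exe. The sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Indicators quoted in the advisory (subjects matched case-insensitively).
KNOWN_SUBJECTS = {
    s.lower() for s in (
        "Happy New Year To You!", "Wishes for the new year",
        "Opportunities for the new year", "New Year Postcard", "New Year Ecard",
        "New Year wishes for you", "Message for new year", "Blasting new year",
        "As you embrace another new year", "It's the new Year",
        "Happy 2008 To You!", "Joyous new year", "Lots of greetings on new year",
        "A fresh new year",
    )
}
KNOWN_DOMAINS = {"uhavepostcard.com", "happycards2008.com"}
KNOWN_PAYLOAD = "happy-2008.exe"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate the text/* parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def classify(raw_message: str) -> dict:
    """Return the indicators hit by one RFC 822 message and a verdict.

    'match' needs a strong indicator (known domain or payload name);
    a known subject on its own only gives 'suspicious'.
    """
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    body = _body_text(msg)

    hits = []
    if subject.lower() in KNOWN_SUBJECTS:
        hits.append(f"subject:{subject}")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_DOMAINS:
            hits.append(f"domain:{host}")
    if KNOWN_PAYLOAD in body.lower():
        hits.append(f"payload:{KNOWN_PAYLOAD}")

    strong = any(h.startswith(("domain:", "payload:")) for h in hits)
    verdict = "match" if strong else ("suspicious" if hits else "clean")
    return {"subject": subject, "verdict": verdict, "hits": hits}


# Constructed sample mailbox: two in the wave's pattern, one benign greeting.
SAMPLE_MESSAGES = [
    "From: a@example.invalid\nSubject: Joyous new year\n\n"
    "Joyous new year\nhttp://uhavepostcard.com/\n",
    "From: b@example.invalid\nSubject: Greetings\n\n"
    "http://happycards2008.com/happy-2008.exe\n",
    "From: c@example.invalid\nSubject: Happy New Year To You!\n\n"
    "See you at the office on Monday.\n",
]


def triage(messages=SAMPLE_MESSAGES) -> list:
    """Classify every message in the mailbox."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for result in triage():
        print(result["verdict"], repr(result["subject"]), result["hits"])
```

Run as-is against the constructed mailbox it reports two matches and one suspicious message; feed it a real mbox by splitting the file into messages and passing them to `triage`.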

Our analysis has shown that the IP addresses of the malicious domains keep changing. This technique makes it difficult to take down the sites serving the malicious program.
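The constantly changing IP addresses described above can be picked up from resolver or passive-DNS logs. The following is an added example, not part of the MyCERT advisory: it reads records of the form "time qname A-record TTL", finds for each domain the one-hour window with the most distinct addresses, counts how many /24 networks those addresses span, and flags domains that rotate through several networks with short TTLs. The log lines are constructed (documentation address ranges); the domain names are the ones quoted in the advisory.

```python
"""Flag domains whose A records keep changing, as the advisory observed.

Added example, not part of the MyCERT advisory. It reads passive-DNS style
records (timestamp, qname, answer IP, TTL) and scores each domain by how many
distinct IPs and distinct /24 networks it resolved to within a window. The
log lines below are constructed; the domain names are those quoted above.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed passive-DNS records: "<ISO time> <qname> <A record> <TTL>".
SAMPLE_DNS_LOG = """\
2008-01-02T00:00:00 uhavepostcard.com 203.0.113.10 300
2008-01-02T00:05:00 uhavepostcard.com 198.51.100.77 300
2008-01-02T00:10:00 uhavepostcard.com 192.0.2.133 300
2008-01-02T00:15:00 uhavepostcard.com 203.0.113.200 300
2008-01-02T00:20:00 uhavepostcard.com 198.51.100.9 300
2008-01-02T00:00:00 happycards2008.com 192.0.2.4 60
2008-01-02T00:03:00 happycards2008.com 203.0.113.54 60
2008-01-02T00:06:00 happycards2008.com 198.51.100.120 60
2008-01-02T00:09:00 happycards2008.com 192.0.2.88 60
2008-01-02T00:00:00 www.example.com 192.0.2.1 86400
2008-01-02T12:00:00 www.example.com 192.0.2.1 86400
2008-01-03T00:00:00 www.example.com 192.0.2.1 86400
"""


def parse_records(text):
    """Parse log lines into (datetime, qname, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), qname.lower(), ip, int(ttl)))
    return records


def churn_report(records, window=timedelta(hours=1), min_ips=3, max_ttl=600):
    """Per domain: distinct IPs and /24s in the busiest window, plus min TTL.

    A domain is flagged when some window of length `window` holds at least
    `min_ips` distinct IPs spread over more than one /24 and the TTL is short.
    Legitimate CDNs also rotate addresses, so a flag is a lead for analyst
    review, not a verdict.
    """
    by_domain = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_domain[qname].append((ts, ip, ttl))

    report = {}
    for qname, rows in by_domain.items():
        rows.sort()
        best_ips, best_nets = set(), set()
        # Slide a window starting at each observation; keep the busiest one.
        for i, (start, _, _) in enumerate(rows):
            ips = {ip for ts, ip, _ in rows[i:] if ts - start <= window}
            nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
            if len(ips) > len(best_ips):
                best_ips, best_nets = ips, nets
        min_ttl = min(ttl for _, _, ttl in rows)
        flagged = (len(best_ips) >= min_ips and len(best_nets) > 1
                   and min_ttl <= max_ttl)
        report[qname] = {
            "distinct_ips": len(best_ips),
            "distinct_nets": len(best_nets),
            "min_ttl": min_ttl,
            "flagged": flagged,
        }
    return report


def flagged_domains(text=SAMPLE_DNS_LOG):
    """Sorted list of domains the report flags."""
    report = churn_report(parse_records(text))
    return sorted(q for q, r in report.items() if r["flagged"])


if __name__ == "__main__":
    for qname, row in churn_report(parse_records(SAMPLE_DNS_LOG)).items():
        print(qname, row)
```

The thresholds (three addresses, more than one /24, TTL of ten minutes or less) are starting points; tune them against your own resolver's baseline so that ordinary CDN-backed domains do not dominate the output.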

The program happy-2008.exe itself is a malware known as Zhelatin/Peacomm or Storm Worm, which uses peer-to-peer technology as its communication channel.

Attached is the scan-result produced by ClamAV antivirus:

$ clamscan happy-2008.exe.1
happy-2008.exe.1: Trojan.Zhelatin FOUND

----------- SCAN SUMMARY -----------
Known viruses: 181122
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.39 MB
Time: 1.578 sec (0 m 1 s)
---------------------------------------------------

Details on the malicious spam emails are available at:

  • http://www.f-secure.com/weblog/archives/00001350.html
  • http://blog.trendmicro.com
  • http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/

We advise members/users to be extra cautious when receiving such emails. We advise them NOT to click on the link in the email and to delete any such emails received.

Mitigation Steps

As for preventive steps, we advise the following:

  1. Do not click on any links attached in unknown emails, as the links may redirect to malware sites.

  2. Make sure your PCs and browsers are properly patched with the latest patches.

  3. Make sure your PC has the latest anti-virus software installed and is always updated with the latest signature files.

  4. Report to CERTs/ISPs on any suspicious emails that you receive.