Educause Security Discussion
mailing list archives
From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Tue, 3 Jul 2007 13:38:46 -0400
We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.
For details, see: http://isc.sans.org/diary.html?storyid=3063
I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.
Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there.
Matt Gracie (716) 888-2403
Information Security Administrator graciem () canisius edu
Canisius College ITS 425531N / 0785109W
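
One way to check a capture for other hosts showing the behaviour described in the post, as an added example that is not part of the original message: it reads `tcpdump -n` text output and lists internal hosts sending UDP from source port 26395 to several distinct outside addresses, which does not depend on the file hash. The campus range, the peer threshold and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUSPECT_SPORT = 26395                      # source UDP port reported in the post
CAMPUS_NETS = [ip_network("10.0.0.0/8")]   # assumption: replace with your ranges
MIN_PEERS = 3                              # assumption: distinct peers before flagging

# tcpdump -n line for plain UDP: "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)

def suspect_hosts(lines, min_peers=MIN_PEERS):
    """Map each internal host to the sorted outside peers it sent UDP to from
    SUSPECT_SPORT, keeping only hosts with at least min_peers distinct peers."""
    peers = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # TCP, decoded DNS, or an unparsed format
        src, sport, dst, _dport = m.groups()
        if int(sport) != SUSPECT_SPORT:
            continue
        # Only outbound traffic counts: replies from outside share the port
        # number but say nothing about which campus machine is infected.
        if is_internal(src) and not is_internal(dst):
            peers[src].add(dst)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}

# Constructed sample capture using documentation address ranges, not real traffic.
SAMPLE = """\
13:40:01.000101 IP 10.20.1.15.26395 > 198.51.100.7.4000: UDP, length 25
13:40:01.120440 IP 10.20.1.15.26395 > 203.0.113.44.26395: UDP, length 25
13:40:01.300912 IP 203.0.113.44.26395 > 10.20.1.15.26395: UDP, length 40
13:40:02.004518 IP 10.20.1.15.26395 > 192.0.2.91.7871: UDP, length 25
13:40:02.500000 IP 10.20.1.15.26395 > 198.51.100.7.4000: UDP, length 25
13:40:03.000000 IP 10.20.1.15.1045 > 192.0.2.200.123: UDP, length 48
13:40:04.000000 IP 10.20.3.8.26395 > 192.0.2.10.5060: UDP, length 120
13:40:05.000000 IP 10.20.5.5.26395 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    for host, dsts in suspect_hosts(SAMPLE.splitlines()).items():
        print(f"{host}: {len(dsts)} distinct peers from UDP/{SUSPECT_SPORT}: {dsts}")
```

A single packet from that port can be an ordinary application that happened to bind it, which is why the example requires several distinct peers before listing a host.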