Home page logo

educause logo Educause Security Discussion mailing list archives

Hallmark trojan
From: Dick Jacobson <Dick.Jacobson () NDUS NODAK EDU>
Date: Tue, 18 Nov 2008 10:54:47 -0600

We are getting hammered by a Hallmark trojan.  This appears to be what
McAfee calls Spam.Mailbot.i.  However, McAfee does not pick it up so it
could be a variant of that one.

I am wondering if anyone else is seeing this ?  And if you have a
sure-fire way to detect and clean it ?

The email I received is
Date: Mon, 17 Nov 2008 17:15:23 -0600
From: postcards () hallmark com
To: copyright.abuse () ndus nodak edu
Subject: You've received A Hallmark E-Card!
    1 Shown      5 lines  Text (charset: Windows-1252)
    2          343 KB     Application

Hallmark.com Shop Online Hallmark Magazine E-Cards & More At Gold Crown
       You have recieved A Hallmark E-Card.


You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to make
a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at the
bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator


It has a postcard.zip attachment that carries the nasties.

One of our campuses had this for remediation :
-       McAfee doesn't find any infected files for this, but AVG Free =
         find the infected files.
-       Wntfy.exe is the bad file that is located in C:\Windows\System32
-       Process called wntfy.exe
-       Registry entries for wntfy
Kill the wntfy.exe process, delete the file out of System32, and =
search/delete all wntfy entries in the registry.  Reboot.

That same campus mentioned a kdll.exe file in the system32 directory and a
registry entry that needed to be manually removed also.

Another office said :
The web site is
AVG Anti-Virus
download, install, update dats and run

Another said :
The program that actually detected this for us was MalWareBytes.
http://www.malwarebytes.com/  We are in the process of verifying that the
clean was successful.

The result is that none of these appear to completely clean the machine.
Any thoughts ?

Dick Jacobson                   e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer        office : STTC 219
                phone  : 701-231-6280 <NEW phone number>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]