Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Hallmark trojan
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Tue, 18 Nov 2008 11:03:38 -0600

We've had a few (<100 so far) that have been identified by our e-mail
A/V engine and dropped.  A few with the same subject (probably with an
embedded URL, but no attachment) from several days ago were quarantined
as spam.

- ken

Dick Jacobson wrote:
We are getting hammered by a Hallmark trojan.  This appears to be what
McAfee calls Spam.Mailbot.i.  However, McAfee does not pick it up so
it could be a variant of that one.

I am wondering if anyone else is seeing this ?  And if you have a
sure-fire way to detect and clean it ?

The email I received is
Date: Mon, 17 Nov 2008 17:15:23 -0600
From: postcards () hallmark com
To: copyright.abuse () ndus nodak edu
Subject: You've received A Hallmark E-Card!
    1 Shown      5 lines  Text (charset: Windows-1252)
    2          343 KB     Application

Hallmark.com Shop Online Hallmark Magazine E-Cards & More At Gold Crown
       You have recieved A Hallmark E-Card.


You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to
a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at
bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator


It has a postcard.zip attachment that carries the nasties.

One of our campuses had this for remediation :
-       McAfee doesn't find any infected files for this, but AVG Free =
         find the infected files.
-       Wntfy.exe is the bad file that is located in C:\Windows\System32
-       Process called wntfy.exe
-       Registry entries for wntfy
Kill the wntfy.exe process, delete the file out of System32, and =
search/delete all wntfy entries in the registry.  Reboot.

That same campus mentioned a kdll.exe file in the system32 directory
and a registry entry that needed to be manually removed also.

Another office said :
The web site is
AVG Anti-Virus
download, install, update dats and run

Another said :
The program that actually detected this for us was MalWareBytes.
http://www.malwarebytes.com/  We are in the process of verifying that
the clean was successful.

The result is that none of these appear to completely clean the
machine. Any thoughts ?

Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer    office : STTC 219
        phone  : 701-231-6280 <NEW phone number>

- Ken
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]