Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Hallmark trojan
From: "Woodle, I Wesley (Wes)" <iwoodle () UTK EDU>
Date: Tue, 18 Nov 2008 13:03:31 -0500

If any of you have the attachment, would you please zip it up with basic
encryption and password protect it with the word "infected" and then email
it to me directly or submit it to the AVERT Labs web site so that we can
make sure they have created signatures to detect it?


I. W. Woodle [Wes]
University of Tennessee
Information Security Office
(865) 556-8898  iwoodle () tennessee edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ken Connelly
Sent: Tuesday, November 18, 2008 12:04 PM
Subject: Re: [SECURITY] Hallmark trojan

We've had a few (<100 so far) that have been identified by our e-mail
A/V engine and dropped.  A few with the same subject (probably with an
embedded URL, but no attachment) from several days ago were quarantined
as spam.

- ken

Dick Jacobson wrote:
We are getting hammered by a Hallmark trojan.  This appears to be what
McAfee calls Spam.Mailbot.i.  However, McAfee does not pick it up so
it could be a variant of that one.

I am wondering if anyone else is seeing this ?  And if you have a
sure-fire way to detect and clean it ?

The email I received is
Date: Mon, 17 Nov 2008 17:15:23 -0600
From: postcards () hallmark com
To: copyright.abuse () ndus nodak edu
Subject: You've received A Hallmark E-Card!
    1 Shown      5 lines  Text (charset: Windows-1252)
    2          343 KB     Application

Hallmark.com Shop Online Hallmark Magazine E-Cards & More At Gold Crown
       You have recieved A Hallmark E-Card.


You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There's something special about that E-Card feeling. We invite you to
a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the "Privacy and Security" link at
bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator


It has a postcard.zip attachment that carries the nasties.

One of our campuses had this for remediation :
-       McAfee doesn't find any infected files for this, but AVG Free =
         find the infected files.
-       Wntfy.exe is the bad file that is located in C:\Windows\System32
-       Process called wntfy.exe
-       Registry entries for wntfy
Kill the wntfy.exe process, delete the file out of System32, and =
search/delete all wntfy entries in the registry.  Reboot.

That same campus mentioned a kdll.exe file in the system32 directory
and a registry entry that needed to be manually removed also.

Another office said :
The web site is
AVG Anti-Virus
download, install, update dats and run

Another said :
The program that actually detected this for us was MalWareBytes.
http://www.malwarebytes.com/  We are in the process of verifying that
the clean was successful.

The result is that none of these appear to completely clean the
machine. Any thoughts ?

Dick Jacobson            e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer    office : STTC 219
        phone  : 701-231-6280 <NEW phone number>

- Ken
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373

Attachment: smime.p7s

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]