Using the happy subject line “You have recieved [sic] A Hallmark E-Card”, Win32/Mytob variants attached to spam emails have been getting around lately. The team at CA ISBU labs has monitored Mytob’s increased activity especially towards the end of Q3 2008, and you can read more by visiting the Win32/Mytob.OM and Win32/Mytob.ON malware analyses in our encyclopedia.
Now that we’ve turned the corner into the Yuletide season, we expected Win32/Mytob variants to spice up their social engineering with festive spirit, and unfortunately we were not disappointed. Today we received a new Win32/Mytob variant disguised as a Hallmark e-card, and also as McDonald's and Coca-Cola Christmas promotions. We detect the malware as Win32/Mytob.OO, and it uses this deceptively friendly Christmas snowman file icon:

Below are full details of the three spam emails sent by Win32/Mytob.OO. Note that the From: addresses are forged by the worm; the messages originate from infected systems, not from the companies named. In the first spam email, the worm poses as a Hallmark e-card with these characteristics:
From:
postcards@hallmark.com
Subject:
You have recieved [sic] A Hallmark E-Card
Message:
Hello!
You have recieved [sic] a Hallmark E-Card from your friend.
To see it, check the attachment.
There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,
Your friends at Hallmark
Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy.
Attachment:
postcard.zip

In the second spam email, Win32/Mytob.OO masquerades as a McDonald's Christmas promotion, with these details:
From:
giveaway@mcdonalds.com
Subject:
McDonalds wishes you Merry Christmas!
Message:
McDonald's is proud to present our latest discount menu.
Simply print the coupon from this Email and head to your local McDonald's for FREE giveaways and AWESOME savings.
Attachment:
coupon.zip
If a misled user executes the attachment, the worm displays the McDonald's coupon pictured below and, at the same time, sends spam email to all of the email addresses it finds on the system:

The following screenshot shows an infected system connecting to different SMTP servers in order to send more Win32/Mytob.OO spam email:
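The behaviour in that screenshot, one workstation opening SMTP connections to many different mail servers in quick succession, is a reliable network-side indicator of a mass-mailing worm, whatever lure the email uses. The following detector is an added example written for this post, not code from CA or from the Mytob analysis; the log format (`timestamp src_ip dst_ip dst_port`), the sample lines, the relay address and the threshold are all constructed assumptions. It flags any internal host that talks directly to more than a handful of distinct external SMTP servers within a short window, while ignoring traffic to the organisation's own mail relay.

```python
"""Flag hosts fanning out to many SMTP servers, as a mass-mailer does.

Added example for this post; not CA's code.  The log format, the sample
lines, MAIL_RELAYS, WINDOW and THRESHOLD are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log: "timestamp src_ip dst_ip dst_port".
# 10.0.0.12 behaves like an infected host; 10.0.0.30 uses the normal relay.
SAMPLE_LOG = """\
2008-12-15T10:00:01 10.0.0.12 198.51.100.10 25
2008-12-15T10:00:02 10.0.0.12 203.0.113.5 25
2008-12-15T10:00:03 10.0.0.12 192.0.2.44 25
2008-12-15T10:00:03 10.0.0.12 203.0.113.77 25
2008-12-15T10:00:04 10.0.0.12 192.0.2.9 25
2008-12-15T10:00:05 10.0.0.12 198.51.100.200 25
2008-12-15T10:00:09 10.0.0.12 192.0.2.120 443
2008-12-15T10:00:10 10.0.0.30 10.0.0.5 25
2008-12-15T10:00:11 10.0.0.30 10.0.0.5 25
2008-12-15T10:00:12 10.0.0.30 192.0.2.120 443
2008-12-15T10:07:00 10.0.0.12 198.51.100.10 25
"""

MAIL_RELAYS = {"10.0.0.5"}   # assumed: the organisation's sanctioned outbound relay
WINDOW = timedelta(minutes=5)
THRESHOLD = 5                # distinct direct-to-MX destinations that trigger an alert


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def smtp_fanout(events, relays=MAIL_RELAYS, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: max distinct SMTP destinations in any window} for hosts
    that reach the threshold.  Connections to the sanctioned relay are ignored,
    so a normal client that submits mail through the relay never alerts."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        if port == 25 and dst not in relays:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, conns in per_src.items():
        best = 0
        # Slide a window starting at each connection and count distinct servers.
        for i, (start, _) in enumerate(conns):
            dsts = {d for t, d in conns[i:] if t - start <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for host, count in smtp_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {host} contacted {count} distinct SMTP servers within {WINDOW}")
```

On the constructed sample, only 10.0.0.12 alerts (six distinct servers inside the five-minute window; the later connection at 10:07 falls outside it). In practice the same rule works on firewall or NetFlow exports, and the cleanest preventive control is the one this detection implies: block outbound TCP/25 from workstations at the perimeter so that only the relay can reach external mail servers.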

For the third spam email, Win32/Mytob.OO disguises itself as a Coca-Cola Christmas promotion. The email has these details:
From:
noreply@coca-cola.com
Subject:
Coca Cola is proud to accounce [sic] our new Christmas Promotion.
Message:
December, 2008
Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details.
The trademarks listed are owned or used under license by The Coca-Cola Company and its related affiliates, as of December 31, 2006.
These trademarks may be owned or licensed in select locations only. © 2008 The Coca-Cola Company, all rights reserved.
Attachment:
promotion.zip

This Christmas season, while enjoying online communications with your family and friends, we hope you keep a watchful eye out for deceptive Christmas ‘promotions’ or e-cards like the ones shown here, and treat any unexpected zip attachment, whatever brand it claims to come from, with suspicion.