Think you got a cheery greeting card from a friend via e-mail?
Well, think again, and be careful before opening it. A new form of fake e-card notification e-mails are unleashing nasty viruses and virus-carrying Trojan horses on unsuspecting users.
While e-card-triggered viruses and Trojan horses are not new, the latest versions are becoming more difficult for typical antivirus and antispam defenses to detect, according to alerts issued today by security software vendors Avinti and F-Secure.
The new complication, said Dave Green, chief technology officer at Avinti, is that the latest slew of fake e-card e-mail notifications are using plain text in their messages, which don't get scanned and scrutinized by antivirus and antispam defense applications. While the e-mails don't contain pasted links or attached files that a recipient can click on to get a computer infection, many e-mail clients automatically convert the included text into a clickable link when the e-mail clients recognize a Web address in the text.
"It appears they have done that to get around a lot of the parsing used by antivirus and antispam applications" to fight such attacks, Green said. "It's an interesting cat-and-mouse game between the bad guys and the good guys."
"Apparently, they've found that they can be very successful in getting these through by not having it be formatted as an HTML message," Green said.
All recipients have to do to trigger the virus is to click on the link created by the e-mail client once they have read the message, he said.
Adding to the confusion and the potential seriousness of the problem, he said, is that the perpetrators sending these e-mails are using the names of some of the most popular electronic greeting card companies in their messages and Web links.
Avinti said it has updated its Avinti Isolation Server product to protect against such attacks, while other vendors are still updating their own products.
Avinti's alert said the links to the fake e-greeting cards lead to IP addresses in various locations, including the U.S. and Eastern Europe, and many are registered to U.S. Internet service providers. The damaging payload files are new variants of the Storm Worm virus that was first detected in January, the company said.
In its alert today, Helsinki, Finland-based security vendor F-Secure said the fake e-card messages from one group of online criminals appear to have changed since last night, when they dropped the use of attached files and went to plain-text messages.
An included link then tells the recipient to install a free "Microsoft Data Access" application to retrieve the e-card, but that file -- msdataaccess.exe -- is a damaging virus. F-Secure said it has identified the virus as Email-Worm.Win32.Zhelatin.gg.
Danny Allan, director of research at security analysis vendor Watchfire, said he has seen similar all-text e-greeting mailings before, but the numbers have increased lately.
For antivirus and antispam vendors, the theory had been that if the message includes plain text without links and attachments, it could cause no harm, he said. That approach has to change, Allan said.
