Category "Undernet bots"

April 19, 2007

2007/04/19 postcards.gif.exe (mIRC)

Date Discovered: 2007/04/19
Time Discovered: 08:45 CDT
Bot File Location: %WINDIR%\System32\Explorer.exe, %WINDIR%\System\svchost.exe, and many other mIRC-related files in %WINDIR%\System\ (typically C:\WINDOWS\system on a Windows XP PC). Note that neither location is where the legitimate binary of that name lives: the real Explorer.exe is in %WINDIR%, and the real svchost.exe is in %WINDIR%\System32.
Size of Bot File: postcards.gif.exe is 998 KB when downloaded. It is a self-extracting executable; running it creates svchost.exe (1.70 MB) along with the other files listed above.
MD5sum of Bot File: postcards.gif.exe is fdc674c1b16fb5bdf31e4427803dc70b
Known method(s) of infection: Bogus e-mail message with the subject "You just recieved a Electronic Greeting." (sic) or similar. The message contains a link to http:(slash)(slash)59.106.27.38(slash)postcards.gif.exe (URL deliberately defanged).
SAV (Symantec AntiVirus) Status: Detects explorer.exe as "W32.Jeefo", servers.ini as "Trojan Horse" and script.ini as "Backdoor.IRC.Flood". However, the rest of the IRC bot will apparently still run, since svchost.exe itself is not flagged. (Symantec might be detecting the entire kit as "W32.Jeefo" in virus definition files dated today or later.)
Installs Spyware?: Not likely
Possible Removal Instructions: Right-click the transparent icon in the System Tray (typically the bottom right corner of the Windows taskbar, next to the clock) and close mIRC. Then delete %WINDIR%\System\svchost.exe, along with the other files listed above under Bot File Location, and remove its startup entry from the registry (on Windows XP, the Startup tab of msconfig is the easiest way to find and disable it).
Comments: Yet another "Postcard Trojan" that connects to Undernet using mIRC. These are a dime a dozen. If folks are running with typical User privileges, this can't install itself, because it needs write access to %WINDIR%. Folks have to click the link in the e-mail and then choose "Open" or "Run" to be infected, or else save the file to disk and run it manually. It does not exploit any flaw in Windows; it relies purely on social engineering to spread, and it does not spread on its own. The connections to Undernet are the telltale sign of infection, especially ones that begin shortly after a download of roughly one MB from the IP address hosting the malware.
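As an added example (not part of the original post), the telltale signs above turned into a small triage script: it hashes a downloaded file against the MD5 given for postcards.gif.exe, flags explorer.exe/svchost.exe lookalikes sitting outside their legitimate folders, and parses Windows XP `netstat -ano` rows for established connections to IRC server ports from such a misplaced binary. The IRC port list is an assumption of mine (the post names Undernet but no port), the netstat rows and PID-to-image map are constructed sample data, and the remote address 198.51.100.7 is a documentation-range placeholder rather than a real Undernet server.

```python
import hashlib
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Indicators transcribed from the post: the downloader's MD5 and the two
# dropped file names.  Legitimate homes: explorer.exe lives directly in
# %WINDIR%, svchost.exe in %WINDIR%\System32; this kit plants them in
# System32 and in the legacy System folder respectively.
KNOWN_MD5 = {"fdc674c1b16fb5bdf31e4427803dc70b": "postcards.gif.exe"}
LEGIT_HOME = {"explorer.exe": "windir", "svchost.exe": "system32"}

# Assumption (not from the post): ports IRC servers commonly listen on.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# One TCP row of Windows XP `netstat -ano` output:
#   TCP    <local ip>:<port>   <remote ip>:<port>   <STATE>   <PID>
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_dropper(data: bytes) -> bool:
    """True if the bytes hash to the MD5 published for postcards.gif.exe."""
    return md5_hex(data) in KNOWN_MD5


def misplaced_system_binaries(paths: Iterable[str], windir: str = r"C:\WINDOWS") -> List[str]:
    """Return paths whose file name impersonates a Windows binary but whose
    folder is not where that binary legitimately lives."""
    hits = []
    for p in paths:
        name = ntpath.basename(p).lower()
        if name not in LEGIT_HOME:
            continue
        expected = windir if LEGIT_HOME[name] == "windir" else ntpath.join(windir, "System32")
        if ntpath.dirname(p).lower() != expected.lower():
            hits.append(p)
    return hits


def irc_connections(netstat_lines: Iterable[str],
                    pid_to_image: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Parse netstat rows; return (pid, image path, remote) for every
    ESTABLISHED connection to an IRC port."""
    out = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank line, or UDP row
        _lip, _lport, rip, rport, state, pid = m.groups()
        if state == "ESTABLISHED" and int(rport) in IRC_PORTS:
            out.append((int(pid), pid_to_image.get(int(pid), "?"), f"{rip}:{rport}"))
    return out


def triage(netstat_lines: Iterable[str], pid_to_image: Dict[int, str],
           windir: str = r"C:\WINDOWS") -> List[Tuple[int, str, str]]:
    """Combine both signals: an IRC connection owned by a misplaced
    system-binary lookalike is the pattern this post describes."""
    bad = set(misplaced_system_binaries(pid_to_image.values(), windir))
    return [c for c in irc_connections(netstat_lines, pid_to_image) if c[1] in bad]


# Constructed sample data: what `netstat -ano` and a PID-to-image listing
# (tasklist /v or Process Explorer on XP) might look like on an infected box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.10:1029      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.10:1044      10.0.0.5:80            ESTABLISHED     1288
  TCP    192.168.1.10:1052      198.51.100.7:6667      ESTABLISHED     1764
  TCP    192.168.1.10:1053      198.51.100.7:6667      SYN_SENT        1764
""".splitlines()

SAMPLE_PIDS = {
    4: "System",
    860: r"C:\WINDOWS\System32\svchost.exe",       # legitimate
    1288: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1552: r"C:\WINDOWS\Explorer.exe",               # legitimate
    1764: r"C:\WINDOWS\System\svchost.exe",         # the mIRC bot
}

if __name__ == "__main__":
    for pid, image, remote in triage(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"PID {pid} ({image}) -> {remote}: likely IRC bot")
```

On a live box the netstat rows come from `netstat -ano` and the PID map from `tasklist` or Process Explorer; the hash check is meant for the file as downloaded, before it is run, since the extracted svchost.exe has a different size and hash.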

Posted by eckman at 9:42 AM | Undernet bots