Morphing ecards

As Hurricane Dean hits the coast of South America there seems to be no end to the ecard storm. Though the spammers are changing the mails they are failing to permanently sidestep SophosLabs’s proactive Genotype detection.

The new campaign has little in common with the old one:-

Message Body

This email pretends to contain login details or registration information for a website. Clicking on the link (which is still using IP addresses instead of links) leads you to a malicious download.

Looking at that IP address via an internal tool Sourcedec:

Sourcedec output

The eagle-eyed amongst you will notice that the malware author still tries to get the user to manually download files as well as not having a liking for one of our competitors.

The actual files are:

>>> Virus ‘Troj/JSXor-Gen‘ found in file /data2/srcdec/files/
>>> Virus ‘Mal/Dorf-E‘ found in file /data2/srcdec/files/15.pee

Sophos users need not fear, as the current shipping versions of our products already detect them.