Dec 10 2010
Spoof E-Cards signal the coming of Christmas
Christmas is two weeks away, but the bad guys have already begun heating up the holiday atmosphere with a new virus-spreading campaign that uses emails posing as Christmas greeting cards.
A spoof E-card
Virus with Santa icon
According to the information collected by our honeypot system, the people behind this campaign are the same group of hackers who have been taking advantage of popular online services (Facebook, Hi5, Twitter, Google, Hallmark, etc.) to spread viruses in recent times.
When executed, this virus (named W32.Christecard.Worm by Bkav):
Generates the following files:
- %SystemDir%\AdobeARM.exe
- %SystemDir%\adobe3.exe
- %SystemDir%\adobe4.exe
- %Windir%\nherdm.dll
Creates the following values under the registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  Adobe Updater1 = "%System%\AdobeARM.exe"
  Pwulinubesida = "rundll32.exe "%Windir%\nherdm.dll",Startup"
Injects its malicious code into the system process “explorer.exe”, sends spoof e-cards carrying the virus in order to spread, and connects to servers at the following IP addresses:
- 72.233.89.199
- 94.75.221.78
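A read-only sweep for the indicators listed above, added here as an example (it is not Bkav's own tooling). It assumes that %SystemDir% and %System% both mean the Windows system directory, and it inspects only the Run key of the user who runs it.

```powershell
# IoC sweep for W32.Christecard.Worm, using only the indicators listed in this post.
# Assumption: %SystemDir% / %System% are the Windows system directory. SysWOW64 is
# checked as well, because 32-bit code on 64-bit Windows is redirected there.
$sysDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$fileNames = 'AdobeARM.exe', 'adobe3.exe', 'adobe4.exe'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames  = 'Adobe Updater1', 'Pwulinubesida'
$servers   = '72.233.89.199', '94.75.221.78'
$psMeta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings  = @()

# 1. Dropped files
$paths = @(foreach ($d in $sysDirs) { foreach ($f in $fileNames) { Join-Path $d $f } })
$paths += Join-Path $env:SystemRoot 'nherdm.dll'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "File present: $p" }
}

# 2. Autorun values: match on the value name from the post, and also on the value
#    data, so that an entry stored under a different name is still reported.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }   # skip provider metadata
        $byName = $runNames -contains $prop.Name
        $byData = "$($prop.Value)" -match 'nherdm\.dll|(system32|syswow64)\\AdobeARM\.exe'
        if ($byName -or $byData) {
            $findings += "Run value: $($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. TCP connections to the listed servers. netstat is used so that the check
#    also works on older Windows versions.
$patterns = $servers | ForEach-Object { '\s' + [regex]::Escape($_) + ':' }
foreach ($hit in (netstat -n | Select-String -Pattern $patterns)) {
    $findings += "Connection: $($hit.Line.Trim())"
}

if ($findings.Count -gt 0) { $findings } else { 'No indicators from this post found.' }
```

A hit on any one check is reason to examine the machine further; a clean result covers only the current user's profile and the connections open at the moment the script runs.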
Christmas is coming, and with it an increasing demand for sending best wishes via e-cards. Everyone wants to receive such cute cards from relatives and friends, but stay vigilant about the files attached to these cards.
Nguyen Cong Cuong
Senior Malware Researcher

