[klmtfsat_private: Your Online Greeting Awaits You!]

From: diphenat_private
Date: Sun Aug 12 2001 - 02:05:08 PDT

Next message: Justin Shore: "Re: What the *** is this"

Previous message: David LeBlanc: "Variant that hits more than c: and d:???"
Next in thread: Mark Collins: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Mark Collins: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Jay D. Dyson: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: freeholdat_private: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Brett Glass: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Has anyone run across this before? It showed up in one of my other email
accounts this evening. When you go to the site it displays a message
about 'Image Browser Not Supported'. What this links to is a file called
american.exe. It appears to be a win32 binary containing some sort of
file archive. Unfortunately I don't have good facilities (or expertise,
really) for figuring out what this thing does. If anyone with more
windows expertise wants to take a look, you can grab the file from the
site, or I can forward a copy. I'm guessing it's some sort of trojan.

(The reason this makes me suspicious is that the rest of the site appears
to be entirely bogus. The first supplied url is www.greetingcardsusa.cc,
but all the links from the page go to americangreetingz.net, which
doesn't resolve. Also, the american.exe link is just an ip. It
reverse-resolves to paypalgreen.com, which also looks rather weird.)

Thanks.

-gabe

----- Forwarded message from klmtfsat_private -----

Delivered-To: diphenat_private
Resent-Message-Id: <200108120841.f7C8fB116856at_private>
X-envelope-info: <KLMTFS1at_private>
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
From: klmtfsat_private
To: chagrusat_private
Date: Sun, 12 Aug 2001 04:26:42 -0800
Subject: Your Online Greeting Awaits You!
X-OriginalArrivalTime: 12 Aug 2001 08:14:07.0296 (UTC) FILETIME=[C1E65C00:01C12306]

Hello!  We're writing to let you know that someone has sent you a greeting. 

To pick up your greeting, simply click on this link: 
http://www.GreetingCardsUSA.cc?aspickup.pd?i=710242162&m=1732&rr=y 

If your e-mail program doesn't recognize the above address as a link, just 
copy and paste the address into your web browser's "address" window. 

We hope you enjoy your greeting. If you have any questions feel free to email 
us at the address below. 

Thanks! 

James Cordman 
jamesat_private 
GreetingCardsUSA.cc 
Know one knows Greetings Like American Greetingz! 

----- End forwarded message -----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Justin Shore: "Re: What the *** is this"
Previous message: David LeBlanc: "Variant that hits more than c: and d:???"
Next in thread: Mark Collins: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Mark Collins: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Jay D. Dyson: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: freeholdat_private: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Reply: Brett Glass: "Re: [klmtfsat_private: Your Online Greeting Awaits You!]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 10:56:31 PDT