[Dshield] Friendgreetings.com mass emailer

Russell Washington russ.washington at vaultsentry.com
Thu Oct 24 22:02:53 GMT 2002

We've been researching an item that "landed" in an end-user's inbox this
morning.  Given the lack of information on this mass emailer I thought I
should get some more seasoned eyes on it.  Here's the dump of information I
have to date.  Symantec is aware of this item but (at least when we talked
to them) has it classified as "non-malicious malware" and is still debating
whether to include detection for it in the Norton Anti-Virus product.

It is probably worthwhile to figure out what the background process this
thing leaves running is actually up to.  When we locked down the NTFS (yes,
Windows, sorry) permissions on the directory containing the executable and
its DLLs, other processes (no pattern determined) became unhappy.  Might be
coincidence, might be causal.

Anyway, have at this one guys.  Our research is far from comprehensive.

The trojan runs a program called OTMS.EXE in the background and sets the
system up to restart it at each logon. What purpose this program serves is
unknown and we have been unable to test it. At this point I believe the
safest assumption to make is that it represents a security compromise, and
the process should be terminated on any machine running it. 

The program comes from an outfit called "Permission Media" and installs
something for "Friend Greetings". It looks like Friend Greetings is the user
and Permission Media is the creator. Important to note is the following
License Agreement verbiage ("Friendgreetings License Agreement") that I dug
out of what appeared to be the install point: 

	1. Consent to E-Mail Your Contacts. As part of the installation
process, Permissioned Media will access your MicroSoft Outlook(r) Contacts
list and send an e-mail to persons on your Contacts list inviting them to
download FriendGreetings or related products. By downloading, installing,
accessing or using the FriendGreetings, you authorize Permissioned Media to
access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized
e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO

End User Zero claimed they never saw this agreement.  However, Symantec
claimed that this verbiage is in fact presented and we have confirmed this.
Either way it explains exactly what we saw, which was that the first
infected machine started shoveling customized-to-the-contact copies of the
original email to everyone in the victim's address book.

The only reference I was able to find in Google, under a variety of searches,
is a single message thread, and that thread only underscores the unknown
nature of this program. You can find the thread at
http://forums.techguy.org/t100166/s49b6012a49a2b50020b83e4d76bce31f.html. It
should be noted that one of the filenames installed, "winsrvc.exe", is
referenced in knowledge bases as being associated with the 2000-era Navidad
virus. This does not appear to be the same program or even a variant. 

Technical details known to date: 

The installer uses an MSI package and invokes the Windows Installer service.

The installer placed materiel in the directories c:\program files\common
files\media, c:\temp\_IS5, and
c:\temp\{499AFE40-6C35-483D-B6F3-F6AB95C2E6EC}. The last two directories may
be temporary install points that are deleted when installation is
successfully completed. The "license agreements" are in the last directory. 

The installer inserts the item "PMedia" under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value C:\Program
Files\Common Files\Media\OTMS.exe. 

The installer invokes OTMS.EXE with the obvious intent of having it run this
process in the background. 

The installer places an application called "WinSrv Reg" in Add/Remove
Programs (HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall)

---- Begin original message---- 
From: (infected sender) 
Sent: Thursday, October 24, 2002 9:59 AM 
To: (Recipient email "friendly name" in sender's Outlook Contacts folder) 
Subject: (recipient first name) you have an E-Card from . 
has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link
(recipient first name), 
I sent you a greeting card. Please pick it up. 
----End original message---- 

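An added example, not part of the original post and not code from Permissioned Media: a PowerShell check for the artifacts the post lists (the "PMedia" value under HKLM\...\Run pointing at OTMS.exe, the OTMS.EXE process, the install directories, and the "WinSrv Reg" Add/Remove Programs entry). The function name and the -Remove switch are this example's own; the paths, value names and process name are taken from the post. Run it elevated if you use -Remove, since writing HKLM requires administrator rights.

```powershell
# Added example: sweep a Windows host for the FriendGreetings / Permissioned Media
# artifacts described in the post above. Function name and -Remove switch are
# this example's own; indicators come from the post.

function Test-FriendGreetingsArtifacts {
    [CmdletBinding()]
    param(
        # Remove the Run value and stop OTMS.exe when found (needs admin rights)
        [switch]$Remove
    )

    $findings = @()

    # 1. Logon persistence: HKLM\...\Run value "PMedia" -> C:\Program Files\Common Files\Media\OTMS.exe
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['PMedia']) {
        $findings += "Run value PMedia = $($run.PMedia)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'PMedia' }
    }

    # 2. The background process the installer starts
    foreach ($p in (Get-Process -Name 'OTMS' -ErrorAction SilentlyContinue)) {
        $findings += "Process OTMS.exe running, PID $($p.Id), path $($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }

    # 3. Dropped files and install points reported in the post
    #    (-LiteralPath so the braces and brackets are not treated as wildcards)
    $paths = @(
        'C:\Program Files\Common Files\Media\OTMS.exe',
        'C:\Program Files\Common Files\Media',
        'C:\temp\_IS5',
        'C:\temp\{499AFE40-6C35-483D-B6F3-F6AB95C2E6EC}'
    )
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            $findings += "Present: $path"
        }
    }
    # List whatever else sits in the Media directory (post mentions DLLs and winsrvc.exe
    # but not their exact location, so this is just an inventory for the analyst)
    $mediaDir = 'C:\Program Files\Common Files\Media'
    if (Test-Path -LiteralPath $mediaDir) {
        Get-ChildItem -LiteralPath $mediaDir -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Media dir file: $($_.Name) ($($_.Length) bytes)" }
    }

    # 4. Add/Remove Programs entry named "WinSrv Reg"
    $uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $uninstallKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -eq 'WinSrv Reg' } |
        ForEach-Object {
            $findings += "Uninstall entry $($_.PSChildName): DisplayName='$($_.DisplayName)' UninstallString='$($_.UninstallString)'"
        }

    return $findings
}

# Usage: report only. Add -Remove to kill OTMS.exe and delete the Run value.
$results = Test-FriendGreetingsArtifacts
if ($results.Count -eq 0) { 'No FriendGreetings artifacts found.' } else { $results }
```

The check is deliberately read-only by default; -Remove only removes the logon persistence and stops the process, and leaves the files and the uninstall entry in place so they can be collected for analysis before cleanup.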