[Dshield] Friendgreetings.com mass emailer

Craig Shaw CraigS at caamb.mb.ca
Fri Oct 25 14:14:40 GMT 2002


Sophos had an analysis.


It's not a virus, it's not a worm.. but it could be considered a nuisance

Sophos technical support has received a significant number of calls from
customers concerned about a widespread email which invites users to pick up
an "E-Card" from a website called FriendGreetings.com.

If users follow the link in the email, they are invited to install an
ActiveX control onto their computer. An end-user license agreement (EULA) is
displayed stating that by installing the application the user is giving
permission to send a similar greeting card to all addresses found in the
user's Outlook address book.

Of course, many users will not read the EULA thoroughly and will simply give
permission for the ActiveX control to be installed, thus allowing many
unwanted emails to be sent.

The emails arrive with the following characteristics:


   <Recipient name> you have an E-Card from <Sender name>



   <Sender name> has sent you an E-Card - a virtual postcard from
   FriendGreetings.com. You can pick up your E-Card at the
   FriendGreetings.com by clicking on the link below.

   <A url at www.friendgreetings.com is then displayed>

   <Recipient name>
   I sent you a greeting card. Please pick it up.
   <Sender name>

It should be noted that this is not a virus or a worm, and that the email
has no attachment.

Customers with web proxies who are concerned about users forwarding unwanted
emails may like to consider blocking access to www.friendgreetings.com. The
website is run by a Panamanian company called Permission Media, Inc.
Companies who receive unwanted email as described above may wish to complain
directly to Permission Media.


Craig Shaw
Systems Administrator
CAA Manitoba
(204) 987-6035
craigs at caamanitoba.com

-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com] 
Sent: 24-Oct-02 17:03
To: 'list at dshield.org'
Subject: [Dshield] Friendgreetings.com mass emailer

We've been researching an item that "landed" in an end-user's inbox this
morning.  Given the lack of information on this mass emailer I thought I
should get some more seasoned eyes on it.  Here's the dump of information I
have to date.  Symantec is aware of this item but (at least when we talked
to them) has it classified as "non-malicious malware" and is still debating
whether to include detection for it in the Norton Anti-Virus product.

It is probably worthwhile to figure out what the background process this
thing leaves running is actually up to.  When we locked down the NTFS (yes,
Windows, sorry) permissions on the directory containing the executable and
its DLLs, other processes (no pattern determined) became unhappy.  Might be
coincidence, might be causal.

Anyway, have at this one guys.  Our research is far from comprehensive.

The trojan runs a program called OTMS.EXE in the background and sets the
system up to restart it at each logon. What purpose this program serves is
unknown and we have been unable to test it. At this point I believe the
safest assumption to make is that it represents a security compromise, and
the process should be terminated on any machine running it. 

The program comes from an outfit called "Permission Media" and installs
something for "Friend Greetings". It looks like Friend Greetings is the user
and Permission Media is the creator. Important to note is the following
License Agreement verbiage ("Friendgreetings License Agreement") that I dug
out of what appeared to be the install point: 

	1. Consent to E-Mail Your Contacts. As part of the installation
process, Permissioned Media will access your MicroSoft Outlook(r) Contacts
list and send an e-mail to persons on your Contacts list inviting them to
download FriendGreetings or related products. By downloading, installing,
accessing or using the FriendGreetings, you authorize Permissioned Media to
access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized
e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO

End User Zero claimed they never saw this agreement.  However, Symantec
claimed that this verbiage is in fact presented and we have confirmed this.
Either way it explains exactly what we saw, which was that the first
infected machine started shoveling customized-to-the-contact copies of the
original email to everyone in the victim's address book.

We only found one reference in Google that I was able to find under a
variety of searches, and the message thread only underscores the unknown
nature of this program. You can find the thread at
http://forums.techguy.org/t100166/s49b6012a49a2b50020b83e4d76bce31f.html. It
should be noted that one of the filenames installed, "winsrvc.exe", is
referenced in knowledge bases as being associated with the 2000-era Navidad
virus. This does not appear to be the same program or even a variant. 

Technical details known to date: 

The installer uses an MSI package and invokes the Windows Installer service.

The installer placed materiel in the directories c:\program files\common
files\media, c:\temp\_IS5, and
c:\temp\{499AFE40-6C35-483D-B6F3-F6AB95C2E6EC}. The last two directories may
be temporary install points that are deleted when installation is
successfully completed. The "license agreements" are in the last directory. 

The installer inserts the item "PMedia" under
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value C:\Program
Files\Common Files\Media\OTMS.exe. 

The installer invokes OTMS.EXE with the obvious intent of having it run this
process in the background. 

The installer places an application called "WinSrv Reg" in Add/Remove
Programs (HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall)

---- Begin original message---- 
From: (infected sender) 
Sent: Thursday, October 24, 2002 9:59 AM 
To: (Recipient email "friendly name" in sender's Outlook Contacts folder) 
Subject: (recipient first name) you have an E-Card from . 
has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link
(recipient first name), 
I sent you a greeting card. Please pick it up. 
----End original message---- 

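The registry indicators listed under "Technical details known to date" can be checked across many machines by collecting `reg query` text output from each host and scanning it centrally. The following is an added example, not part of either message and not code from Sophos or the posters; the function names are hypothetical, the sample output is constructed, and it assumes the Add/Remove Programs label "WinSrv Reg" is stored as a `DisplayName` value.

```python
import re

# Indicators exactly as reported in the message above.
RUN_VALUE_NAME = "PMedia"
RUN_TARGET = r"\common files\media\otms.exe"
ADD_REMOVE_NAME = "WinSrv Reg"

# One value line of `reg query` text output: indent, name, type, optional data.
VALUE_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

def parse_reg_values(text):
    """Yield (key, name, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), (m.group("data") or "").strip()

def find_indicators(run_output, uninstall_output):
    """Return findings from Run-key and Uninstall-key query output."""
    findings = []
    for key, name, data in parse_reg_values(run_output):
        # Match on the value name or on the target path, case-insensitively.
        if name.lower() == RUN_VALUE_NAME.lower() or RUN_TARGET in data.lower():
            findings.append(f"autostart: {name} = {data}")
    for key, name, data in parse_reg_values(uninstall_output):
        # Assumption: the Add/Remove Programs label is the DisplayName value.
        if name.lower() == "displayname" and data.lower() == ADD_REMOVE_NAME.lower():
            findings.append(f"add/remove entry: {data} ({key})")
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    PMedia    REG_SZ    C:\Program Files\Common Files\Media\OTMS.exe
"""
SAMPLE_UNINSTALL = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PLACEHOLDER-SUBKEY}
    DisplayName    REG_SZ    WinSrv Reg
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_RUN, SAMPLE_UNINSTALL):
        print(finding)
```

Feed it the output of `reg query` on the Run key and of `reg query ... /s` on the Uninstall key; an empty list means neither reported registry indicator is present in that output.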