[Dshield] Friendgreetings.com mass emailer

Jason Allen jallen at garden-city.org
Fri Oct 25 15:53:12 GMT 2002


We've found one in an inbox, but would you believe it.....the user actually
CALLED us before she clicked it!!!!! Is this POSSIBLE??? :) Glorious day!!!
We have since blocked the site at the firewall and made sure MSI files are
blocked with our Antigen. Hopefully that'll slow 'em down a little. :)

-----Original Message-----
From: Russell Washington [mailto:russ.washington at vaultsentry.com]
Sent: Friday, October 25, 2002 8:09 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer


Craig nailed it, that's the one.  Symantec now has a doc up too:

http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html

Truth is that these companies can call it non-malicious all they want.
Anything that masquerades itself as coming from someone else to facilitate
propagation and mail-bombs contact lists is definitely treading in
wormspace... and I'll bet this thing does a lot more than what the EULA
authorizes, although I have nothing to back that up.  We're thinking over
here that the email addresses it pulls are probably getting culled for
resale and reuse.

But that's another discussion.  For anyone looking to extract this thing
from their systems, good luck.  We're nuking the two boxes we found it on
because we can't verify their integrity.

"It's not a virus, it's not a worm... because it has a EULA" :)

-----Original Message-----
From: Tom Liston [mailto:tliston at premmag.com] 
Sent: Friday, October 25, 2002 6:47 AM
To: list at dshield.org
Subject: Re: [Dshield] Friendgreetings.com mass emailer


Could it be something like this?

http://www.theregister.co.uk/content/55/27782.html

On 24 Oct 2002 at 15:02, Russell Washington wrote:

> We've been researching an item that "landed" in an end-user's inbox 
> this morning.  Given the lack of information on this mass emailer I 
> thought I should get some more seasoned eyes on it.  Here's the dump 
> of information I have to date.  Symantec is aware of this item but (at 
> least when we talked
---- >8 ---- Snip! 

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

