[Dshield] Friendgreetings.com mass emailer

Wayne Beckham wbeckham at yahoo.com
Fri Oct 25 15:57:00 GMT 2002


Does anyone have the IP address for friendgreetings.com or
surprisecards.net - I'm running a whois now, but I thought someone else
may already have the info...

Wayne Beckham
Network Administrator (Security)
Infragard Member (Los Angeles Chapter)
http://www.infragardla.com

Riverside County Information Technology
Client Services Division
1113 Spruce St.
Riverside, CA. 92507


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Russell Washington
Sent: Friday, October 25, 2002 8:09 AM
To: 'list at dshield.org'
Subject: RE: [Dshield] Friendgreetings.com mass emailer


Craig nailed it, that's the one.  Symantec now has a doc up too:

http://securityresponse.symantec.com/avcenter/venc/data/friendgreetings.html

Truth is that these companies can call it non-malicious all they want.
Anything that masquerades itself as coming from someone else to
facilitate propagation and mail-bombs contact lists is definitely
treading in wormspace... and I'll bet this thing does a lot more than
what the EULA authorizes although I have nothing to back that up.  We're
thinking over here that the email addresses it pulls are probably
getting culled for resale and reuse.

But that's another discussion.  For anyone looking to extract this thing
from their systems, good luck.  We're nuking the two boxes we found it
on because we can't verify their integrity.

"It's not a virus, it's not a worm... because it has a EULA" :)

-----Original Message-----
From: Tom Liston [mailto:tliston at premmag.com] 
Sent: Friday, October 25, 2002 6:47 AM
To: list at dshield.org
Subject: Re: [Dshield] Friendgreetings.com mass emailer


Could it be something like this?

http://www.theregister.co.uk/content/55/27782.html

On 24 Oct 2002 at 15:02, Russell Washington wrote:

> We've been researching an item that "landed" in an end-user's inbox
> this morning.  Given the lack of information on this mass emailer I 
> thought I should get some more seasoned eyes on it.  Here's the dump 
> of information I have to date.  Symantec is aware of this item but (at
> least when we talked
---- >8 ---- Snip! 

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
