PANGosaurus
Sun, 17 Nov 2002 19:26:15 -0800
Colext/Macondo Cantina virtual de los COLombianos en el EXTerior --------------------------------------------------
You are getting this just because you are on my email Address List (PANG's).

DO NOT DOWNLOAD installer programs for E-Cards!

Currently making the rounds across the internet is a nuisance called the "Friend Greeting Application". This is an e-mail worm. Victims receive an e-mail with the subject line: "you have an E-Card from [x]", where [x] is someone you know. Within the received e-mail is a link to a web address on the site "www.friendgreetings.com". (An E-Card, for those who don't know, is an "electronic greeting card".)

Do not click on the link. Clicking on the link will take you to the specified web address, which will then attempt to download an installer program for the Friend Greeting application to your computer. This program, once installed, will send an e-mail like the above to everyone in your address book (for Outlook users). (It does not actually show you an "e-card".)

For detailed information, see the following McAfee web page:
http://vil.mcafee.com/dispVirus.asp?virus_k=99760

Virus Profile

Virus Information

  Name: Friend Greeting application
  Date Discovered: 10/24/2002
  Date Added: 10/24/2002
  Origin: Unknown
  Length: 1,142,044 bytes
  Type: Program
  SubType: -
  DAT Required: 4231

Virus Characteristics

Due to the fact that this program requires users to download an installer, and agree to allow the program to email a link back to the website to all Microsoft Outlook contacts, this is not considered to be a virus. However, application detection is included in the 4231 DAT files when using the command-line scanner. See the removal instructions for more information.

This application works when visiting a specific webpage on the www.friendgreetings.com website. A link to this page arrives in an email message as described below. Once this page has loaded, users are prompted to download and run an installer package. Selecting YES will download the installer. An MSI installer package is run and the user is prompted to accept 2 End User License Agreements (EULA).
Within the second EULA is the following statement:

Once this agreement has been accepted, the program emails all users in the Outlook Address book with the following message:

  Subject: %Recipient% you have an E-Card from %Sender%.

  Body: Greetings! %sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

  http://www.friendgreetings.com/pickup/pickup.aspx?code=%recipient%&id=%code%

  Message:
  ------------------------------------------------------------------------
  %Recipient%, I sent you a greeting card. Please pick it up.
  %Sender%
  ------------------------------------------------------------------------

Indications Of Infection

Presence of the following files:

  Friend Greetings.msi or Friend%20Greetings[1].msi
  %Program Files%\Common Files\Media\Otms.exe
  %Program Files%\Common Files\Media\OTDock.dll
  %Program Files%\Common Files\Media\Otglove.dll
  %Program Files%\Common Files\Media\Otupdate.exe
  %Program Files%\Common Files\Media\Winsrvc.dat
  %Program Files%\Common Files\Media\Winsrvc.exe

Method Of Infection

An effect of one of the components of this application results in minimized Windows and applications being hidden from the taskbar.

Removal Instructions

Use the ADD/REMOVE Programs Control Panel in Windows to remove the Friend Greetings application, as well as the WinSrv Reg application. This will uninstall this program.

This application installer creates an executable named TAFW.EXE. This executable is responsible for the mass-mailing routine. Before mailing, it checks for the presence of a file named AS.INI in the \Program Files\Common Files (%ProgDir%\Common files) folder. If this file already exists, the application does not mass-mail. If it does not exist, the mailing commences; afterwards the TAFW.EXE file creates a 0 byte file named AS.INI.
To prevent potential mass-mailing of this application, administrators and users may wish to create this INI file: \PROGRAM FILES\COMMON FILES\AS.INI.

When using the specified scan engine, the command line scanner with the /PROGRAM /CLEAN switches will detect and remove this application when using the specified DAT files. On-access scanners will not detect this application, except for gateway scanners.

  Ensure that you are running the specified DATs and Engine
  Click the START button
  Click RUN
  Type COMMAND and hit ENTER
  Type: c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /clean and hit ENTER.

Administrators may choose to block the following sites associated with this application:

  www.friendgreetings.com
  www.friendgreetings.net
  www.friend-greetings.com
  www.friend-greetings.net
  www.friend-greeting.com
  www.friend-cards.net
  www.friend-cards.com
  www.friend-card.com
  www.cool-downloads.net
  www.cool-downloads.com
  www.laugh-mail.com
  www.laugh-mail.net

Aliases

FriendGreetings.com, W32.Friendgreet.worm (Symantec)

McAfee is a business unit of Network Associates, Inc. © 2002, Networks Associates Technology, Inc. All Rights Reserved.

===================================
PANGosaurus
** CyberCogito ergo CyberSum **
<[EMAIL PROTECTED]>
--------------------------------------------------------------
To unsubscribe send an email to: [EMAIL PROTECTED] with UNSUBSCRIBE COLEXT as the BODY of the message.
An archive of colext can be found at: http://www.mail-archive.com/colext@talklist.com/ courtesy of Anibal Monsalve Salazar
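
The file checks and the AS.INI marker described in the forwarded advisory, written out as an added Python example (not part of the original message or of McAfee's tooling). It matches on file name only; the function names, the `search_roots` parameter and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Names copied from the advisory; the search locations are assumptions.
MEDIA_FILES = {"otms.exe", "otdock.dll", "otglove.dll",
               "otupdate.exe", "winsrvc.dat", "winsrvc.exe"}
LOOSE_FILES = {"friend greetings.msi", "friend%20greetings[1].msi", "tafw.exe"}

def find_indicators(program_files, search_roots=()):
    """Return sorted paths of files whose names match the advisory's list."""
    hits = []
    media = Path(program_files) / "Common Files" / "Media"
    if media.is_dir():
        hits += [p for p in media.iterdir()
                 if p.is_file() and p.name.lower() in MEDIA_FILES]
    # The advisory gives no folder for the installer or TAFW.EXE, so the
    # caller chooses where to look (download folders, temp folders, ...).
    for root in search_roots:
        for dirpath, _dirs, files in os.walk(root):
            hits += [Path(dirpath) / f for f in files if f.lower() in LOOSE_FILES]
    return sorted(str(p) for p in hits)

def ensure_marker(program_files):
    """Create the 0-byte AS.INI; True if created, False if already there."""
    marker = Path(program_files) / "Common Files" / "AS.INI"
    marker.parent.mkdir(parents=True, exist_ok=True)
    try:
        # Mode "x" fails instead of truncating a file that already exists.
        with open(marker, "x"):
            return True
    except FileExistsError:
        return False

if __name__ == "__main__":
    # Constructed directory tree standing in for a real system drive.
    with tempfile.TemporaryDirectory() as drive:
        pf = Path(drive) / "Program Files"
        media = pf / "Common Files" / "Media"
        media.mkdir(parents=True)
        (media / "Otms.exe").touch()
        downloads = Path(drive) / "Downloads"
        downloads.mkdir()
        (downloads / "Friend Greetings.msi").touch()
        for hit in find_indicators(pf, [downloads]):
            print("indicator:", hit)
        print("marker created:", ensure_marker(pf))
```

A marker that already exists means either someone placed it deliberately or the mailer has already run, so `ensure_marker` returning False on a machine with indicator hits is itself worth following up.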