W32/Zhelatin.gen!eml
This is a generic detection of spammed email messages used to entice users into visiting sites hosting exploits that result in a drive-by download. On visiting the link, a cocktail of browser and application exploits is run that attempts a silent drive-by install of malware on the user's machine. The script used for the drive-by download is detected as JS/Downloader-BCZ.
Characteristics -

This threat is updated on a daily basis.
For the latest on the tactics used by this virus family, please check the Avert Blog.
This is a detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.
The user receives an email titled “You’re received a postcard” in their inbox and is asked to open the link in the message body in order to view the virtual postcard.
On visiting the link, a cocktail of browser and application exploits is run that attempts a drive-by install of malware on the user's machine.
A copy of the spammed message is as follows:
Note: The link in the message has been sanitized so that users cannot reconstruct it.
Symptoms
Presence of the W32/Zhelatin.gen!eml detection is not an indication that a system has become actively infected.
The From address is spoofed when the infectious email messages are sent; therefore it cannot be assumed that the From address is any indication of which user may actually be infected.
The following subject lines have been observed in the wild:
You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partner
Customers should simply delete all email messages identified as W32/Zhelatin.gen!eml.
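As an added example (not part of the original AVERT description), the following Python checks a raw message against the subject lines listed above and pulls out any links in the body, the two features a mail-gateway rule for this lure would key on. The sample messages and the 203.0.113.10 link are constructed; the lure in this campaign carried a sanitized link that the page does not reproduce.

```python
import email
import re
from email import policy

# Subject lines observed in the wild for this detection, as listed on this page.
# Curly apostrophes are normalised to straight ones before matching.
SUBJECT_PATTERN = re.compile(
    r"^you'(?:ve|re) received a (?:greeting card|postcard)"
    r"(?: from a (?:admirer|class[ -]?mate|colleague|family member"
    r"|friend|mate|neighbou?r|partner)!?)?$",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_subject(subject: str) -> str:
    """Replace curly/backtick apostrophes with ' and trim whitespace."""
    return re.sub(r"[\u2018\u2019`]", "'", subject or "").strip()


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report whether it looks like the e-card lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = normalise_subject(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_PATTERN.findall(text)
    matched = bool(SUBJECT_PATTERN.match(subject))
    return {
        "subject_matches": matched,
        "urls": urls,
        # The From header is spoofed in this campaign: report it, never trust it.
        "from": msg.get("From", ""),
        "verdict": "W32/Zhelatin.gen!eml-like lure" if matched and urls else "no match",
    }


# Constructed sample messages (not real captures); 203.0.113.0/24 is a documentation range.
SAMPLE_LURE = b"""From: "Greeting Cards" <cards@example.invalid>
To: victim@example.invalid
Subject: You've received a greeting card from a class-mate!

Hello! Your class mate has sent you a greeting card.
View it at http://203.0.113.10/?e=postcard
"""
SAMPLE_BENIGN = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch tomorrow?

Are you free at noon? The menu is at http://example.invalid/menu
"""
```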
Method of Infection
The URL in the message points to a site hosting a cocktail of browser and application exploits. On visiting the site, a silent drive-by install of malware is attempted on unpatched machines.
Removal -
A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations