- You've received a greeting card from a class-mate!
- You've received a greeting card from a colleague!
- You've received a greeting card from a family member!
- You've received a greeting card from a friend!
- You've received a greeting card from a neighbor!
- You've received a greeting card from a school mate!
- You've received a greeting ecard from a class-mate!
- You've received a greeting ecard from a colleague!
- You've received a greeting ecard from a family member!
- You've received a greeting ecard from a friend!
- You've received a greeting ecard from a neighbour!
- You've received a greeting ecard from a partner!
- You've received a greeting ecard from a worshipper!
- You've received a greeting postcard from a colleague!
- You've received a greeting postcard from a family member!
- You've received a greeting postcard from a friend!
- You've received a postcard from a class-mate!
- You've received a postcard from a colleague!
- You've received a postcard from a family member!
- You've received a postcard from a partner!
- You've received an ecard from a partner!
- You've received an ecard from a worshipper!
The Internet Storm Center has an excellent analysis.
Here's a sample 'index.html' file:
The hex code goes on for awhile:
The file is obfuscated with XORed hexadecimal. The key in this case is '227' (it changes with each copy, for a simple form of polymorphism). This perl snippet will decode the XORed hex:
perl -e 'while(<>){
s/\\x([a-f0-9]{2})/chr(227)^pack(C,hex($1))/eg;print;}'
If you are analyzing your own code, change the '227' in the perl code to match the key in the index.html file.
The de-obfuscated code looks like this:
Among other nastiness, it retrieves the file http://XX.252.250.104/file.php, which is really a Windows executable that BitDefender identifies as: "Generic.Malware.dld!!.2526793B"