Postcard
Type Mass-mailer worm
Creator Lord Yup
Date Discovered 08-MAR-2001
Place of Origin Poland
Source Language Visual Basic, HTML
Platform MS Windows
File Type(s) .vbs
Infection Length 12,907 bytes

Postcard is a polymorphic virus by Lord Yup. It is written in Visual Basic Script and can arrive either as a script or as an HTML page. Although it is not intentionally destructive, it lowers security settings that are already weak, opening the system to further attacks; in doing so it exposed a vulnerability in Internet Explorer.

Behavior

Message

Postcard may arrive on a system in an email with one of the following subject lines:

  • Happy new Millenium (read the postcard (attached file))
  • Postcard for you is waiting (in attachment)
  • Happy 2001 (for more action check attached file)
  • Stroke of luck? in 2001? (happy 2001 -read attachment)
  • Goodies
  • You have got a postcard (attached file)
  • Someone sent you a postcard (in attachment)

The message body is in HTML format, and includes the following text:

HaPPy NeW Millenium
Happy new year
Best wishes from:
your dear ...

Infection

When executed, it enables the Internet Explorer security setting "Initialize and script ActiveX controls not marked as safe". This lets scripts contained in HTML pages stored on the local computer run without any permission prompt, just like separately stored scripts. This option is not visible in the Security tab of Internet Options.
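The setting the worm flips is not shown in the Security tab, so a defender checking a machine has to look at the registry rather than the dialog. The following is an added example, not code from the wiki page or from the worm: it reads a .reg export of the Internet Explorer zone settings and reports any zone in which the "script ActiveX controls not marked as safe" action is no longer set to disable. It assumes (the page does not state this) that the per-user zone settings live under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, that zone 0 is the hidden "My Computer" zone, and that the action is the REG_DWORD value named 1201 with 0 = enable, 1 = prompt, 3 = disable. The sample export is constructed.

```python
"""Check an exported Internet Explorer zone configuration for the setting
Postcard enables: URL action 1201, "Initialize and script ActiveX controls
not marked as safe for scripting".  Added example; not code from the wiki
page or from the worm.

Assumptions (not stated on the page): per-user zone settings live under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>,
zone 0 is the hidden "My Computer" zone, and action 1201 is a REG_DWORD
where 0 = enable, 1 = prompt, 3 = disable.  Input is a .reg export, so the
check runs offline on a copy of the hive rather than on the live registry.
"""
import re

ZONES_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ACTION_SCRIPT_UNSAFE_ACTIVEX = "1201"
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ACTION_VALUES = {0: "enable", 1: "prompt", 3: "disable"}

# Constructed sample export: zone 0 has been set to "enable" (0), as the
# worm leaves it; zone 3 keeps the safe value "disable" (3).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"DisplayName"="My Computer"
"Flags"=dword:00000021
"1201"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"Flags"=dword:00000001
"1201"=dword:00000003
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_zone_actions(reg_text):
    """Return {zone_number: {value_name: int}} for every Zones\\<n> key in the export."""
    zones = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            idx = key.lower().find(ZONES_KEY.lower())
            current = None
            if idx != -1:
                tail = key[idx + len(ZONES_KEY):].strip("\\")
                if tail.isdigit():          # only the numbered zone subkeys
                    current = int(tail)
                    zones.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            zones[current][m.group("name")] = int(m.group("hex"), 16)
    return zones


def find_unsafe_activex_zones(reg_text):
    """Zones whose action 1201 is anything other than 'disable' (3)."""
    findings = []
    for zone, actions in sorted(parse_zone_actions(reg_text).items()):
        value = actions.get(ACTION_SCRIPT_UNSAFE_ACTIVEX)
        if value is None or value == 3:
            continue
        findings.append((zone, ZONE_NAMES.get(zone, "unknown"),
                         ACTION_VALUES.get(value, str(value))))
    return findings


if __name__ == "__main__":
    for zone, name, state in find_unsafe_activex_zones(SAMPLE_REG_EXPORT):
        print(f"zone {zone} ({name}): action 1201 is '{state}', expected 'disable'")
```

On a real host the export would come from `reg export` of the Zones key; the script deliberately reads the text rather than the live registry so it can be run from another machine during triage.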

[Image: Postcard icon]

If Postcard was executed from an infected HTML file and Internet Explorer's security is configured correctly, the browser warns that certain code on the page may be insecure and recommends not executing it. If the user follows that recommendation, the virus displays the message "To see a postcard you must apply the ActiveX format". It then returns control to Internet Explorer, which displays the warning again. This loop continues until the user allows the code to run. The only clean way out of the loop is to press CTRL+ALT+DEL, select the offending page (listed under Internet Explorer) and click "End task".

Postcard creates the following files:

  • C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
  • C:\WINDOWS\SYSTEM\dragonball.GT(dan kokoro hikareteku).{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
  • C:\WINDOWS\TEMP\millennium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} (used as the Internet Explorer start page)
  • C:\WINDOWS\TEMP\[1 random number].[about 7 random numbers]post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} (used as the email attachment)
[Image: The Postcard webpage]

The extension {3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} is the class identifier (CLSID) for MHTML files (MIME Encapsulation of Aggregate HTML Documents). Windows hides a CLSID extension, so the files are displayed as if they had no extension at all. This was considered a major vulnerability in Internet Explorer.
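Because the shell hides a trailing ".{CLSID}" extension, a name such as "post-card.tif.{3050F3D9-...}" reads as a harmless .tif even though it is handled as an MHTML document. The following is an added example, not code from the wiki page or from the worm, showing how a triage script can recover the hidden extension from a list of paths; it generalises beyond the page by flagging any CLSID extension, not only the MHTML one quoted above. The sample paths are constructed to resemble the names the page lists and are not real indicators.

```python
"""Flag file names that use the CLSID-extension trick Postcard relies on:
a trailing ".{GUID}" that the shell hides, so the file looks extensionless
(or like its preceding extension) while Windows treats it as the object the
GUID names.  Added example; not code from the wiki page or from the worm.

MHTML_CLSID is the identifier quoted on the page.  SAMPLE_PATHS are
constructed for the demonstration and are not real indicators.
"""
import re

MHTML_CLSID = "{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"

# Any name ending in ".{8-4-4-4-12 hex}" carries a CLSID extension.
_CLSID_EXT_RE = re.compile(
    r"\.(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$"
)

SAMPLE_PATHS = [  # constructed
    r"C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
    r"C:\WINDOWS\TEMP\millennium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
    r"C:\WINDOWS\TEMP\3.1234567post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
    r"D:\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}",
    r"C:\WINDOWS\readme.txt",
    r"C:\WINDOWS\notes.{00000000-0000-0000-0000-000000000000}",  # unrelated GUID
]


def _basename(path):
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def clsid_extension(path):
    """Return the CLSID extension of a path (upper-cased), or None if it has none."""
    m = _CLSID_EXT_RE.search(_basename(path))
    return m.group("clsid").upper() if m else None


def displayed_name(path):
    """The name the shell shows: the CLSID part is stripped, so
    '...post-card.tif.{...}' is presented as a .tif file."""
    return _CLSID_EXT_RE.sub("", _basename(path))


def triage(paths):
    """Map each path carrying a CLSID extension to 'mhtml' (the CLSID the
    worm uses) or 'clsid' (any other hidden CLSID); clean paths are omitted."""
    results = {}
    for p in paths:
        clsid = clsid_extension(p)
        if clsid is None:
            continue
        results[p] = "mhtml" if clsid == MHTML_CLSID else "clsid"
    return results


if __name__ == "__main__":
    for path, kind in triage(SAMPLE_PATHS).items():
        print(f"{kind:5}  shown as '{displayed_name(path)}'  <- {path}")
```

The same regex can be applied to a directory listing or a file-system timeline export; the point is that the visible name is not the name the shell acts on, so filters that key on the displayed extension miss these files.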

It then drops the file [db.GT].wsf into the Windows folder and executes it. This file is attached to the email the worm sends itself in, which goes to everyone in the Microsoft Outlook address book.

Postcard then changes the value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner to Lord YuP - [C]apsule [C]orp and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization to DragonBall GT. It then searches the \Windows, \Windows\System, and \Temp folders for files with extensions .html, .htm, .shtml, and .asp, and infects them.

It then spreads over shared network drives by copying itself to the Temp folder as [drive letter]:\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}.

Payload

The script then drops the VBScript payl0ad.vbe in the Windows folder. If it is Monday at 4:32, 4:37 or 4:38 (AM or PM), or Tuesday between 2:40 and 2:45 PM or between 4:40 and 4:45 AM, payl0ad.vbe is executed. It opens WordPad and automatically enters the following text:

DB FaMiLy sTrIkEz oNe MoRe Time wiTh:
DB.GT  today we infected you but tommorow we will infect rest of the ANIME WORLD.
YuP [C]apsule[C]orp

Some infected files will display a "Happy New Millenium" message with a fireworks clip-art image. The image is from "Microsoft Clip Gallery 5.0" and may not appear if the user doesn't have this gallery in the proper location. It will also disable the keyboard and mouse.

Origin

Postcard was written in Visual Basic by Lord Yup in Poland. It does not appear to have been featured in any zine, though Lord Yup had been working with 29A around this time.

Sources

Serghei Sevcenco. Symantec Security Response, VBS.Postcard@mm. 15-APR-2002

VSantivirus. Virus: VBS.Postcard@mm. Gusano, caballo de Troya, polimórfico [Worm, Trojan horse, polymorphic]. 13-MAR-2001

CVE. CVE-2001-0643. 01-SEP-2004

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License