Postcard | |
---|---|
Type | Mass-mailer worm |
Creator | Lord Yup |
Date Discovered | 08-MAR-2001 |
Place of Origin | Poland |
Source Language | Visual Basic, HTML |
Platform | MS Windows |
File Type(s) | .vbs |
Infection Length | 12,907 bytes |
Postcard is a polymorphic mass-mailer worm by Lord Yup. It is written in Visual Basic Script and arrives either as a standalone script or as an HTML page. Though not intentionally destructive, it further lowers already lax Internet Explorer security settings, opening the system up to further attacks; in doing so it exposed a vulnerability in Internet Explorer.
Behavior
Message
Postcard may arrive on a system in an email with one of the following subject lines:
- Happy new Millenium (read the postcard (attached file))
- Postcard for you is waiting (in attachment)
- Happy 2001 (for more action check attached file)
- Stroke of luck? in 2001? (happy 2001 -read attachment)
- Goodies
- You have got a postcard (attached file)
- Someone sent you a postcard (in attachment)
The message body is in HTML format, and includes the following text:
HaPPy NeW Millenium
Happy new year
Best wishes from:
your dear ...
Infection
When executed, it enables the Internet Explorer security setting "Initialize and script ActiveX controls not marked as safe". With that setting enabled, scripts contained in HTML pages stored on the local computer run without any permission prompt, just as separately stored scripts do. The option is not visible in the Security tab of Internet Options.
[Image: Postcard icon]
If Postcard was executed from an infected HTML file and Internet Explorer's security is configured correctly, the browser warns that certain code on the page may be insecure and recommends not executing it. If the user follows that recommendation, the virus displays the message "To see a postcard you must apply the ActiveX format". It then returns control to Internet Explorer, which displays the warning again. This endless loop continues until the user allows the code to run. The only clean way out of the loop is to press CTRL+ALT+DEL, select the offending page (listed under Internet Explorer) and click "End task".
Postcard creates the following files:
- C:\WINDOWS\2001.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
- C:\WINDOWS\SYSTEM\dragonball.GT(dan kokoro hikareteku).{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}
- C:\WINDOWS\TEMP\millennium.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} (used as the Internet Explorer start page)
- C:\WINDOWS\TEMP\[1 random number].[about 7 random numbers]post-card.tif.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} (used as the email attachment)
[Image: The Postcard webpage]
The extension {3050F3D9-98B5-11CF-BB82-00AA00BDCE0B} is the class identifier (CLSID) for MHTML files (MIME Encapsulation of Aggregate HTML Documents). Because Windows treats a CLSID suffix as a shell class rather than as a file extension, the files are displayed without any extension. This was considered a major vulnerability in Internet Explorer.
It then drops the file [db.GT].wsf into the Windows folder, executes it, and attaches it to the email it sends to everyone in the Microsoft Outlook address book.
Postcard then changes the value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner to Lord YuP - [C]apsule [C]orp and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization to DragonBall GT. It then searches the \Windows, \Windows\System, and \Temp folders for files with the extensions .html, .htm, .shtml, and .asp, and infects them.
It then spreads over shared network drives by copying itself to the Temp folder as [driveletter]:\docs.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}.
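A defender's triage check for the artefacts described in this section, added here as an example and not code from the original article or the worm: it parses a constructed .reg export for the RegisteredOwner/RegisteredOrganization strings and for the per-zone DWORD 1201 (assumed here to be where Internet Explorer stores the "Initialize and script ActiveX controls not marked as safe" setting; the page does not name the registry location), and flags file names that carry the MHTML CLSID pseudo-extension or match the dropped scripts.

```python
import re
# Indicators come from the description above; the sample inputs at the bottom are constructed.
MHTML_CLSID = "{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"
DROPPED_NAMES = {"[db.gt].wsf", "payl0ad.vbe"}
OWNER_MARKER = "Lord YuP - [C]apsule [C]orp"
ORG_MARKER = "DragonBall GT"
# Assumption: Internet Explorer keeps "Initialize and script ActiveX controls not marked
# as safe" per security zone as DWORD value 1201: 0 = enable, 1 = prompt, 3 = disable.
ZONE_KEY_RE = re.compile(r"\\Internet Settings\\Zones\\(\d+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_export(text):
    """Minimal .reg export parser: {(key, value_name): value}; DWORDs become ints."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            values[(key, name)] = int(dword, 16) if dword is not None else string
    return values

def registry_findings(reg_text):
    """Flag the registry state Postcard leaves behind."""
    findings = []
    for (key, name), value in parse_reg_export(reg_text).items():
        if name == "RegisteredOwner" and value == OWNER_MARKER:
            findings.append("RegisteredOwner set to worm marker")
        elif name == "RegisteredOrganization" and value == ORG_MARKER:
            findings.append("RegisteredOrganization set to worm marker")
        elif name == "1201" and value == 0 and (z := ZONE_KEY_RE.search(key)):
            findings.append(f"zone {z.group(1)}: unsafe ActiveX scripting enabled")
    return findings

def suspicious_filenames(paths):
    """Flag files whose 'extension' is the MHTML CLSID, plus the dropped scripts."""
    bases = {p: p.rsplit("\\", 1)[-1] for p in paths}
    return [p for p, b in bases.items()
            if b.upper().endswith(MHTML_CLSID) or b.lower() in DROPPED_NAMES]

SAMPLE_REG = """[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion]
"RegisteredOwner"="Lord YuP - [C]apsule [C]orp"
"RegisteredOrganization"="DragonBall GT"
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1201"=dword:00000000
"""
SAMPLE_PATHS = ["C:\\WINDOWS\\2001." + MHTML_CLSID, "C:\\WINDOWS\\[db.GT].wsf",
                "C:\\WINDOWS\\TEMP\\readme.txt"]
```

On a live system the same checks would run over `reg export` output and a recursive directory listing; a zone value of 1 or 3 for 1201 is the expected, safe state.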
Payload
The script then drops the VBScript payl0ad.vbe in the Windows folder and executes it. If the day of the week is Monday and the time is 4:32, 4:37, or 4:38 (AM or PM), or Tuesday between 2:40 and 2:45 PM or between 4:40 and 4:45 AM, payl0ad.vbe runs its payload: it opens WordPad and automatically types the following text:
DB FaMiLy sTrIkEz oNe MoRe Time wiTh:
DB.GT today we infected you but tommorow we will infect rest of the ANIME WORLD.
YuP [C]apsule[C]orp
Some infected files display a "Happy New Millenium" message with a fireworks clip-art image. The image comes from "Microsoft Clip Gallery 5.0" and may not appear if the user does not have that gallery in the expected location. It also disables the keyboard and mouse.
Origin
Postcard was written in Visual Basic by Lord Yup in Poland. It does not appear to have been featured in any zine, though Lord Yup had been working with 29A around this time.
Sources
Serghei Sevcenco. Symantec Security Response, VBS.Postcard@mm. 15-APR-2002
VSantivirus. Virus: VBS.Postcard@mm. Gusano, caballo de Troya, polimórfico [Worm, Trojan horse, polymorphic]. 13-MAR-2001
CVE. CVE-2001-0643. 01-SEP-2004