Dangerous new fake American Greetings spam

However, the cab file that downloads is actually malicious and installs a variant of Small.lu (aka ntos or Monster Trojan). This is a very nasty data-stealing trojan. In fact, it’s an even more dangerous variant of Small.lu, as it uses a rootkit to hide.


The American Greetings page is convincing, and the ActiveX install is signed.


Detection of the cab file itself is very poor (4 out of 32 scanners; VT result here), and detection of the actual binary, “update.exe”, is poor (5 out of 32 scanners; VT result here). (We will have detection in CounterSpy for this Trojan in short order.)