Dangerous new fake American Greetings spam

However, the cab file that downloads is actually malicious and installs a variant of small.lu (aka ntos or Monster Trojan). This is a very nasty data-stealing trojan. In fact, it’s an even more dangerous variant of Small.lu as it is using a rootkit to hide.


The American Greetings page is convincing, and the Active/X install is signed.





Very poor detection (4 out of 32 scanners) of the cab file itself (VT result here), and poor detection (5 out of 32 scanners) of the actual binary, “update.exe” (VT result here). (We will have detection in CounterSpy for this Trojan in short order.)