AdwareDropper-A
- Type: Trojan
- SubType: Adware
- Discovery Date: 02/11/2003
- Length: 824,904 bytes
- Minimum DAT: 4247 (02/12/2003)
- Updated DAT: 4267 (05/28/2003)
- Minimum Engine: 5.1.00
- Description Added: 02/11/2003
- Description Modified: 02/12/2003 1:59 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
This threat is considered to be a Low-Profiled risk due to the VNUNET article: Cupid stunt sends not-so funny Valentine.
This is an adware-dropping trojan. When run, it installs a Macromedia Flash "card" and three adware DLL files. The DLLs are Internet Explorer Browser Helper Objects designed to display advertisements, track the URLs visited on the system, capture typed search strings, and alter the browser's default start page. These DLL files are not considered to be malicious, but are likely used for marketing purposes. As the main installer executable does not contain any end user license agreement (EULA), it is considered malicious. The following message is believed to have been spammed to a number of users.
From: cupid@valentines-ecard.com
Body:
CLICK HERE TO DOWNLOAD YOUR CARD
You have been sent a Valentines card from
Secret admirer. Please click the link below
to view it. You will require flash to view it properly.
The following files are installed:
- %Program Files%\Valintines Day Card\Valintines Day Card\uninstall.exe (37,250 bytes)
- %Program Files%\Valintines Day Card\Valintines Day Card\valsday.exe (892,673 bytes)
- %Start Menu\Programs%\Valintines Day Card\Uninstall.lnk (579 bytes)
- %Start Menu\Programs%\Valintines Day Card\Valintines Day Card.lnk (606 bytes)
- %SysDir%\HmePge.dll (184,320 bytes)
- %SysDir%\HotLink.dll (389,120 bytes)
- %SysDir%\IEBrw.dll (278,528 bytes)
Symptoms
Presence of the aforementioned files.
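The file list above can be checked mechanically. The following is an added example, not part of the original description or of any vendor tool: it parses the indicator lines as written on this page and looks for each file under caller-supplied directories, so it also works against a disk image mounted on a case-sensitive filesystem. The function names and the `bases` mapping (placeholder name to real directory) are assumptions of this example, and a size match is only a weak indicator, not proof of identity.

```python
import re
from pathlib import Path

# File indicators copied verbatim from the list on this page.
INDICATORS = r"""
%Program Files%\Valintines Day Card\Valintines Day Card\uninstall.exe (37,250 bytes)
%Program Files%\Valintines Day Card\Valintines Day Card\valsday.exe (892,673 bytes)
%Start Menu\Programs%\Valintines Day Card\Uninstall.lnk (579 bytes)
%Start Menu\Programs%\Valintines Day Card\Valintines Day Card.lnk (606 bytes)
%SysDir%\HmePge.dll (184,320 bytes)
%SysDir%\HotLink.dll (389,120 bytes)
%SysDir%\IEBrw.dll (278,528 bytes)
"""
LINE_RE = re.compile(r"^%(?P<base>[^%]+)%\\(?P<rel>.+?)\s+\((?P<size>[\d,]+) bytes\)$")

def parse_indicators(text):
    """Split each line into (placeholder, path components, expected size)."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["base"], m["rel"].split("\\"), int(m["size"].replace(",", ""))))
    return out

def resolve_nocase(root, parts):
    """Walk parts under root ignoring case (needed on a Linux-mounted image)."""
    cur = Path(root)
    for part in parts:
        if not cur.is_dir():
            return None
        hits = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not hits:
            return None
        cur = hits[0]
    return cur

def sweep(bases, indicators=None):
    """bases (assumed, caller-supplied) maps placeholder -> real directory."""
    results = {}
    for base, parts, size in indicators or parse_indicators(INDICATORS):
        key = f"%{base}%\\" + "\\".join(parts)
        found = resolve_nocase(bases[base], parts) if base in bases else None
        if found is None or not found.is_file():
            results[key] = "absent"
        elif found.stat().st_size == size:
            results[key] = "present, size matches"
        else:
            results[key] = f"present, size differs ({found.stat().st_size} bytes)"
    return results
```

Call `sweep` with a mapping such as `{"SysDir": r"C:\Windows\System32", "Program Files": r"C:\Program Files"}`; placeholders left out of the mapping are reported as absent.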
Method of Infection
A link to this trojan has been seen in spam email messages.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.