W32/Zhelatin.gen!eml

Type: Virus
SubType: Generic
Discovery Date: 07/04/2007
Length: varies
Minimum DAT: 5067 (07/04/2007)
Updated DAT: 5172 (11/27/2007)
Minimum Engine: 5.1.00
Description Added: 07/04/2007
Description Modified: 08/22/2007 11:18 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Update August 22, 2007

This threat is updated on a daily basis. For the latest on the tactics used by this virus family, please check the Avert Blog.

This is a detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download. This is the first part in a three-stage infection of W32/Nuwar@MM. The JavaScript used in the second stage of infection is detected as JS/Downloader-BCZ.

A user receives an email titled “You’re received a postcard” in his inbox and is requested to open the link contained in the message body in order to view the virtual postcard. On visiting the link, a cocktail of browser and application exploits is run that attempts a drive-by install of malware on the user's machine.

A copy of the spammed message is as follows:

Note: The link in the message has been sanitized to protect users from guessing.

Symptoms

Presence of the W32/Zhelatin.gen!eml detection is not an indication that a system has become actively infected. The From address is spoofed when sending infectious email messages and therefore it cannot be assumed that the From address is any indication of which user may actually be infected.

The following list of subject lines has been observed in the wild:

You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partner!
You’ve received a greeting card from a school friend!
You’ve received a greeting card from a school mate!
You’ve received a greeting card from a school-mate!
You’ve received a greeting card from a worshipper!
You’ve received a greeting ecard from a admirer!
You’ve received a greeting ecard from a class mate!
You’ve received a greeting ecard from a class-mate!
You’ve received a greeting ecard from a colleague!
You’ve received a greeting ecard from a family member!
You’ve received a greeting ecard from a friend!
You’ve received a greeting ecard from a mate!
You’ve received a greeting ecard from a neighbor!
You’ve received a greeting ecard from a neighbour!
You’ve received a greeting ecard from a partner!
You’ve received a greeting ecard from a school friend!
You’ve received a greeting ecard from a school mate!
You’ve received a greeting ecard from a school-mate!
You’ve received a greeting ecard from a worshipper!
You’ve received a greeting postcard from a admirer!
You’ve received a greeting postcard from a class mate!
You’ve received a greeting postcard from a class-mate!
You’ve received a greeting postcard from a colleague!
You’ve received a greeting postcard from a family member!
You’ve received a greeting postcard from a friend!
You’ve received a greeting postcard from a mate!
You’ve received a greeting postcard from a neighbor!
You’ve received a greeting postcard from a neighbour!
You’ve received a greeting postcard from a partner!
You’ve received a greeting postcard from a school friend!
You’ve received a greeting postcard from a school mate!
You’ve received a greeting postcard from a school-mate!
You’ve received a greeting postcard from a worshipper!
You’ve received a postcard from a admirer!
You’ve received a postcard from a class mate!
You’ve received a postcard from a class-mate!
You’ve received a postcard from a colleague!
You’ve received a postcard from a family member!
You’ve received a postcard from a friend!
You’ve received a postcard from a mate!
You’ve received a postcard from a neighbor!
You’ve received a postcard from a neighbour!
You’ve received a postcard from a partner!
You’ve received a postcard from a school friend!
You’ve received a postcard from a school mate!
You’ve received a postcard from a school-mate!
You’ve received a postcard from a worshipper!
You’ve received an ecard from a admirer!
You’ve received an ecard from a class mate!
You’ve received an ecard from a class-mate!
You’ve received an ecard from a colleague!
You’ve received an ecard from a family member!
You’ve received an ecard from a friend!
You’ve received an ecard from a mate!
You’ve received an ecard from a neighbor!
You’ve received an ecard from a neighbour!
You’ve received an ecard from a partner!
You’ve received an ecard from a school friend!
You’ve received an ecard from a school mate!
You’ve received an ecard from a school-mate!
You’ve received an ecard from a worshipper!

Customers should simply delete all email messages identified as W32/Zhelatin.gen!eml.
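The observed subject lines above follow one fixed template, so a mail gateway or mailbox triage script can match the whole family with a single pattern instead of 70 literal strings. The following is an added example (not part of the original description and not McAfee's own detection logic); it assumes messages are available as raw RFC 822 text, uses the constructed sample messages embedded below, and accepts both the straight and the curly apostrophe in "You've" as well as RFC 2047 encoded subjects.

```python
import re
import email
from email import policy

# Template behind the subject lines listed in the Symptoms section:
# "You've received <card type> from a <sender type>!"
CARD = r"(?:a greeting card|a greeting ecard|a greeting postcard|a postcard|an ecard)"
SENDER = (
    r"(?:admirer|class[ -]?mate|colleague|family member|friend|mate|"
    r"neighbou?r|partner|school[ -]?(?:friend|mate)|worshipper)"
)
# The spam uses "a admirer" / "an ecard", so accept either article.
ZHELATIN_SUBJECT = re.compile(
    rf"^\s*You['\u2019]ve received {CARD} from an? {SENDER}!\s*$",
    re.IGNORECASE,
)


def is_zhelatin_subject(subject: str) -> bool:
    """True if the decoded Subject text matches the e-card lure template."""
    return bool(ZHELATIN_SUBJECT.match(subject))


def triage_mailbox(raw_messages):
    """Return (From, Subject) for every message whose subject matches the lure.

    policy.default decodes RFC 2047 encoded-words, so the regex sees plain
    text even when the subject was sent as =?utf-8?q?...?=.
    """
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        subject = str(msg["Subject"] or "")
        if is_zhelatin_subject(subject):
            hits.append((str(msg["From"] or ""), subject))
    return hits


# Constructed sample messages (hypothetical addresses, sanitized link).
SAMPLE_MESSAGES = [
    "From: alice@example.net\nSubject: You've received a postcard from a school-mate!\n\n"
    "hxxp://[sanitized]/\n",
    "From: bob@example.org\n"
    "Subject: =?utf-8?q?You=E2=80=99ve_received_an_ecard_from_a_admirer!?=\n\n"
    "hxxp://[sanitized]/\n",
    "From: carol@example.com\nSubject: Meeting notes\n\nAgenda attached.\n",
]

if __name__ == "__main__":
    for sender, subject in triage_mailbox(SAMPLE_MESSAGES):
        print(f"lure detected: {sender!r} -> {subject!r}")
```

Because the From address is spoofed, the script reports it only for reference; the subject match, not the sender, is the signal to delete the message.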

Method of Infection

The URL in the message points to a site hosting a cocktail of browser and application exploits. On visiting the site, a silent drive-by install of malware is attempted on unpatched machines.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

N/A
