Cytron

Type: Trojan
SubType: Spyware
Discovery Date: 09/30/2002
Length: 122,880 bytes
Minimum DAT: 4228 (10/09/2002)
Updated DAT: 4778 (06/06/2006)
Minimum Engine: 5.1.00
Description Added: 09/30/2002
Description Modified: 10/28/2002 5:28 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

---Update October 28, 2002 ---

The reported contents of one of the spam e-mails that were sent out are:
From: egreetings@yahoo.com
Subject: You have recieved and E Greetings Card [random text]
Body Text: You Have Received an E-Card!!
[The body also has a clickable image which leads to the trojan web page.]

There is no known self-propagation of this trojan. The e-mail seems to have been sent out just like ordinary spam.

---Update October 26, 2002 ---

To clear up some confusion, note that Cytron and Friend Greeting are totally separate things. There is no EULA presented to the user during the install of Cytron.

---Update October 24, 2002 ---

The risk assessment of this threat was updated to Low-Profiled due to media attention.

A recent (09/30/02) ploy to get users to run this trojan involved sending out fake messages saying that they had received an E-Card, and that they had to go to a specific site to pick it up. When they went to that site, a message said that they had to run an ActiveX control to view the card. If they accepted the ActiveX control, the trojan would be installed on their system. The file is a CAB file containing a POTD.DLL. It installs as a browser helper object, and displays pop-ups while viewing web sites.
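As an added defender-side check, not part of the McAfee description: because the trojan persists as a Browser Helper Object, reviewing the registered BHOs and the DLL each one resolves to will surface it. The script below parses a regedit export of the relevant keys and flags any BHO whose DLL is the POTD.DLL named above; the registry key locations are the standard Windows ones, while the CLSIDs and file paths in the embedded sample are constructed for the demonstration.

```python
from typing import Dict, List

# Real locations: a BHO is listed by CLSID under BHO_KEY; the CLSID's InprocServer32 default value names its DLL.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
FLAGGED_DLLS = {"potd.dll"}  # the DLL the advisory names; extend with other known-bad BHO file names

# Constructed regedit 5.00 export: the CLSIDs and DLL paths below are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\System32\\potd.dll"
"""

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key_path: {value_name: data}}; only string values are kept."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def find_bhos(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Resolve each registered BHO CLSID to its DLL and flag file names the advisory ties to Cytron."""
    found = []
    for path in keys:
        if not path.lower().startswith(BHO_KEY.lower() + "\\"):
            continue
        clsid = path.rsplit("\\", 1)[1]
        dll = keys.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {}).get("@", "")
        file_name = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        found.append({"clsid": clsid, "dll": dll, "suspicious": file_name in FLAGGED_DLLS})
    return found
```

On a live system the same two keys can be exported with `reg export` and fed to `parse_reg`; any entry flagged suspicious should be confirmed with the engine/DAT scan the Removal section recommends rather than deleted by hand.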

Symptoms

Pop-ups on sites that normally have none. Presence of the files mentioned above (the CAB file and POTD.DLL).

Method of Infection

Accepting the ActiveX control will trojanize the system.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
