The worm that’s not a worm

I got mail at work today. The subject:
David you have an e-card from Alex.

Well, about the only person I know who calls me David is my mom. And I don’t know anybody named Alex. And why would a guy be sending me an e-card? Not wanting to explore that possibility any further, I disregarded it.

Then I remembered reading about something like that somewhere, so I went back and looked at it.

Short story: A really sleazy e-card company is sending out e-mail containing nothing but a URL at friendgreetings.com, which sends down ActiveX controls and installs some spyware that, among other things, sends bogus cards to everyone in your Outlook address book. That’s where I got that e-card message from. I was in this guy’s address book, for whatever reason. (Turns out he’s the webmaster at work. Funny how the webmaster and the hostmaster can go for long periods of time and never meet, eh?)

Officially, this isn’t a virus or a worm because it’s a company doing this crap, rather than a bored loser who lives in his parents’ basement, and you have to click on an EULA (which most people do blindly anyway) for it to activate. I fail to see the difference, but I guess I’m weird that way.

I originally wrote that the anti-virus makers didn’t consider this a worm, but Symantec seems to have relented. You can get a removal tool at Symantec’s site.

If you want to protect yourself pre-emptively, locate your hosts file (in C:\winnt\system32\drivers\etc on NT/2000/XP; I’m wanting to say it’s in C:\Windows\System on Win9x; on most Unix systems it’s in /etc, not that it matters since this not-a-worm runs on Windows) and add the following entry:

127.0.0.1 www.friendgreetings.com
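
An added example, not part of the original post: Python that checks a hosts file for the entry above and appends it only when missing, and reports any earlier line that would override it. Covering the bare friendgreetings.com name as well is an assumption (the post lists only the www name); the function names and the sample file are constructed for illustration.

```python
# Hostname from the post; the bare domain is an added assumption,
# since the post's entry only covers the www name.
BLOCKED = ["www.friendgreetings.com", "friendgreetings.com"]
SINKHOLE = {"127.0.0.1", "0.0.0.0"}

# Constructed sample hosts file: one name is already blocked, in mixed case.
SAMPLE = (
    "# constructed sample hosts file\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1 ad.example.net WWW.FriendGreetings.com  # already blocked\n"
)


def parse_hosts(text):
    """Map each lower-cased hostname to the address on its first entry."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue                            # blank or malformed line
        addr, names = fields[0], fields[1:]     # one line may carry several names
        for name in names:
            # Treated here as first match wins, so a later line cannot fix an earlier one.
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def harden_hosts(text, blocked=BLOCKED):
    """Return (new_text, added, conflicts) without touching any file.

    added     -- names that were missing and have been appended
    conflicts -- (name, addr) pairs already mapped to a non-loopback address
    """
    current = parse_hosts(text)
    added, conflicts = [], []
    for name in blocked:
        addr = current.get(name.lower())
        if addr is None:
            added.append(name)
        elif addr not in SINKHOLE:
            conflicts.append((name, addr))
    if added:
        if text and not text.endswith("\n"):
            text += "\n"                        # do not glue onto the last line
        text += "".join(f"127.0.0.1 {n}\n" for n in added)
    return text, added, conflicts


if __name__ == "__main__":
    new_text, added, conflicts = harden_hosts(SAMPLE)
    print(new_text, "added:", added, "conflicts:", conflicts)
```

Running it twice over the same text adds nothing the second time, so it is safe to repeat; a non-empty conflicts list means an existing line has to be edited by hand.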

More cleanly, you can ask your network admins really nicely if they can block friendgreetings.com at the firewall or DNS level.

If you have inadvertently unleashed this monster, first, close Outlook immediately. Normally, I’d advise getting right with everyone else before cleaning things up, but since there’s the risk of making things worse if you do it that way, clean house, then start apologizing.

Next, download the removal tool.

If you want to be really safe, go into the control panel and remove anything that appears to have anything to do with friendgreetings.com. Next, I’d go to www.cognitronix.com and download Active Xcavator and remove anything having to do with friendgreetings.com. Next, I’d head over to LavaSoft and download Ad-Aware and let it shoot anything that moves.

Next, apologize profusely to the guy who runs your mail server (ours got clogged up for hours processing all the mail from not-our-friendgreetings.com) and to everyone in your address book. I can’t offer you any advice on the best way to do that. Except I’d use something other than Outlook to do it. Head over to TinyApps.org to find yourself a small freeware mail client. Assuming you’re not on an Exchange server, I’d suggest pulling the network plug before firing up Outlook again to get those e-mail addresses.

Meanwhile, it would do no good whatsoever if everyone who’s gotten one of these annoying e-cards (whether they opened it or not) opened a command prompt and typed ping -t www.friendgreetings.com and left it running indefinitely. No good whatsoever. It’s still a distributed denial of service attack if all of the participants participate voluntarily and independently. Right?

2 thoughts on “The worm that’s not a worm”

  • October 30, 2002 at 8:23 pm

    Editing the hosts file is such an easy way to deny ad-servers and the like that I wonder why it’s not recommended more often. I created a shortcut

    C:\windows\NOTEPAD.EXE C:\windows\hosts

    which makes it even easier to do.
