Postcard Trojan

Question

I keep getting an e-mail that says that someone has sent me a postcard, but when I click on the link, instead of taking me to a website, it asks me to Open or Save a file (postcard.gif.exe). Is this safe?

-Jamie

Answer

This question was answered on March 16, 2006. Much of the information contained herein may have changed since posting.

The popularity of “virtual” greeting cards from companies like BlueMountain.com has encouraged malicious programmers to use e-mail messages that mimic this process in order to scam unsuspecting users.

Any programmer knows that the weakest link in any security system is the user, so exploiting unsuspecting users is considered “low-hanging fruit”.

The practice of using “social engineering” to trick users into trusting a message has proven to be one of the most effective ways of gaining unauthorized access to Internet-based computers. By exploiting people’s trust instead of exploiting security systems, it is easy to bypass or compromise security software.

Since so many users have been warned not to open file attachments, hackers are using different means to get users to open dangerous files. In this case, the message makes it seem that someone who cares about you has sent you a virtual postcard and that you need to click on the word “here” to see the rest of the message.

If you click on the link, it actually tries to open the file ‘postcard.gif.exe’ from a remote server (generally in Romania), but Windows stops the process and asks you what you want to do (Open or Save).

This additional level of security, introduced with the now famous Windows XP Service Packs, kept your system from automatically running this malicious backdoor Trojan, which would have allowed remote access to your computer.

If you did click on Open, you have most likely been infected with a RAT (Remote Access Trojan) that allows a remote user to access your system at will.

Not only can they access your system, they can drop any number of additional programs, including a keylogger to track everything that you type.

If you use your computer to access any kind of online financial institution, I would highly recommend that you get in touch with them (but not from the infected computer!) and have your username and/or password changed as well as watch for any fraudulent activity.

This particular Trojan was discovered in May of 2005 but has recently resurfaced in the form of this postcard e-mail that you have been getting.

One of the quickest tip-offs of a malicious program is when it uses a double extension (postcard.GIF.EXE).

By default, Windows hides the extension of known file types, so the hackers were hoping that you would be tricked into thinking that the file was a graphics file (.GIF) when it in fact was an executable program file.

If you want to make sure that Windows always displays the full file name and all extensions, you can open My Computer, click on the Tools menu, then on Folder Options… and then on the View tab.

Look for the option “Hide extensions for known file types”, remove the checkmark in front of it, and then click on OK.
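To show how the double-extension trick works and why the hidden-extension setting makes it effective, here is an added example (not part of the original answer) that flags names like postcard.gif.exe and approximates what Explorer would display for them. The extension lists and the sample file names are constructed for illustration and are not an official or exhaustive Windows list.

```python
"""Flag attachment or download names that use a deceptive double extension."""

# File types Windows will run directly when "opened" (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# Harmless-looking types an attacker pairs with the real one (constructed list).
DECOY_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "bmp", "txt", "pdf", "doc", "htm", "html"}


def split_extensions(filename: str) -> list[str]:
    """Return the lower-cased extension chain, e.g. 'postcard.GIF.EXE' -> ['gif', 'exe']."""
    parts = [p.strip() for p in filename.strip().split(".")]
    return [p.lower() for p in parts[1:] if p]


def is_deceptive_double_extension(filename: str) -> bool:
    """True when a runnable extension is preceded by a decoy one, e.g. postcard.gif.exe."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DECOY_EXTENSIONS


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate Explorer's display: with the default setting the last known extension
    is hidden, so postcard.gif.exe appears as postcard.gif.
    Assumption: every extension in the two sets above counts as a 'known file type'."""
    exts = split_extensions(filename)
    if hide_known_extensions and exts and exts[-1] in EXECUTABLE_EXTENSIONS | DECOY_EXTENSIONS:
        return filename.strip().rsplit(".", 1)[0]
    return filename.strip()


def flag_suspicious(names: list[str]) -> list[str]:
    """Return the names from a batch (e.g. a mail-gateway attachment log) that should be quarantined."""
    return [n for n in names if is_deceptive_double_extension(n)]


if __name__ == "__main__":
    # Constructed sample of file names as they might appear in an attachment or download log.
    sample = ["postcard.gif.exe", "postcard.GIF.EXE", "holiday.jpg", "invoice.pdf", "setup.exe"]
    for name in sample:
        shown = displayed_name(name)
        print(f"{name:18} shown as {shown:14} deceptive={is_deceptive_double_extension(name)}")
    print("quarantine:", flag_suspicious(sample))
```

Note that with extensions hidden the first two sample names are both shown as "postcard.gif", which is exactly what the user in the question would have seen.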

Author

Posted by Ken of Data Doctors on March 16, 2006