E-Card from Carrefour or McDonald’s in Hallmark and Facebook layout variations


MX Lab, http://www.mxlab.eu, is intercepting e-cards from Carrefour and McDonald’s in different layouts.

The Carrefour email, in the Hallmark layout, is sent from the spoofed address “Carrefour bank <service@bank.com>”, comes with the subject “Hello dear friend!” and has the following body:

The McDonald’s email, in the Facebook layout, is sent from the spoofed address “McDonald’s <Cards@McDonalds.org>”, comes with the subject “You’ve received A McDonald’s Bank E-Card!” and has the following body:

In both emails, the included URL leads to the malicious file hxxp://62.233.83.218/card.exe.

The trojan is known as W32/Sality.gen2 (F-Prot), W32/Sality.gen.z (McAfee), Virus:Win32/Sality.AT (Microsoft).

At the time of writing, 40 of the 44 AV engines at Virus Total detected the trojan, so the chance that the virus gets intercepted and cannot do any harm is quite high.

Virus Total permalink and MD5: bd01d3f4142e8749ff99a6eae5a3bf8b.
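A mail-filter check for the two traits both emails share, a brand name in the display name over an unrelated sender domain and a link to an executable on a bare IP address, written as an added example that is not MX Lab's code. The `BRAND_DOMAINS` allowlist, the function names and the sample messages are assumptions; the samples are constructed and use the documentation address 203.0.113.10.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains that brand really sends from.
BRAND_DOMAINS = {"carrefour": ("carrefour.com",), "mcdonald": ("mcdonalds.com",)}
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_ip_literal(host):
    """True when the URL host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ecard_lure_findings(raw_message):
    """Return a list of reasons the message looks like the e-card lure."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in allowed)
        if brand in display.lower() and not legit:
            findings.append(f"brand '{brand}' in display name, sender domain '{domain}'")
    # Scan every non-multipart part so plain-text and HTML bodies are both covered.
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        parts = urlsplit(url.rstrip(".,);"))  # drop trailing sentence punctuation
        if is_ip_literal(parts.hostname or "") and parts.path.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable served from bare IP: {parts.hostname}{parts.path}")
    return findings

# Constructed samples: headers follow the page, the URL host is a documentation address.
LURE = ("From: Carrefour bank <service@bank.com>\nSubject: Hello dear friend!\n\n"
        "You have received an e-card: http://203.0.113.10/card.exe\n")
BENIGN = ("From: Carrefour <news@carrefour.com>\nSubject: Offers\n\n"
          "See https://www.carrefour.com/offers\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, ecard_lure_findings(raw))
```

The sender check depends on the allowlist being accurate, so the bare-IP executable link is the signal to alert on by itself.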