Most of the viruses that infect a user's machine were put there by that user, unbeknownst to them. This particular one took advantage of their curiosity by making them think someone had sent them a greeting card, and when they followed the links to read this supposed card, it turned their PC into a zombie. By zombie, I don't mean the computer started stumbling across their desk like Lindsay Lohan in a bar parking lot, but rather it began using the machine to send out spam mail.
Spammers have used variations of these types of programs in the past, and what they do is turn your computer into a host that sends out spam messages for them. On the two machines I found infected, it was sending messages out at a rate of several per second, and the computers were barely able to do anything else.
We first realized there was a problem when the computer's screen began to literally fill up with outgoing message scan notification windows. Symantec Antivirus is set to scan every message sent by the PC, and this virus was sending so many at once that the scanner couldn't keep up.
This type of virus has been around for quite some time, and since its inception it has taken on many different forms. The one that I found was, at the time, undetectable by every virus and spyware scanner I ran on the machine.
It's quite disheartening when you run full scans using Symantec Antivirus, Trend Micro's online scan, Spybot, and Ad-Aware, and they all tell you that the system is clean while the screen is still flooded with outgoing spam messages. All I could do was unplug the network cable and wait until somebody figured out how to fix the problem.
I did some research into forms of this Ecard.exe virus, and none of the solutions worked. In fact, the only trace I found of the virus was a mention of Ecard.exe in the \Windows\Prefetch directory. There was nothing about it anywhere in the system registry. I even searched through all the folders on the hard drive looking for any changes that recently occurred, but this virus left virtually no trace of itself. I knew that it had somehow disguised itself as a system file, making it nearly impossible to find manually.
With the help of a free program from Microsoft called TCPView, I was able to determine that the virus had attached itself to Services.exe, which is a Windows system file. With TCPView running, I would log the PC onto the Internet and then wait a couple of minutes before Services.exe would suddenly take over all the CPU cycles. A few seconds later, Symantec's outgoing message scanning pop-ups would go crazy. They would not stop until I unplugged the network cable.
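The TCPView observation above, turned into a repeatable check, as an added example that is not from the original post: it parses constructed TCPView-style connection lines and flags any process that is talking to many distinct mail servers on port 25 at once, which is how a spam bot differs from a mail client that talks to one server. The process names, PIDs, addresses and the threshold are all assumptions.

```python
"""Flag processes behaving like a spam bot: many outbound SMTP (port 25)
connections to distinct hosts, the pattern TCPView exposed on the infected PCs.
SAMPLE_LINES are constructed to resemble TCPView's columns, not captured data."""
from collections import defaultdict

# Constructed sample, TCPView-style columns: process, PID, protocol, local, remote, state
SAMPLE_LINES = """\
services.exe 788 TCP 192.168.1.20:1104 203.0.113.10:25 SYN_SENT
services.exe 788 TCP 192.168.1.20:1105 203.0.113.11:25 ESTABLISHED
services.exe 788 TCP 192.168.1.20:1106 198.51.100.7:25 SYN_SENT
services.exe 788 TCP 192.168.1.20:1107 198.51.100.8:25 ESTABLISHED
services.exe 788 TCP 192.168.1.20:1108 203.0.113.12:25 SYN_SENT
services.exe 788 TCP 192.168.1.20:1109 203.0.113.13:25 SYN_SENT
outlook.exe 2212 TCP 192.168.1.20:1110 192.168.1.5:25 ESTABLISHED
svchost.exe 1032 UDP 192.168.1.20:137 *:*
firefox.exe 3100 TCP 192.168.1.20:1111 93.184.216.34:80 ESTABLISHED
"""

def parse_connections(text):
    """Parse whitespace-separated TCPView-style lines into dicts; skip short lines."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proc, pid, proto, _local, remote = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        host, _, port = remote.rpartition(":")
        conns.append({"process": proc, "pid": int(pid), "proto": proto,
                      "remote_host": host, "remote_port": port, "state": state})
    return conns

def smtp_fanout(conns):
    """Map (process, pid) -> distinct remote hosts contacted on TCP/25."""
    fanout = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["remote_port"] == "25":
            fanout[(c["process"], c["pid"])].add(c["remote_host"])
    return fanout

def flag_spam_bots(text, threshold=5):
    """Return [(process, pid, distinct SMTP hosts)] at or above threshold, busiest first.
    A real mail client talks to one server; a bot fans out to many."""
    fanout = smtp_fanout(parse_connections(text))
    flagged = [(proc, pid, len(hosts)) for (proc, pid), hosts in fanout.items()
               if len(hosts) >= threshold]
    return sorted(flagged, key=lambda t: -t[2])
```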
The only way I was able to fix the problem on one machine was to run a System Restore to two weeks prior, and then the messages went away. However, the other PC had had nothing new installed on it in months, so it wouldn't let me perform a system restore. I found it very interesting that this virus was able to install itself so deeply into the system that the computer itself didn't register a change. System Restore is supposed to pick up anything like that so you can restore from a point before the most recent change.
A week later, Symantec Antivirus finally detected the virus as Trojan.Peacomm.B, which according to their site was first discovered months ago. I honestly don't know if that was the actual virus, or if it was behaving so similarly that my Antivirus software just made the association. From what I've read about Trojan.Peacomm.B compared with what I experienced on these two machines, the results were close but not exactly the same.
Whoever made this new virus is as devious as they are intelligent, and it's a shame that they are using their programming skills to take over people's computers for the purposes of sending spam. The big problem here is that the people who are writing these viruses have the same virus scanning software as everyone else, so they write viruses to circumvent the current scanners. That's why most antivirus software needs to be updated daily. This particular strain of virus I encountered had not yet been diagnosed by any of the major players in the antivirus/spyware detection field, and that's a bit scary. In my 8+ years of working on computers, I've never before encountered a previously unidentified computer virus.
What made this occurrence special is that this was a case where even having the most current antivirus software wasn't enough to prevent infection, and it goes to show that virus prevention begins with the user. These two machines were infected by the Ecard.exe virus because the people using them couldn't resist knowing which one of their 'friends' or 'family' had sent them a greeting card. Even after clicking on the link within the email and again clicking the link on the website they were redirected to, they just couldn't pass it up.
The next time you get an email telling you that someone has sent you a greeting card of some kind, you should follow these rules:
1. If there is no specific name telling you who it is from, then delete it.
2. If it points you to a website that is just a bunch of numbers (like http://xxx.xxx.xxx.xxx) instead of an actual website name (like http://www....com), then delete it.
3. If you have even the slightest doubt about who sent it, then delete it.
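The first two rules can be checked mechanically. Here is an added example (mine, not the author's) that parses a greeting-card e-mail and applies rule 1 (no specific sender name in the From header) and rule 2 (a link whose host is a bare IP address instead of a domain name); rule 3 is a judgement call and is left to the reader. The sample message and the list of generic sender names are assumptions.

```python
"""Apply the post's two mechanical rules to a greeting-card e-mail: rule 1, no
specific sender name; rule 2, a link whose host is a bare IP address. ECARD is a
constructed message; GENERIC_SENDERS is an assumed list, not from the post."""
import email
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_SENDERS = {"", "a friend", "a family member", "someone", "a colleague"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed lure, single-part text/plain (multipart bodies are not handled here)
ECARD = """\
From: "A friend" <cards@example.com>
To: you@example.com
Subject: You've received a greeting card!

Hi! Someone who cares about you has sent you a greeting card.
View it at http://203.0.113.5/?card=4a3f or later at http://www.example.com/cards
"""

def sender_is_anonymous(msg):
    """Rule 1: From display name missing or generic, so no specific person is named."""
    name, _addr = parseaddr(msg.get("From", ""))
    return name.strip().lower() in GENERIC_SENDERS

def ip_literal_links(body):
    """Rule 2: links whose host is a bare IP (IPv4 or IPv6) instead of a domain name."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            hits.append(url)
        except ValueError:
            pass  # a real host name, not an IP literal
    return hits

def triage(raw):
    """Return ('delete' | 'keep', reasons) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    reasons = []
    if sender_is_anonymous(msg):
        reasons.append("no specific sender name")
    for url in ip_literal_links(msg.get_payload()):
        reasons.append("link to bare IP address: " + url)
    return ("delete" if reasons else "keep", reasons)
```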
The risk of allowing this virus to be installed on your machine isn't worth the possibility of missing out on some cutesy animated greeting card.
Since encountering this virus, I've had countless spam emails telling me about greeting cards and trying to get me to click on the links within the message. Every single one of these is trying to get me to install this virus on my computer. I know better, and after reading this I hope you do, too.
Published by William Fulks
1 Comment

It's sad that you aren't even safe on your own computer anymore... it really makes me mad... thanks for this article. I was nailed a couple times by it!