SOUTHFIELD – Warnings went out this week from CA, the former Computer Associates, to watch out for unsolicited Valentine’s Day eCards, because they may actually deliver a payload of malware containing the highly destructive trojan called Win32/Hanlo.I.
CA said it received widespread reports of an e-mail spamming campaign that attempts to lure users to a malicious site by masquerading as a Valentine’s Day e-card. If a user clicks on the link to receive their ‘card’, they are transferred to a site that informs them that they need to download a Flash player. This ‘flashplayer’ (using the filename flashplayer.cab) is actually a package that contains a trojan called Win32/Hanlo.I.
The file flashplayer.cab contains the file install.exe (this file is detected as Win32/MicroJoiner.I by CA Antivirus solutions). When executed, this file creates and runs the main Win32/Hanlo.I trojan executable. Hanlo.I then creates a driver that hides the trojan’s presence on an affected machine.
The trojan executes at subsequent system startups by registering itself as a service named ‘AVSearch service’. However, because the trojan’s device driver component is used to hide the main executable, this service will not be visible to affected users.
In order to continue the ruse and mask its installation, the trojan also opens a web page that appears to be a Valentine’s Day e-card. This is a fake site designed to mimic the real ‘original cards’ site. At the time of writing, the owners of the real site, http://www.original-cards.com/, had issued a warning regarding this trojan to all people redirected from the fake site.
As a payload, the trojan downloads and executes arbitrary files on the affected machine leaving the user vulnerable to further system compromise.
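The advisory names two concrete indicators a defender can look for: a download of the dropper package flashplayer.cab (which carries install.exe) and a service registered as ‘AVSearch service’. The script below is an added example, not CA’s code, that runs both checks over constructed sample data; the proxy log layout (timestamp, client, method, URL, status) and the `sc query`-style service listing are assumptions chosen for the example, not real captures.

```python
"""Detection helpers for the Win32/Hanlo.I indicators described in the advisory.

Added example, not CA's code. It checks two indicators the advisory names:
  1. HTTP proxy log entries where a client fetched a file named flashplayer.cab
     or install.exe (the trojan's dropper package and its contents), and
  2. a Windows service list containing a service named 'AVSearch service'
     (the persistence mechanism the advisory describes).
The log format and the service listing are constructed sample data.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory text; matched case-insensitively.
DROPPER_FILENAMES = {"flashplayer.cab", "install.exe"}
SUSPICIOUS_SERVICE_NAMES = {"avsearch service"}

# Constructed proxy log lines in a hypothetical "timestamp client method url status" layout.
SAMPLE_PROXY_LOG = """\
1171000001.123 10.0.0.21 GET http://www.original-cards.com/ 200
1171000002.456 10.0.0.21 GET http://e-card.example.invalid/valentine/flashplayer.cab 200
1171000003.789 10.0.0.22 GET http://updates.example.invalid/FlashPlayer.cab?id=7 200
1171000004.000 10.0.0.23 GET http://intranet.example.invalid/readme.txt 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def requested_filename(url):
    """Return the lower-cased last path segment of a URL, ignoring any query string."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1].lower()


def find_dropper_downloads(log_text):
    """Return (client, url) pairs for log entries that fetched a known dropper filename."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if requested_filename(m["url"]) in DROPPER_FILENAMES:
            hits.append((m["client"], m["url"]))
    return hits


# Constructed excerpt in the style of `sc query` output (hypothetical sample).
SAMPLE_SERVICE_LIST = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
SERVICE_NAME: AVSearch service
DISPLAY_NAME: AVSearch service
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
"""


def find_suspicious_services(service_text):
    """Return the SERVICE_NAME values that match a known-bad service name."""
    found = []
    for line in service_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "SERVICE_NAME":
            if value.strip().lower() in SUSPICIOUS_SERVICE_NAMES:
                found.append(value.strip())
    return found


if __name__ == "__main__":
    for client, url in find_dropper_downloads(SAMPLE_PROXY_LOG):
        print(f"dropper download: {client} -> {url}")
    for name in find_suspicious_services(SAMPLE_SERVICE_LIST):
        print(f"suspicious service registered: {name}")
```

The proxy-log check is the more reliable of the two for this particular trojan: the advisory states that the driver component hides the main executable from the user, so a service listing taken on a live infected host may not show ‘AVSearch service’ at all. The service check is still useful when run against a listing captured from an offline image or from a trusted boot environment.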
“This is an example of a classic social-engineering attack harkening back to the days of Love Bug (VBS.Loveletter),” said Heather Goudey, CA Senior Research Engineer, Security Advisor. “We appear to have come full circle to some extent as these types of ruses used to be quite commonly distributed to convince people to run malicious executables, mainly by mass-mailing worms.
“With the decline of the mass-mailing worm, and as users became suspicious of these types of messages, they were no longer as successful,” she said. “It now appears that the attackers assume that users have forgotten their suspicion – it remains to be seen just how successful this tactic will be. The difference between then and now is that we are seeing more controlled attacks, using techniques from mass-mailing worms. And thanks to the prevalence of systems compromised by spam-bots, it’s no longer necessary to create your own worm – malware is now being distributed in the same way as spam.”
Additional information can be found on CA’s Security Advisor site at CA.Com/Securityadvisor