    Season’s eGreetings from Spammers

    It’s the most wonderful time of the year for most, including spammers who have started churning out Christmas-themed eCards in light of the approaching holidays.

    Spammers would like recipients to believe that these eCards come from a legitimate sender; the From line, which is spoofed, displays the name of a reputable company. Interestingly, the mail body bears the phrase “no worm, no virus” to falsely allay users’ fears of infection. But of course, since spammers are not exactly purveyors of truth, users do get infected.

    Clicking the link http://{BLOCKED}tery.us/?id=ecard in the message body redirects users to the site http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/index.php?, which hosts an obfuscated script detected by Trend Micro as JS_AGENT.AEGJ. The script in turn leads to the download of TROJ_DLOADER.XAP. The script is also hosted on the following sites:

    • http://{BLOCKED}n.unixbsd.info/~nuevocom/ItYatOk/
    • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/YM.exe
    • http://64.27.{BLOCKED}.137/~nuevocom/ItYatOk/uslotttery.exe

    The last two sites download files that are detected as WORM_SOHANAD.EU and WORM_VB.FQO, respectively.
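The traits described above (a reassurance phrase in the body, links whose host does not match the claimed sender, raw-IP hosts, direct `.exe` links and the `?id=ecard` parameter) can be turned into a simple mail-triage check. The following is an added example, not code from Trend Micro or the original post; the sample message, its hosts and the function name `ecard_lure_traits` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse, parse_qs

# Constructed sample: sender, brand and hosts are placeholders, not IoCs.
SAMPLE = """\
From: "Example Greetings" <cards@mailer.example.net>
To: user@example.org
Subject: You have received a Christmas eCard

A friend sent you an eCard! no worm, no virus.
View it here: http://cards.example.invalid/?id=ecard
Mirror: http://192.0.2.10/~user/dir/card.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
REASSURANCE_RE = re.compile(r"no\s+worm\s*,?\s*no\s+virus", re.I)

def ecard_lure_traits(raw):
    """Return the sorted lure traits found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    # Domain of the (possibly spoofed) From address, used for comparison only.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Concatenate every text part; multipart containers are skipped.
    body = "".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )
    traits = set()
    if REASSURANCE_RE.search(body):
        traits.add("reassurance-phrase")
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            traits.add("link-host-mismatch")
        if IPV4_RE.fullmatch(host):
            traits.add("raw-ip-host")
        if parts.path.lower().endswith(".exe"):
            traits.add("executable-link")
        if parse_qs(parts.query).get("id") == ["ecard"]:
            traits.add("ecard-id-param")
    return sorted(traits)

if __name__ == "__main__":
    print(ecard_lure_traits(SAMPLE))
```

No single trait is conclusive on its own; the check is meant to rank messages for review, and the host comparison only catches links that leave the domain shown in the From header.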

    Christmas Day is still some days away, and in the interim we can expect a glut of eCards of this nature. Remember that no matter how enticing, fancy eCards may be out to spread not good cheer but malware.






    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice