Are Electronic Greeting Cards Dangerous?
Lately, every time I open my email, I have an electronic greeting card message in it. It used to be fun to open one of these messages and find a funny greeting from a good friend or relative; however, now each e-card generally carries a dangerous payload of viruses, spyware, malware, and more, a sort of electronic cocktail of evil programs designed to do your computer harm. Don't get me wrong, you may still receive "good" e-cards from time to time, but the mass-mailed greetings of the last couple of months are something you don't want to open.
The latest cards want you to click on a link and download a free copy of "Microsoft Data Access" so you can read the card. The popup message accompanying the install even says the file is from Microsoft Corporation. Don't believe this for a second: the file msdataaccess.exe is a dangerous file, please do not open it.
However, I was bored the other day, so I took a freshly formatted Windows XP laptop and installed this file. I didn't get to view the greeting card message; instead, my computer became a spam-sending drone connected to a network of evil.
What do these e-cards look like?
A sample of a recently received electronic greeting card is shown below.
16 Aug 2007 00:35:36 -0400
has sent you Love ecard from marlo.com.
your card's direct www address below:
(c) 1991-2007 marlo.com All Rights Reserved
Some of the subject lines used by these cards are:
Thank you postcard
After clicking on the URL in the body of the message, a screen appears asking you to download "Microsoft Data Access" to view the message. You'll notice the popup asking you to install the program even mentions it's from "Microsoft Corporation".
Then the msdataaccess.exe file infects the computer and sets off a chain of events: disabling security programs like antivirus and firewalls, joining a peer-to-peer botnet to receive more commands and dangerous software from a wide range of IP addresses, corrupting a file called TCPIP.SYS, and changing your DNS settings on your local area network or dialup connection. Once your computer is infected, it's difficult to remove.
Checking MSDATAACCESS.EXE with a Virus Scanner
Before I installed this dangerous file, I used Jotti's Malware Scanner to check the file. Jotti's scan checks the file with a variety of scanning engines to see if it's dangerous. Many times, one scanner won't report a problem while another one will. Here are the results after scanning the file:
Jotti Scan Results
Scan taken on 16 Aug 2007 17:54:11 (GMT)
Possibly a new variant of W32/Fathom.1-based!Maximus
After installing the file, my computer immediately started opening connections and sending spam to a variety of addresses. I used a program called TCPView to show this flood of email.
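To turn the TCPView observation above into a repeatable check, here is an added example (not part of the original article) that parses Windows netstat-style output and flags a host opening direct SMTP connections to many distinct remote addresses; the sample rows and the threshold of five hosts are constructed assumptions.

```python
# Added example, not from the original article: detect the spam-drone symptom
# the article observed with TCPView, using "netstat -an" style output.
# SAMPLE_NETSTAT is constructed for this example; the addresses are not real.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.23:1035      192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.23:1101      203.0.113.10:25        SYN_SENT
  TCP    192.168.1.23:1102      203.0.113.55:25        ESTABLISHED
  TCP    192.168.1.23:1103      198.51.100.7:25        SYN_SENT
  TCP    192.168.1.23:1104      198.51.100.80:25       ESTABLISHED
  TCP    192.168.1.23:1105      192.0.2.44:25          SYN_SENT
  TCP    192.168.1.23:1106      192.0.2.200:25         SYN_SENT
  TCP    192.168.1.23:1107      203.0.113.99:25        ESTABLISHED
  TCP    192.168.1.23:1110      192.0.2.9:80           ESTABLISHED
  UDP    192.168.1.23:1025      *:*
"""


def parse_netstat(text):
    """Return (proto, local, remote, state) tuples for TCP rows.

    The header line and UDP rows (which have no state column) are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        rows.append(tuple(parts))
    return rows


def smtp_fanout(rows, threshold=5):
    """Return (sorted remote hosts on TCP/25, suspicious flag).

    A normal workstation relays mail through one server, so it talks to a
    single host on port 25. A spam drone opens direct connections to many
    different mail servers at once. The threshold is an assumption; tune it
    to your environment.
    """
    remotes = set()
    for _proto, _local, remote, state in rows:
        host, _, port = remote.rpartition(":")
        if port == "25" and state in ("SYN_SENT", "ESTABLISHED"):
            remotes.add(host)
    hosts = sorted(remotes)
    return hosts, len(hosts) >= threshold


if __name__ == "__main__":
    hosts, suspicious = smtp_fanout(parse_netstat(SAMPLE_NETSTAT))
    print("direct SMTP peers:", len(hosts), "suspicious:", suspicious)
```

On a live machine, feed the function the captured text of `netstat -an` rather than the constructed sample.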
After seeing my computer spewing spam in all directions, I immediately disconnected from my network and began the cleanup of this lovely greeting card. I rebooted the computer once before beginning the removal and was presented with a Windows Blue Screen when shutting down.
What's the Best Way to Remove these NuWar-type infections from My Computer?
Since no files are added to startup or as a Browser Helper Object (BHO), normal tools like HijackThis and others simply don't find this problem. This particular attack using msdataaccess.exe installs the following files:
- is installed in the Windows directory
- is installed in the Windows\System32 directory on Windows XP
- TCPIP.SYS in the Windows\System32\Drivers directory is infected
- is installed in the Windows\System32\Drivers directory (not normally a
The computer then proceeds to change your DNS settings and starts sending email. It also hides the files it installed from view when running Windows, so they are hard to detect.
Tools you may want to download before attempting this removal procedure:
- CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up the registry
Removal Procedure for the Nuwar/Zhelatin/Tibs Greeting Card Infection
First, download CCleaner to your desktop and install it, so you can use it later. Then unplug your computer from your internet connection before continuing. If you are uncomfortable with any of the procedures shown below, please do not continue with this removal. Take your computer to a repair facility or have a trusted friend follow these procedures instead. In all cases, please be careful when deleting Windows files, since this could cause your computer to become inoperable.
Boot into the Recovery Console
You will need to use the Windows XP Recovery Console to help with this removal procedure. This will require you to either boot from a Windows XP Installation CD or boot directly to the Recovery Console if it's installed. Follow these steps to boot into the Recovery Console from a Windows XP Installation CD.
1) Place your Windows XP CD in the CD-ROM drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following message, press the space bar: "press any key to boot from cd..."
4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a
6) Type the administrator password and
7) You should now be at the C:\Windows> prompt
Delete the Infected Files
At the Windows prompt, type the following and press Enter after each line:
del c:\windows\system32\drivers\tmcomm.sys (may not be found in all cases)
Then type exit and press Enter to reboot into Windows.
Expand a New Copy of TCPIP.SYS and Turn Off System Restore to Remove Saved Copies of the Virus
After Windows restarts, follow these steps to expand a new copy of tcpip.sys to your hard drive and turn off System Restore so that saved copies of the virus are removed.
- Click on Start, Run
- Type CMD and press Enter
- Make sure your Windows XP CD-ROM is in the drive and type the following to extract a new copy of TCPIP.SYS to the hard drive. Substitute the appropriate drive letter for your CD-ROM drive, in this case drive D:
EXPAND D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS
- Type Exit to close the Command Prompt
Next, turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click Apply at the bottom of the screen.
8. Now uncheck "Turn off System Restore" or "Turn off System Restore on all drives" to re-enable it; the viruses that were backed up by System Restore have now been cleared.
9. Click Apply, and then click OK.
10. Run CCleaner from your desktop and remove any temporary files and registry problems it finds.
11. Restart your computer.
12. Re-enable your network connection.
Scan Your Computer For Viruses
You may use any of the following online virus scanners to be sure your computer is now clean of problems. After cleaning my test machine, I ran Trend Micro Housecall, Kaspersky Virusscanner, and Ewido (now AVG) Online Scan, and my system was clean. I infected the machine using three different emails; however, the above procedure worked in my case each time.
- Trend Micro Housecall - will scan and remove threats
- BitDefender Scan Online - will scan and remove threats
- Online Scanner - will scan and remove threats
- Online Malware Scan
- Online Scanner - appears to only scan for but not remove threats
- Panda Activescan - appears to only scan for but not remove threats
- McAfee FreeScan - appears to only scan for but not remove threats
- eTrust Antivirus Web Scanner - will scan and remove threats
- Symantec Security Check - will scan and remove threats
- Dr.Web Online Check - user can upload and test for threats on particular files
Your computer should now be free of this msdataaccess.exe-infected greeting card. Although not all email greeting cards are bad, if it looks suspicious, it probably is. Please be careful whenever an e-card asks you to download a viewer or install programs you are not sure of.