A day before Thanksgiving, as I was doing my work, I came across a sample (SHA1:b9b52db22d35c50081054d4ece39f520ae3ef9fe) from a customer submission, with the usual "ecard.exe" filename. It has an image icon but an .EXE extension, a classic sign of malicious intent.

ecard file icon

As I further investigated the sample, it displayed the following greeting:

 

Happy Thanksgiving

Note: the message displayed is from a valid electronic greetings website.

 

Microsoft Security Essentials already detects the malware as Worm:Win32/Rebhip.A. Rebhip is a worm that spreads via removable drives and steals sensitive information.

In past months, we have seen Rebhip use games, such as StarCraft2 and Halo, as part of its social engineering technique. This time, it switched to a special holiday theme: Thanksgiving.
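The lure described above relies on a file that looks like a picture or greeting card but is really a Windows executable. The script below is an added example, not MMPC's code or part of the original post: it walks a folder (for instance a mounted removable drive or a mail-attachment quarantine directory), reads the leading bytes of each file, and flags anything with a valid MZ/PE header whose name claims to be an image, carries a double extension such as `photo.jpg.exe` (Windows Explorer hides known extensions by default, so the user sees only `photo.jpg`), or uses a greeting-card style name like the `ecard.exe` from this sample. The lure words and image extensions are assumptions to tune per environment; the sample files it scans are constructed in a temporary directory so it runs offline.

```python
"""Flag executables disguised as images or greeting cards.
Added example (not MMPC code): scan a folder for files whose bytes say
'Windows executable' while their name says 'picture' or 'ecard'."""
import os
import struct
import tempfile

# Lure words: 'ecard' comes from this post; the rest are assumed variants.
LURE_STEMS = ("ecard", "greeting", "card", "photo", "image", "picture")
# Extensions a user expects to open as a picture, never as a program (assumed list).
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def is_pe(data: bytes) -> bool:
    """True when data starts with an MZ header whose e_lfanew lands on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Return a verdict for one file from its name and its leading bytes."""
    if not is_pe(data):
        return "not-pe"
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in IMAGE_EXTS:          # photo.jpg.exe: Explorer hides the real .exe
        return "pe-double-extension"
    if ext in IMAGE_EXTS:                # picture extension on executable content
        return "pe-image-extension"
    if any(stem in root for stem in LURE_STEMS):
        return "pe-lure-name"            # ecard.exe: honest extension, misleading name
    return "pe"                          # ordinary executable, not flagged


def scan_dir(path: str, head: int = 4096) -> list:
    """Walk a directory; return sorted (relative path, verdict) pairs for files
    that are executables dressed up as something else."""
    flagged = []
    for dirpath, _, files in os.walk(path):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                data = fh.read(head)     # the headers sit in the first few KB
            verdict = classify(fname, data)
            if verdict not in ("not-pe", "pe"):
                flagged.append((os.path.relpath(full, path), verdict))
    return sorted(flagged)


def fake_pe() -> bytes:
    """Constructed minimal PE header for the demo; it is not a runnable program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew points right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


def demo() -> list:
    """Populate a temporary 'removable drive' with constructed files and scan it."""
    samples = {
        "ecard.exe": fake_pe(),                           # the lure from this post
        "photo.jpg.exe": fake_pe(),                       # double-extension disguise
        "turkey.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG magic bytes
        "setup.exe": fake_pe(),                           # honest executable
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return scan_dir(tmp)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:22} {rel}")
```

Point `scan_dir` at the root of a removable drive after it mounts, or at the folder where a mail gateway drops attachments, and treat any `pe-*` verdict as a file to quarantine and submit rather than open. The check reads magic bytes instead of trusting the extension, so renaming the file does not evade it; it deliberately does not parse the icon resource, since a PE with a picture icon and an honest name is still an executable the user should be asked about.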

I just realized that my first Thanksgiving greeting this year was from malware :(

Thanks for the greetings Rebhip... but no thanks! My Thanksgiving tomorrow will be better without you.

Elda Dimakiling, MMPC Dublin