O/T: christma.exe Flash e-card - OK or a Trojan?


AN O'Nymous

I received an email from a friend today with a "christma.exe"
executable inside a zip file. Alarm bells started ringing, but seeing
how it was a trusted friend I thought it should be OK.

Anyway, after scanning the file with my Grisoft Free antivirus, I
double clicked on it and it seemed a harmless enough Macromedia Flash
e-card.

I'm now feeling guilty that I may have let loose a Trojan on my system.
I've checked the Task Manager and there don't seem to be any rogue
processes I don't recognise.

Can anyone brave confirm that this is just a harmless e-card?

http://rapidshare.de/files/9683346/Christma.zip.html

Thanks.
 
AN O'Nymous said:
I received an email from a friend today with a "christma.exe"
executable inside a zip file. Alarm bells started ringing, but seeing
how it was a trusted friend I thought it should be OK.

Anyway, after scanning the file with my Grisoft Free antivirus, I
double clicked on it and it seemed a harmless enough Macromedia Flash
e-card.

I'm now feeling guilty that I may have let loose a Trojan on my system.
I've checked the Task Manager and there don't seem to be any rogue
processes I don't recognise.

Can anyone brave confirm that this is just a harmless e-card?

No doubt we are supposed to click on the link believing that Mr An O'nymous
is a trusted source!! No thanks! His email address (e-mail address removed)
probably doesn't work either - I'm not going to try.

In 1987 this virus did 'the rounds' and caused a lot of problems...

http://www.newamerica.net/index.cfm?pg=article&DocID=142

Anyone who has clicked on his link should scan your system (make sure your
virus software is up to date). Search google for:
remove "christma.exe" virus
or
"christma.exe" virus

You'll see loads.
 
Googling for chrisma.exe was the first thing I did before asking here
for help or to see if others had further knowledge of it.

Your conspiracy theory that I'm here to spread viruses is flawed for
two reasons:
1) The chrisma.exe virus you cite spread in the late 80's. I suppose I
waited 20 odd years to make this post?
2) Why would I post this to the alt.computer.security &
alt.comp.hardware newsgroup with people knowledgeable about computers?
More likely if I wanted to spread a virus I'd post it to some Christian
board or something where people are less likely to be clued up about
PCs and more likely to click on it.

I scanned it with Kaspersky's online scanner but it found nothing. I
would be grateful if others can confirm it is OK, perhaps using Linux
for your own safety?

Geez...thanks for the "help" anyway.
 
AN O'Nymous said:
Googling for chrisma.exe was the first thing I did before asking here
for help or to see if others had further knowledge of it.

Your conspiracy theory that I'm here to spread viruses is flawed for
two reasons:
1) The chrisma.exe virus you cite spread in the late 80's. I suppose I
waited 20 odd years to make this post?

Not everyone thinks that way - you might have just encountered the virus and
decided to spread it - you might not have known it is 20 years old. Remember
you are using a suspicious name and an internet-based email address - very
suspect!!
2) Why would I post this to the alt.computer.security &
alt.comp.hardware newsgroup with people knowledgeable about computers?


Good point - why would you post a software question to a hardware group -
perhaps because it was a virus!!
More likely if I wanted to spread a virus I'd post it to some Christian
board or something where people are less likely to be clued up about
PCs and more likely to click on it.

More likely you would post it to all of these boards!
I scanned it with Kaspersky's online scanner but it found nothing. I
would be grateful if others can confirm it is OK, perhaps using Linux
for your own safety?

Did you follow any of the links I gave???
 
I received an email from a friend today with a "christma.exe"
executable inside a zip file. Alarm bells started ringing, but seeing
how it was a trusted friend I thought it should be OK.

That's how a lot of viri spread, they go out through the
victims system using the address book.

Anyway, after scanning the file with my Grisoft Free antivirus, I
double clicked on it and it seemed a harmless enough Macromedia Flash
e-card.

Good grief!
Remember that with ALL new waves of viri, they have to start
spreading before being reported or observed, then
assimilated into an antivirus detection data set, which you
then eventually have to download and apply. In other words,
many people get infected with a virus their AV program will
"eventually" be able to detect.

I'm now feeling guilty that I may have let loose a Trojan on my system.
I've checked the Task Manager and there don't seem to be any rogue
processes I don't recognise.

You should tell your friend, "thank you" then "I don't open
that kind of executable attachments but thanks for the
thought". Someone who sends out EXE attachments is also
typically the kind of person who has lesser security
mindedness and more likely to be an infection point. There
is no need for an executable to play a shockwave flash file-
at least not sent WITH the animation.

Can anyone brave confirm that this is just a harmless e-card?

http://rapidshare.de/files/9683346/Christma.zip.html

It is better to just resist the temptation. An anon yahoo
address isn't exactly confidence inspiring either, even
though it's understandable why one would use it on usenet.
 
*Psst* Your tin-foil helmet has slipped off.

Look, I'll say it here for everyone who reads it: I posted this here
for *experts* who know what they're doing to check if there is anything
wrong with the file. If you don't think you can handle a possibly
unknown infection then obviously don't download it. How much of a
genius did it take to figure that one out, especially since I already
said I was worried it might be a Trojan?

For the experts: Assume the file is infected (although AVG & Kaspersky's
scans show it to be clean) and let me know if I have unwittingly
unleashed a Trojan on my computer.

GT, if you're unable to offer any constructive advice then please
refrain from doing so. There are experts better than you who can handle
an unknown virus should it turn out to be so.
 
kony said:
You should tell your friend, "thank you" then "I don't open
that kind of executable attachments but thanks for the
thought". Someone who sends out EXE attachments is also
typically the kind of person who has lesser security
mindedness and more likely to be an infection point. There
is no need for an executable to play a shockwave flash file-
at least not sent WITH the animation.

Damn, now I'm worried. The person who sent it to me should be clued
up about security issues to at least an above average level, which
makes it suspicious and which also made me "trust" the attachment more.
It is better to just resist the temptation. An anon yahoo
address isn't exactly confidence inspiring either, even
though it's understandable why one would use it on usenet.

Well, if there are computer security experts out there reading this,
could you please check the file for me? Assume it is a trojan for your
safety, but please let me know if I have a rogue virus on my PC!
 
Well, if there are computer security experts out there reading this,
could you please check the file for me? Assume it is a trojan for your
safety, but please let me know if I have a rogue virus on my PC!


I attempt to be helpful rather than rude when I suggest
that this is not the right forum for your post, there are
security and virus related groups that would certainly be a
better match. In particular some participants in those
groups might already have a box set up in isolation for such
testing.
 
kony said:
I attempt to be helpful rather than rude when I suggest
that this is not the right forum for your post, there are
security and virus related groups that would certainly be a
better match. In particular some participants in those
groups might already have a box set up in isolation for such
testing.

Thanks Kony. I was simply casting my net far and wide as I reckoned the
odds of meeting someone who was knowledgeable enough about monitoring
rogue processes was fairly slim. I got a mixed response at
alt.computer.security.

I suppose the best thing to do would be to email it to an antivirus
company and ask them to check - do you know if antivirus companies do
this as a matter of course and if so what address I should send it to?
 
Thanks Kony. I was simply casting my net far and wide as I reckoned the
odds of meeting someone who was knowledgeable enough about monitoring
rogue processes was fairly slim. I got a mixed response at
alt.computer.security.

I suppose the best thing to do would be to email it to an antivirus
company and ask them to check - do you know if antivirus companies do
this as a matter of course and if so what address I should send it to?

I suppose you could submit it to one telling them you
suspect it to be a virus but that's not quite an accurate
description of the situation, if you see nothing suspicious
after running it, it "likely" isn't one. Don't know which
av firm would be most receptive to it, you might just Google
for some online antivirus scanners and scan the system a few
more times.
 
AN O'Nymous said:
*Psst* Your tin-foil helmet has slipped off.

Look, I'll say it here for everyone who reads it: I posted this here
for *experts* who know what they're doing to check if there is anything
wrong with the file. If you don't think you can handle a possibly
unknown infection then obviously don't download it. How much of a
genius did it take to figure that one out, especially since I already
said I was worried it might be a Trojan?

For the experts: Assume the file is infected (although AVG & Kaspersky's
scans show it to be clean) and let me know if I have unwittingly
unleashed a Trojan on my computer.

GT, if you're unable to offer any constructive advice then please
refrain from doing so. There are experts better than you who can handle
an unknown virus should it turn out to be so.

.... and plenty of others who browse these groups for information and
interest who may download your virus and not be able to handle it! You
shouldn't post viruses full-stop. I personally don't have the time to trace
your IP address from your post, but someone should report you for posting a
virus link to a newsgroup and you would at least have your news posting
privileges revoked and at worst, face a prison sentence, should your post
cause any damage to others' PCs!

I repeat - read one of the links I originally posted or just Google for
"Christma.exe + remove" and you will be able to clean the virus from your
system. This advice is directed both at the original 'anonymous' virus
poster and anyone else who has made the mistake of downloading his file!
 
GT said:
... and plenty of others who browse these groups for information and
interest who may download your virus and not be able to handle it! You
shouldn't post viruses full-stop. I personally don't have the time to trace
your IP address from your post, but someone should report you for posting a
virus link to a newsgroup and you would at least have your news posting
privileges revoked and at worst, face a prison sentence, should your post
cause any damage to others' PCs!

Rubbish. It has to be established that I intended malicious damage to
other users' PCs, which will be an uphill battle for paranoids like you
considering my posts have had "Warning - Possible virus" stuck all over
them.

In addition you have not even shown that the link I posted IS a virus.
If it was an old virus, then why did two virus scans from two separate
companies miss it? This part clearly dismisses your conspiracy theory
that I'm out to infect other users' PCs.
I repeat - read one of the links I originally posted or just Google for
"Christma.exe + remove" and you will be able to clean the virus from your
system. This advice is directed both at the original 'anonymous' virus
poster and anyone else who has made the mistake of downloading his file!

Yes, I suppose since I have a file called "GT is a paranoid conspiracy
theorist" on my PC, it must be true. And you are assuming I haven't
read the links. Like I said, I Googled for Christma.exe first thing
before I posted here asking for help, and getting stabbed in the back
instead from you.
 
GT said:
... and plenty of others who browse these groups for information and
interest who may download your virus and not be able to handle it! You
shouldn't post viruses full-stop. I personally don't have the time to trace
your IP address from your post, but someone should report you for posting a
virus link to a newsgroup and you would at least have your news posting
privileges revoked and at worst, face a prison sentence, should your post
cause any damage to others' PCs!

Rubbish. It has to be established that I intended malicious damage to
other users' PCs, which will be an uphill battle for paranoids like you
considering my posts have had "Warning - Possible virus" stuck all over
them.

In addition you have not even shown that the link I posted IS a virus.
If it was an old virus, then why did two virus scans from two separate
companies miss it? This part clearly dismisses your conspiracy theory
that I'm out to infect other users' PCs with a 20-year old virus. LOL!
I repeat - read one of the links I originally posted or just Google for
"Christma.exe + remove" and you will be able to clean the virus from your
system. This advice is directed both at the original 'anonymous' virus
poster and anyone else who has made the mistake of downloading his file!

Yes, I suppose since I have a file called "GT is a paranoid conspiracy
theorist" on my PC, it must be true. And you are assuming I haven't
read the links. Like I said, I Googled for Christma.exe first thing
before I posted here asking for help, and getting stabbed in the back
instead from you.
 
GT said:
... and plenty of others who browse these groups for information and
interest who may download your virus and not be able to handle it! You
shouldn't post viruses full-stop. I personally don't have the time to trace
your IP address from your post, but someone should report you for posting a
virus link to a newsgroup and you would at least have your news posting
privileges revoked and at worst, face a prison sentence, should your post
cause any damage to others' PCs!

Rubbish. It has to be established that I intended malicious damage to
other users' PCs, which will be an uphill battle for paranoids like you
considering my posts have had "Warning - Possible virus" stuck all over
them.

In addition you have not even shown that the link I posted IS a virus.
If it was an old virus, then why did two virus scans from two separate
companies miss it? This part clearly dismisses your conspiracy theory
that I'm out to infect other users' PCs with a 20-year old virus. LOL!
When what you're saying is spelt out exactly, it sure sounds absurd,
doesn't it?
I repeat - read one of the links I originally posted or just Google for
"Christma.exe + remove" and you will be able to clean the virus from your
system. This advice is directed both at the original 'anonymous' virus
poster and anyone else who has made the mistake of downloading his file!

Yes, I suppose since I have a file called "GT is a paranoid conspiracy
theorist" on my PC, it must be true.

And you are assuming I haven't read the links. Like I said, I Googled
for Christma.exe first thing before I posted here asking for help, and
getting stabbed in the back instead from you.
 
AN said:
And you are assuming I haven't read the links. Like I said, I Googled
for Christma.exe first thing before I posted here asking for help, and
getting stabbed in the back instead from you.






Virus Total
_______________________________________________

Scan results
File: Christma.exe
Date: 12/28/2005 19:26:01 (CET)
----
AntiVir 6.33.0.70/20051228 found nothing
Avast 4.6.695.0/20051228 found nothing
AVG 718/20051227 found nothing
Avira 6.33.0.70/20051228 found nothing
BitDefender 7.2/20051228 found nothing
CAT-QuickHeal 8.00/20051228 found nothing
ClamAV devel-20051108/20051226 found nothing
DrWeb 4.33/20051228 found nothing
eTrust-Iris 7.1.194.0/20051227 found nothing
eTrust-Vet 12.4.1.0/20051228 found nothing
Ewido 3.5/20051228 found nothing
Fortinet 2.54.0.0/20051228 found nothing
F-Prot 3.16c/20051228 found nothing
Ikarus 0.2.59.0/20051228 found nothing
Kaspersky 4.0.2.24/20051228 found nothing
McAfee 4661/20051228 found nothing
NOD32v2 1.1342/20051228 found nothing
Norman 5.70.10/20051228 found nothing
Panda 8.02.00/20051228 found nothing
Sophos 4.01.0/20051228 found nothing
Symantec 8.0/20051228 found nothing
TheHacker 5.9.1.063/20051228 found nothing
UNA 1.83/20051228 found nothing
VBA32 3.10.5/20051228 found nothing
 
Wow, thanks Lou. Excellent sleuthing! :-)

How did you get access to so many antivirus scanners? I was only able
to scan it with AVG and Kaspersky because AVG is what I have on my PC
and Kaspersky had a free online scanner you can submit suspect files to.
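
Added example, not part of the thread or written by any of its posters: a static check of the kind the discussion circles around, which reads a zip attachment's members in memory without extracting or running them, identifies Windows executables by header rather than by file name, and computes a SHA-256 that can be looked up with a multi-engine scanner. The archive is constructed inline and the function names (`is_pe`, `triage_zip`, `build_sample_zip`) are hypothetical.

```python
import hashlib
import io
import struct
import zipfile

EXEC_EXT = (".exe", ".dll", ".scr")

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header pointing at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def triage_zip(blob: bytes) -> list:
    """Inspect each member in memory; nothing is written to disk or run."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            pe = is_pe(data)
            report.append({
                "name": info.filename,
                "sha256": hashlib.sha256(data).hexdigest(),
                "executable": pe,
                # executable content behind a harmless-looking extension
                "disguised": pe and not info.filename.lower().endswith(EXEC_EXT),
            })
    return report

def build_sample_zip() -> bytes:
    """Constructed sample: a fake PE stub (not a real program) and a text file."""
    stub = bytearray(0x48)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christma.exe", bytes(stub))
        zf.writestr("card.swf", bytes(stub))  # same stub, misleading name
        zf.writestr("readme.txt", b"Merry Christmas")
    return buf.getvalue()

if __name__ == "__main__":
    for row in triage_zip(build_sample_zip()):
        print(row)
```

As kony's post points out, signature scanners only recognise samples already in their definitions, so the hash is a lookup key for known files and not a verdict on an unknown one.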
 