Security vendor PC Tools is warning users about a round of malicious "hallmark.exe" files. The files are distributed by email and have been downloaded and run by members of the Threatfire user community.
The executables, delivered via email, show scenic images with unthreatening names such as "xmas.jpg". Download the file, however, and the results are far from pleasant.
According to PC Tools, the hallmark dot-exes download multiple IRCbot components. They copy out an apparently benign Windows system file, "spoolsv.exe", to windows\temp\spoolsv. This file is in fact a common IRC application.
Loads of configuration files are copied out, until the app can phone home to port 6667 on a number of undernet.org and servebeer.com sites.
Like so many instances of malware, the issue here is context: the mIRC app can in fact be used legitimately. But it can be misused; and if you've downloaded it unwittingly, it probably will be. You don't want to leave this particular door open.
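The context point can be turned into a simple triage rule. The sketch below is an added example, not code from PC Tools or Threatfire. It flags a "spoolsv.exe" running from anywhere other than System32 and any outbound connection to port 6667, and raises severity only when both occur together. The event format, the sample lines, and the assumption that Windows is installed at C:\Windows are all constructed for illustration.

```python
import ntpath

# Assumption: Windows is installed at C:\Windows, so the genuine print
# spooler image lives in this directory (compared case-insensitively).
LEGIT_SPOOLER_DIR = r"c:\windows\system32"
IRC_PORT = 6667  # port the article says the bot phones home to

# Constructed sample events (not from the article): image;dst;dport
SAMPLE_EVENTS = [
    r"image=C:\Windows\System32\spoolsv.exe;dst=192.0.2.10;dport=445",
    r"image=C:\Windows\Temp\spoolsv\spoolsv.exe;dst=198.51.100.7;dport=6667",
    r"image=C:\Program Files\mIRC\mirc.exe;dst=203.0.113.5;dport=6667",
    r"image=C:\WINDOWS\system32\SPOOLSV.EXE;dst=192.0.2.11;dport=139",
]

def parse_event(line):
    """Split one 'key=value;key=value' line into a dict with an int port."""
    fields = dict(part.split("=", 1) for part in line.split(";"))
    fields["dport"] = int(fields["dport"])
    return fields

def classify(event):
    """Return the list of indicators that this event matches."""
    image = ntpath.normpath(event["image"]).lower()
    findings = []
    # A system-file name running from a non-system directory is masquerading.
    if (ntpath.basename(image) == "spoolsv.exe"
            and ntpath.dirname(image) != LEGIT_SPOOLER_DIR):
        findings.append("spoolsv.exe outside System32")
    # IRC traffic alone may be a legitimate client, so it is only one signal.
    if event["dport"] == IRC_PORT:
        findings.append("outbound IRC (tcp/6667)")
    return findings

def triage(lines):
    """Return (image, severity, findings) for every event with a finding."""
    results = []
    for line in lines:
        event = parse_event(line)
        findings = classify(event)
        if findings:
            severity = "high" if len(findings) == 2 else "review"
            results.append((event["image"], severity, findings))
    return results

if __name__ == "__main__":
    for image, severity, findings in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {', '.join(findings)}")
```

A knowingly installed IRC client lands in "review" rather than "high", which matches the distinction drawn above between legitimate use and an unwitting install.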
Frankly, it amazes me that anyone would download a file from an email without being 100 percent sure it came from a legitimate, known source. Come on people, it's not 1999.
It's even more surprising that people security savvy enough to install and use a free behavioural tool such as Threatfire would be dappy enough to get caught out this way. The bad guys usually aim for the lowest hanging fruit.
So we can safely assume that the threat appears credible, and is delivered in volume. As ever, think before you download.