Another Waledac Valentine's Day Spam Run Has Started
It looks like the Waledac botnet folks are at it again: new e-card spam with a Valentine's Day theme that links to malware.
The email itself is your standard-fare e-card Valentine's Day lure (subject lines starting with "You've got an e-card at <random greeting card domain>"). However, unlike many previous incarnations of e-card spam, the From address does not try to spoof any of the common greeting card web sites (mistake number 1):
----------------------------------------
Ted just mailed to you an Online greeting card and wrote this to you:
"You're So Sweet!"
You may pick it up from:
hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
Your eCard will be available for the next 20 days.
----------------------------------------
We have also seen samples of this tactic linking to yourgreatlove.com, a known Waledac domain.
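One way to turn the traits above into a mail-filter check, as an added example (not code from the original post): it flags a message whose subject matches the e-card pattern while its From domain or link host does not belong to the site the subject names. The `greetings.example` and `example.net` names, the finding labels and the `ID=` token shape are assumptions; the two domains and the sample URL come from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

KNOWN_LURE_DOMAINS = {"worshiplove.com", "yourgreatlove.com"}  # named in the post
SUBJECT_RE = re.compile(r"^You've got an e-card at (\S+)", re.I)
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.I)  # also matches defanged hxxp

def under(host, domain):  # True if host equals domain or is a subdomain of it
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def ecard_lure_findings(raw):
    """Return reasons a raw message resembles the lure; [] if none apply."""
    msg = message_from_string(raw)
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if not m:
        return []  # subject is not an e-card notification
    claimed = m.group(1).strip(".,!")  # site the subject says sent the card
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under(sender, claimed):  # the post's "mistake number 1"
        findings.append("from-domain-mismatch")
    # Assumption: text parts are not base64/quoted-printable encoded.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in URL_RE.findall(body):
        parts = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I))
        host = parts.hostname or ""
        if any(under(host, d) for d in KNOWN_LURE_DOMAINS):
            findings.append("known-lure-domain:" + host)
        elif not under(host, claimed):
            findings.append("link-off-brand:" + host)
        # Assumption: token shape generalised from the one sample URL in the post.
        if re.fullmatch(r"ID=[0-9a-f]{16,}", parts.query, re.I):
            findings.append("hex-id-token")
    return findings

# Constructed samples; only the URL is taken from the post.
SAMPLE_LURE = """From: Ted <ted@mail.example.net>
Subject: You've got an e-card at greetings.example

hxxp://yyiet.worshiplove.com/?ID=769bdb96a22c0866ea1ecb731
"""
SAMPLE_BENIGN = """From: Cards <cards@greetings.example>
Subject: You've got an e-card at greetings.example

Pick it up at http://www.greetings.example/pickup?card=1234
"""
```

Calling `ecard_lure_findings(SAMPLE_LURE)` returns three findings, while `SAMPLE_BENIGN` returns an empty list because its sender and link both sit under the site named in the subject.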
Clicking the link in the email will bring you to a cute web site with puppies giving you "the eyes", enticing you to download their malware.

Clearly there is a disconnect between the email, which tells you to pick up your e-card, and the web site, which asks you to download a "Valentine Devkit" (mistake number 2). As a result of this perceived error, volumes are very low (only a few here and there thus far), but this does appear to be a sign that the Waledac gang is gearing up for some kind of Valentine's Day campaign.
The commercial AV guys don't appear to be up on this one yet, so keep your eyes open! We'll be monitoring the Waledac guys up to and through Valentine's Day this weekend and will post here any new variants that we see coming from them.
Posted by smasiello at 10:21 AM