    Storm Brews Over Geocities

    Storm is back, and according to TrendLabs researchers, the infamous malware family has added yet another twist to its tactics.

    “(It) looks like Yahoo! will have its hands full in the next couple of days,” Senior Threat Researcher Ivan Macalintal says. “There are limited reports that the Storm worm may be spamming emails with links to a Geocities site. This was seen in the monitoring of the spam templates being sent via Storm communications to its botnets.”

    An example of a Geocities URL found in the spam templates is: http://geocities.com/{BLOCKED}Ramirez26.

    The links in these messages point to various accounts created on the popular Yahoo!-managed Geocities site. However, what appear to be links to personal Web sites hosted on Geocities are actually URLs that redirect to http://{BLOCKED}.{BLOCKED}.238.36/aes/, where the user is coaxed into downloading an “iPix plug-in” (from http://{BLOCKED}.{BLOCKED}.238.36/iPIX-install.exe).

    Unfortunately, the iPix plug-in, which Trend Micro detects as TROJ_ZBOT.BJ, downloads more malicious files from the following sites:

    • http://{BLOCKED}.255.94.99/bot/filenl.bin
    • http://{BLOCKED}.255.94.99/bot/filenl2.exe

    These URLs have been observed hosting phishing sites in the past.
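
    For defenders, the chain described above (a free-hosted page, a redirect to a bare-IP host, then executable downloads) can be hunted in web proxy logs. The following is an added example, not code from Trend Micro; the log format, the 300-second window, the watch list and the documentation-range IP addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions: watched free-hosting domains, risky extensions, time window.
FREE_HOSTS = {"geocities.com"}
RISKY_EXT = (".exe", ".bin")
WINDOW = 300  # seconds between hosted-page visit and download

# Constructed proxy log (epoch client url referrer); IPs are documentation ranges.
SAMPLE_LOG = """\
1000 10.0.0.5 http://geocities.com/example_user01 -
1002 10.0.0.5 http://192.0.2.36/aes/ http://geocities.com/example_user01
1010 10.0.0.5 http://192.0.2.36/iPIX-install.exe http://192.0.2.36/aes/
1030 10.0.0.5 http://198.51.100.99/bot/filenl.bin -
1040 10.0.0.7 http://downloads.example.org/setup.exe -
5000 10.0.0.9 http://192.0.2.36/iPIX-install.exe -
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_free_host(host):
    return any(host == d or host.endswith("." + d) for d in FREE_HOSTS)

def detect(log_text):
    last_hosted = {}  # client -> time it last touched a free-hosting page
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, url, ref = int(parts[0]), *parts[1:]
        host = host_of(url)
        if is_free_host(host) or is_free_host(host_of(ref)):
            last_hosted[client] = ts
        if is_bare_ip(host) and urlsplit(url).path.lower().endswith(RISKY_EXT):
            chained = ts - last_hosted.get(client, -WINDOW - 1) <= WINDOW
            alerts.append((client, url, "high" if chained else "medium"))
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

    A download from a bare-IP host is rated "high" when the same client touched a watched free-hosting page within the window, and "medium" otherwise.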

    This newest chapter in the Storm saga proves that the creators of the malware are still very much active. The use of a popular free server like Geocities and the disguise as a plug-in may mean that they are still looking for more systems to infect. Storm has been notorious for its changing routines, and one can only guess how, and when, the Storm malware will attack next.








     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice