Storm Sure Loves Everybody

February 11th, 2008 by David Sancho (Threats Analyst)

As we forecast last month, Storm has already started sending its Valentine greetings this week. The owners of this powerful botnet are doing as much as they can to keep its size up, which includes spamming people with plain-text messages that try to get them to click on malicious links. The spam may arrive looking like these two email messages:

This time around, the messages are of love.

The spammed messages contain a link that leads to malicious Web sites displaying one of eight cute Valentine images shown below.

As usual, if you run the executable named VALENTINE.EXE, your system will inevitably join the Storm botnet to start spamming other Internet users…not very loving of them, right? In any case, have a happy (and Storm-free) Valentine’s Day!

Update by Lordian Mosuela, Escalation Engineer:

Here are a couple of samples of how the images above appear inside the Web sites referred to by the spammed email messages:

Below is the source code of the Web page linked from the spammed email message in the first image. Unlike other NUWAR Web pages, which use defanged HTML scripts, this new variant is rather straightforward: users can see quite plainly that the image links to a file named VALENTINE.EXE.

Upon clicking the image in the Web page, the user is prompted to download the mentioned file.
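The lure pattern described above, a clickable image whose link target is an executable, is easy to flag before a message or page reaches a user. The following is an added example, not Trend Micro's code; the sample HTML is constructed for illustration, and the list of extensions treated as executable is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of file extensions we treat as directly executable on Windows.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}


class ImageLinkScanner(HTMLParser):
    """Records every <a href> target that wraps an <img>, i.e. a clickable picture."""

    def __init__(self):
        super().__init__()
        self._open_href = None   # href of the <a> we are currently inside, if any
        self.findings = []       # (href, img src) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open_href = attrs.get("href")
        elif tag == "img" and self._open_href:
            self.findings.append((self._open_href, attrs.get("src")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None


def executable_image_links(html):
    """Return the image links whose URL path ends in an executable extension.

    The check is done on the parsed URL path, so a query string such as
    '?id=1' after the file name does not hide the extension, and the
    comparison is case-insensitive (VALENTINE.EXE and valentine.exe match).
    """
    scanner = ImageLinkScanner()
    scanner.feed(html)
    hits = []
    for href, src in scanner.findings:
        path = urlparse(href).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTS):
            hits.append({"href": href, "img": src})
    return hits


# Constructed sample page: one benign image link, one image that leads to an executable.
SAMPLE_HTML = """
<html><body>
<a href="about.html"><img src="logo.png"></a>
<p>Your Valentine card is here:</p>
<a href="VALENTINE.EXE"><img src="valentine1.jpg"></a>
</body></html>
"""

if __name__ == "__main__":
    for hit in executable_image_links(SAMPLE_HTML):
        print("suspicious image link:", hit)
```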

There were no changes to this new NUWAR variant’s main P2P routine. The only difference is that the malware author added a new executable module that loads a kernel-mode driver; the driver uses an anti-emulation technique, calling dummy APIs (Application Programming Interfaces), to bypass antivirus detection.

The executable is detected by Trend Micro as WORM_NUWAR.AR.

Additional images provided by Lalaine Gregorio of the Content Security Team


Trackback

TrackBack URL for this entry:
http://blog.trendmicro.com/storm-sure-loves-everybody/trackback/

Listed below are links to weblogs that reference Storm Sure Loves Everybody:

  • TechWatch@AWBHoldings.com…  |  Tracked on February 11th, 2008 at 10:30 pm

    [...] TrendLabs Malware Blog warns people that the most prolific worm of 2007 (and most prolly 2008), Storm, is exploiting this event. These spam emails contain links to Web sites. DO NOT CLICK ON THOSE LINKS, of course. Bookmark to: [...]

  • My life in the Netherland…  |  Tracked on February 12th, 2008 at 12:07 pm

    [...] but do link through to malicious sites where it is possible to download an e-card. The sites show at least eight different images with hearts, Winnie the Pooh and texts such as [...]

  • FBI warns before Valentin…  |  Tracked on February 14th, 2008 at 6:17 am

    [...] Web sites displaying one of eight cute Valentine images,” he said. Sancho’s post cycled through the images that Trend Micro captured from the malware-serving sites. “If you run the executable named [...]

  • Tynan on Technology (beta…  |  Tracked on February 16th, 2008 at 11:19 am

    [...] lure visitors to a malware-laden site, where they’re prompted to launch an executable greeting card that infects them with the Storm Trojan. And then afterwards never [...]
