As we forecast last month, Storm is already sending its Valentine greetings this week. The owners of this powerful botnet are doing as much as possible to keep its size up. This includes spamming people with plain-text messages and enticing them to click on malicious links. They may arrive looking like these two email messages:
This time around, the messages are of love.
The spammed messages contain a link that leads to malicious Web sites displaying one of eight cute Valentine images shown below.
As usual, if you run the executable named VALENTINE.EXE, your system will inevitably join the Storm botnet to start spamming other Internet users…not very loving of them, right? In any case, have a happy (and Storm-free) Valentine’s Day!
Update by Lordian Mosuela, Escalation Engineer:
Here are a couple of samples of how the images above appear inside the Web sites referred to by the spammed email messages:
Below is the source code of the Web page in the spammed email message in the first image. Unlike other NUWAR Web pages that use defanged HTML scripts, this new variant was rather straightforward. Users are able to see quite plainly that the image is linked to a file named VALENTINE.EXE.
Upon clicking the image in the Web page, the user is prompted to download the mentioned file.
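A defender-side check for the lure structure described above (an image wrapped in a link whose target is an executable), as an added example that is not part of the original post or Trend Micro's tooling; the sample page is constructed to mirror the described layout, and the extension list is an assumption:

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions that should never sit behind a clickable greeting image.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}

def is_executable_link(href):
    """True if the link target's path ends in an executable extension (case-insensitive)."""
    path = urlparse(href).path
    return posixpath.splitext(path)[1].lower() in EXECUTABLE_EXTS

class ImageLinkScanner(HTMLParser):
    """Collects <img> tags that sit inside an <a href="..."> pointing at an executable."""
    def __init__(self):
        super().__init__()
        self._anchor_href = None  # href of the currently open <a>, if any
        self.findings = []        # (href, image src) pairs worth alerting on

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._anchor_href = attrs.get("href")
        elif tag == "img" and self._anchor_href and is_executable_link(self._anchor_href):
            self.findings.append((self._anchor_href, attrs.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "a":
            self._anchor_href = None

def scan_page(html):
    """Return every (link target, image source) pair where an image links to an executable."""
    scanner = ImageLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample modelled on the described page: a Valentine image linking to VALENTINE.EXE,
# plus a benign image link that must not be flagged.
SAMPLE_PAGE = """<html><body>
<a href="VALENTINE.EXE"><img src="valentine.jpg" alt="Valentine"></a>
<a href="about.html"><img src="logo.gif"></a>
</body></html>"""

if __name__ == "__main__":
    for href, src in scan_page(SAMPLE_PAGE):
        print(f"image {src!r} links to executable {href!r}")
```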
There were no changes in this new NUWAR variant's main P2P routine. The only difference is that the malware author created a new executable module that is capable of loading a kernel service file driver, which uses an anti-emulation technique based on dummy APIs (Application Programming Interfaces) in order to bypass antivirus detection.
The executable is detected by Trend Micro as WORM_NUWAR.AR.
Additional images provided by Lalaine Gregorio of the Content Security Team