Using holidays and popular annual events as a social engineering lure in spam is a signature Storm technique. The following spammed email message should further cement WALEDAC’s association with that botnet.
Figure 1. Spammed Valentine’s greetings.
These messages flood inboxes weeks before Valentine’s Day, which is also typical of previous Storm spam runs. Clicking the link redirects the user to a site displaying heart images. Clicking anywhere on that page prompts the user to download a file, malicious of course, which Trend Micro detects as WORM_WALEDAC.AR.
Figures 2 & 3. The link in the email leads to malware.
WORM_WALEDAC.AR propagates by spamming email messages containing malicious links that lead to downloads of copies of the same worm. Like other WALEDAC variants, it compromises the security of infected systems by opening random ports to listen for commands from a remote user.
Earlier threats from this same malware family exhibit routines and characteristics very similar to Storm:
- Fake Obama News Sites Abound
- What is Old is New Again: Malicious New Year e-Card Spam
- Merry Malware Greetings Flooding Inboxes
Besides the social engineering techniques used in email, the following methods used by this worm family also mirror Storm:
- Fast-flux networks and several different name servers used per domain
- File names ecard.exe and postcard.exe
- In some instances, the installation of rogue antispyware
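The traits above can be turned into a simple triage check for links pulled out of spam. The following is an added example, not code from Trend Micro or from this post: it checks a link's file name against the ecard.exe and postcard.exe names listed above, and scores the link's host against the fast-flux traits also mentioned (short TTLs, A records spread across unrelated networks, several name servers per domain). The domain names, IP addresses, TTLs and scoring thresholds are constructed sample data and assumptions for illustration, not real indicators from the campaign.

```python
"""Triage of spammed links using the WALEDAC/Storm traits listed above.

Added example, not Trend Micro's detection logic. All domain names, IP
addresses, TTLs and thresholds below are constructed sample data and
assumptions, not real indicators.
"""
import ipaddress
from posixpath import basename
from urllib.parse import urlparse

# File names the page lists as shared between Storm and WALEDAC spam runs.
KNOWN_LURE_FILENAMES = {"ecard.exe", "postcard.exe"}


def lure_filename(url: str) -> bool:
    """True if the URL's path ends in one of the known lure file names."""
    path = urlparse(url).path
    return basename(path).lower() in KNOWN_LURE_FILENAMES


def fast_flux_indicators(a_records, ns_records, ttl_threshold=300,
                         min_networks=3, min_ns=3):
    """Score one domain's DNS data against common fast-flux traits.

    a_records:  iterable of (ip_address_string, ttl_seconds) collected
                across several lookups of the same name.
    ns_records: iterable of name-server host names for the domain.
    Returns (score, reasons). The thresholds are assumptions for this example.
    """
    a_records = list(a_records)
    if not a_records:
        return 0, ["no A records"]
    reasons = []
    # Trait 1: very short TTLs, so the resolved address can be rotated quickly.
    ttls = [ttl for _, ttl in a_records]
    if max(ttls) <= ttl_threshold:
        reasons.append(f"short TTLs (max {max(ttls)}s)")
    # Trait 2: A records pointing into many unrelated networks (compromised
    # machines acting as front-end proxies), approximated here by /16 for
    # IPv4 and /32 for IPv6.
    networks = set()
    for ip, _ in a_records:
        addr = ipaddress.ip_address(ip)
        prefix = 16 if addr.version == 4 else 32
        networks.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    if len(networks) >= min_networks:
        reasons.append(f"{len(networks)} distinct networks")
    # Trait 3: several different name servers per domain (from the page).
    ns = {n.lower().rstrip(".") for n in ns_records}
    if len(ns) >= min_ns:
        reasons.append(f"{len(ns)} name servers")
    return len(reasons), reasons


def triage_link(url: str, dns: dict, flux_threshold: int = 2) -> dict:
    """Combine the lure file-name check with the DNS heuristics for one link."""
    host = (urlparse(url).hostname or "").lower()
    record = dns.get(host, {"a": [], "ns": []})
    score, reasons = fast_flux_indicators(record["a"], record["ns"])
    lure = lure_filename(url)
    return {
        "url": url,
        "lure_filename": lure,
        "fast_flux_score": score,
        "reasons": reasons,
        "suspicious": lure or score >= flux_threshold,
    }


# Constructed sample DNS observations (documentation/test address ranges).
SAMPLE_DNS = {
    "valentine-card.example": {
        "a": [("203.0.113.7", 60), ("198.51.100.23", 60), ("192.0.2.99", 60),
              ("203.0.113.150", 60), ("198.51.100.201", 60)],
        "ns": ["ns1.valentine-card.example", "ns2.valentine-card.example",
               "ns3.valentine-card.example", "ns4.valentine-card.example"],
    },
    "news.example.org": {
        "a": [("192.0.2.10", 86400)],
        "ns": ["ns1.example.org", "ns2.example.org"],
    },
}

if __name__ == "__main__":
    for link in ("http://valentine-card.example/ecard.exe",
                 "http://news.example.org/index.html"):
        print(triage_link(link, SAMPLE_DNS))
```

In practice the A and NS records would come from repeated lookups of the link's host (for example with dnspython), and the thresholds would be tuned against known-good CDN domains, which also use short TTLs and many addresses but usually within a small number of networks.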
The Trend Micro Smart Protection Network blocks the email messages spammed by this worm and detects the worm itself so that it can no longer run on affected systems. Users should be careful when clicking links in spammed messages and when downloading files from unknown websites.