Rock on with the Storm Worm
Never ones to rest on their laurels, the Storm Worm gang brings us yet another new twist in how they try to get you to infect your PC.
This new Storm variant follows in the footsteps of the Google Spam with a purported video download that I blogged about on April 3rd, except that this time Storm is trying to convince you that you want to view a new music video that has just been released.
Here is an example of one of the messages that came into our Threat Operations Center:
Eagles just made a new video. See it here before it releases. Cut and
paste the link in your browser to get the video:
hxxp://zbrkfdxd[deleted].blogspot.com
All of the examples that we have seen thus far have been random subdomains off of blogspot.com, a popular, free blog hosting site. When the link in the email is clicked you are immediately redirected to hxxp://giftapplys.cn (registered on April 8th) which serves up the below page:

Both the fake video player and the "Download it" link point to the malware download. Interestingly enough, the video player points to a file named StormCodec.exe and the "Download it" link points to a file named StormCodec8.exe. These files have the same MD5 checksum (2f16017932e729b8a9f1f5c07eec9b99), however, so despite their different names they are actually the same file.
We've only seen about 50,000 of these messages over the last 24 hours (I say "only" because many Storm Worm variants are in the millions within their first day), so this tactic isn't too popular at the moment, but it is new and different from previous tactics, so it is definitely something to keep a lookout for.
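One way to look for the lure described above in a mail stream, as an added example that is not part of the original post: it extracts plain or defanged links from a message body and flags those whose host is a random-looking subdomain of blogspot.com. The sample bodies, the subdomains in them and the randomness thresholds are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Plain or defanged (hxxp) links, as they appear in mail bodies and analyst notes.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
HOSTING_SUFFIX = ".blogspot.com"
VOWELS = set("aeiouy")

# Constructed sample bodies; the subdomains are invented for this example.
SAMPLES = [
    "Eagles just made a new video. See it here: hxxp://qwxkzrtpvb.blogspot.com",
    "Spring planting notes: http://gardeningnotes.blogspot.com/2008/04/beds.html",
    "Defanged with an elision: hxxp://abc[deleted].blogspot.com",
]

def looks_random(label, max_run=4, min_vowel_ratio=0.2):
    """Assumed heuristic: very few vowels, or a long run of consonants."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    ratio = sum(c in VOWELS for c in letters) / len(letters)
    return ratio < min_vowel_ratio or longest >= max_run

def suspicious_links(body):
    """Return links whose host is a random-looking blogspot.com subdomain."""
    hits = []
    for raw in URL_RE.findall(body):
        raw = raw.rstrip(".,;)")
        try:
            host = urlsplit(re.sub(r"(?i)^hxxp", "http", raw)).hostname or ""
        except ValueError:  # bracketed elisions do not parse as a host
            continue
        host = host.lower()
        if host.endswith(HOSTING_SUFFIX):
            label = host[: -len(HOSTING_SUFFIX)].rsplit(".", 1)[-1]
            if looks_random(label):
                hits.append(raw)
    return hits

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_links(body) or "clean", "<-", body)
```

The vowel and consonant-run thresholds will misjudge some legitimate blog names, so a hit is better used as one scoring signal alongside the message text than as a verdict on its own.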
Categories: Storm Worm Malware
Posted by smasiello at 1:29 PM
