IT Security Blog

Of course it is appropriate that on the same day we write about the author of fast flux pleading guilty to a felony that we see another Storm Worm variant come out.  Granted, new Storm Worm variants are nothing new.  They come out all the time.  I figured I would send out some red flags on this one because as of the time of this writing AV identification of this new variant is less than 10%.

The lure is your typical one-liner type of email which has a love lure in the message body such as "I Want You, I Need You, I Love You" or "You are in my heart" followed by a link to a web site that serves up two executables (both linked to Storm).

This is a screen shot of what the site looks like:



Clicking on the banner at the top of the page attempts to download a file named winner.exe.  Clicking the "Click Here" link attempts to download mylove.exe.

Here are the virustotal.com results for winner.exe and mylove.exe:

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.1.0	2008.06.30	-
AntiVir	7.8.0.59	2008.06.30	-
Authentium	5.1.0.4	2008.06.29	-
Avast	4.8.1195.0	2008.06.30	-
AVG	7.5.0.516	2008.06.30	-
BitDefender	7.2	2008.06.30	-
CAT-QuickHeal	9.50	2008.06.30	-
ClamAV	0.93.1	2008.07.01	-
DrWeb	4.44.0.09170	2008.06.30	-
eSafe	7.0.17.0	2008.06.30	Suspicious File
eTrust-Vet	31.6.5914	2008.06.30	-
Ewido	4.0	2008.06.27	-
F-Prot	4.4.4.56	2008.06.29	-
F-Secure	7.60.13501.0	2008.06.26	-
Fortinet	3.14.0.0	2008.07.01	-
GData	2.0.7306.1023	2008.06.30	-
Ikarus	T3.1.1.26.0	2008.06.30	-
Kaspersky	7.0.0.125	2008.07.01	-
McAfee	5328	2008.06.30	-
Microsoft	1.3704	2008.07.01	-
NOD32v2	3229	2008.06.30	-
Norman	5.80.02	2008.06.30	-
Panda	9.0.0.4	2008.07.01	Suspicious file
Prevx1	V2	2008.07.01	-
Rising	20.51.02.00	2008.06.30	-
Sophos	4.30.0	2008.07.01	-
Sunbelt	3.1.1509.1	2008.06.30	-
Symantec	10	2008.07.01	-
TheHacker	6.2.96.365	2008.07.01	-
TrendMicro	8.700.0.1004	2008.06.30	-
VBA32	3.12.6.8	2008.06.30	-
VirusBuster	4.5.11.0	2008.06.30	-
Webwasher-Gateway	6.6.2	2008.06.30	-

Antivirus	Version	Last Update	Result
AhnLab-V3	2008.7.1.0	2008.06.30	-
AntiVir	7.8.0.59	2008.06.30	-
Authentium	5.1.0.4	2008.06.29	-
Avast	4.8.1195.0	2008.06.30	-
AVG	7.5.0.516	2008.06.30	-
BitDefender	7.2	2008.06.30	Trojan.Peed.JLV
CAT-QuickHeal	9.50	2008.06.30	-
ClamAV	0.93.1	2008.07.01	-
DrWeb	4.44.0.09170	2008.06.30	-
eSafe	7.0.17.0	2008.06.30	Suspicious File
eTrust-Vet	31.6.5914	2008.06.30	-
Ewido	4.0	2008.06.27	-
F-Prot	4.4.4.56	2008.06.29	-
F-Secure	7.60.13501.0	2008.06.26	-
Fortinet	3.14.0.0	2008.07.01	-
GData	2.0.7306.1023	2008.06.30	-
Ikarus	T3.1.1.26.0	2008.06.30	Email-Worm.Win32.Zhelatin.zy
Kaspersky	7.0.0.125	2008.07.01	-
McAfee	5328	2008.06.30	-
Microsoft	1.3704	2008.07.01	-
NOD32v2	3229	2008.06.30	-
Norman	5.80.02	2008.06.30	-
Panda	9.0.0.4	2008.07.01	-
Prevx1	V2	2008.07.01	-
Rising	20.51.02.00	2008.06.30	-
Sophos	4.30.0	2008.07.01	-
Sunbelt	3.1.1509.1	2008.06.30	-
Symantec	10	2008.07.01	-
TheHacker	6.2.96.365	2008.07.01	-
TrendMicro	8.700.0.1004	2008.06.30	-
VBA32	3.12.6.8	2008.06.30	-
VirusBuster	4.5.11.0	2008.06.30	-
Webwasher-Gateway	6.6.2	2008.06.30	-

So, as you can see, AV pickup so far has been non-existent although I am sure it will pick up soon.  The IPs that are hosting the infected URLs are being rotated using fast flux.  In just the 15 minutes that I have been monitoring some of the sites they have already changed IPs several times. 

This is not likely to be the only time this week that we hear from Storm.  Last year during the July 4th holiday is when we started to see the big fake e-card Storm surge.  Although most people are used to seeing these by now, they always manage to be popular social engineering lures nonetheless. 

Expect to see some revisit of Storm sometime later this week.  It might not be e-cards, but in following with Storm's tradition of releasing new variants on or near holidays, I would be very surprised if a Storm weren't already brewing.